How do I automerge dependabot updates (config version 2)?

六月ゝ 毕业季﹏ submitted on 2021-01-05 06:17:00

Question


Following "Dependabot is moving natively into GitHub!", I had to update my dependabot config files to use version 2 format.

My .dependabot/config.yaml did look like:

version: 1
update_configs:
  - package_manager: "python"
    directory: "/"
    update_schedule: "live"
    automerged_updates:
      - match:
          dependency_type: "all"
          update_type: "all"

I've got the following working:

version: 2
updates:
- package-ecosystem: pip
  directory: "/"
  schedule:
    interval: daily

but I can't seem to add the automerge option again (when checking with the dependabot validator)?


Answer 1:


Auto-merge was disabled when Dependabot moved into GitHub:

Auto-merge will not be supported in GitHub-native Dependabot for the foreseeable future. We know some of you have built great workflows that rely on auto-merge, but right now, we’re concerned about auto-merge being used to quickly propagate a malicious package across the ecosystem. We recommend always verifying your dependencies before merging them.

There are some hacks to accomplish this; you can check GitHub dependabot-core issue #1973 for some ideas.




Answer 2:


Here is one solution that doesn't require any additional marketplace installations (originally found here). Simply create a new GitHub workflow (e.g. .github/workflows/dependabotautomerge.yml) containing:

name: "Dependabot Automerge - Action"

on:
  pull_request:

jobs:
  worker:
    runs-on: ubuntu-latest

    # Run only when the workflow was triggered by Dependabot
    if: github.actor == 'dependabot[bot]'
    steps:
      - name: automerge
        uses: actions/github-script@0.2.0
        with:
          script: |
            // Approve the pull request
            github.pullRequests.createReview({
              owner: context.payload.repository.owner.login,
              repo: context.payload.repository.name,
              pull_number: context.payload.pull_request.number,
              event: 'APPROVE'
            })
            // Merge the pull request
            github.pullRequests.merge({
              owner: context.payload.repository.owner.login,
              repo: context.payload.repository.name,
              pull_number: context.payload.pull_request.number
            })
          github-token: ${{github.token}}

There are also various third-party solutions available on GitHub Marketplace.
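
A policy gate that could run before the approve and merge calls in a workflow like the one in Answer 2, restoring something close to the version 1 `update_type` match. This is an added example, not code from the question or the answers; the function names, the `pr` and `policy` shapes, and the assumed title format "Bump <package> from <old> to <new>" are assumptions.

```javascript
// Added example, not from the original answers. Assumes Dependabot's default
// PR title, "Bump <package> from <old> to <new>" (optionally prefixed).
const TITLE_RE = /\bbump (\S+) from (\S+) to (\S+)\s*$/i;
const STRICT_VERSION_RE = /^v?(\d+)\.(\d+)\.(\d+)$/;
const LEVELS = ['patch', 'minor', 'major']; // least to most disruptive

// Only plain X.Y.Z is accepted; pre-releases, epochs, etc. yield null.
function parseVersion(text) {
  const m = STRICT_VERSION_RE.exec(text);
  return m ? m.slice(1).map(Number) : null;
}

// Returns 'patch', 'minor', 'major', or 'unknown' (unparseable, downgrade, no change).
function classifyUpdate(title) {
  const m = TITLE_RE.exec(title || '');
  if (!m) return 'unknown';
  const from = parseVersion(m[2]);
  const to = parseVersion(m[3]);
  if (!from || !to) return 'unknown';
  for (let i = 0; i < 3; i++) {
    if (to[i] > from[i]) return LEVELS[2 - i];
    if (to[i] < from[i]) return 'unknown';
  }
  return 'unknown';
}

// pr: { actor, title }; policy: { maxLevel, denyList } (hypothetical shapes).
// Fails closed: anything not positively recognised is left for human review.
function shouldAutomerge(pr, policy = {}) {
  const maxLevel = policy.maxLevel || 'patch';
  const denyList = (policy.denyList || []).map((n) => n.toLowerCase());
  if (pr.actor !== 'dependabot[bot]') return false;
  const m = TITLE_RE.exec(pr.title || '');
  if (!m || denyList.includes(m[1].toLowerCase())) return false;
  const level = classifyUpdate(pr.title);
  return level !== 'unknown' && LEVELS.indexOf(level) <= LEVELS.indexOf(maxLevel);
}

// Constructed sample pull requests (not real data).
const SAMPLE_PRS = [
  { actor: 'dependabot[bot]', title: 'Bump requests from 2.24.0 to 2.24.1' },
  { actor: 'dependabot[bot]', title: 'Bump django from 3.1.4 to 4.0.0' },
  { actor: 'dependabot[bot]', title: 'Bump black from 20.8b0 to 20.8b1' },
  { actor: 'someone-else', title: 'Bump requests from 2.24.0 to 2.24.1' },
];
for (const pr of SAMPLE_PRS) {
  console.log(shouldAutomerge(pr) ? 'automerge' : 'review   ', pr.title);
}
```

With the default policy only the first sample is merged automatically; the major bump, the non-X.Y.Z version and the non-Dependabot actor are all left for manual review.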



Source: https://stackoverflow.com/questions/64116781/how-do-i-automerge-dependabot-updates-config-version-2
