Skip to content

Instantly share code, notes, and snippets.

@mgagliardo91

mgagliardo91/Branch_Protection_Dependabot.md

Last active March 31, 2022 15:19
Show Gist options
  • Save mgagliardo91/a1cfee715ba96e4d7a8efc2409011d27 to your computer and use it in GitHub Desktop.
Save mgagliardo91/a1cfee715ba96e4d7a8efc2409011d27 to your computer and use it in GitHub Desktop.
Download ZIP
Branch Protection Dependabot
Raw
Branch_Protection_Dependabot.md

Branch Protection Dependabot

Adding dependabot

  1. Create a .github/dependabot.yaml file with the shape:
version: 2
updates:
  # For Node/NPM
  - package-ecosystem: "npm" 
    directory: "/"
    target-branch: staging
    schedule:
      interval: "weekly"
    labels:
      - automerge
 # For python/pip packages
 - package-ecosystem: "pip"
    directory: "/"
    target-branch: staging
    schedule:
      interval: "weekly"
    labels:
      - automerge
  # For all repositories with docker
  - package-ecosystem: "docker"
    directory: "/"
    target-branch: staging
    schedule:
      interval: "weekly"
    labels:
      - automerge

The above shows the a superset of a dependabot yaml file - you can list all of the different ecosystems that the repository uses. Ensure that you are only adding what the repo has.

The reason for the automerge label is to enable our automerge functionality.

Adding auto merge

The automerge capability we are adding allows dependabot to automagically merge their update PRs into our staging branch without manual intervention. This is incredibly useful because developers tend to avoid merging these dependency update PRs themselves and they will build up, and get stale.

To add auto merge:

  1. Create a .github/workflows/automerge.yaml file with the shape:
name: Automerge

on:
  pull_request:
    types: [opened, synchronize, labeled, reopened]

permissions:
  contents: write
  pull-requests: write

jobs:
  pr:
    if: contains(github.event.pull_request.labels.*.name, 'automerge')
    runs-on: ubuntu-latest
    steps:
      - name: Merge PR
        run: |
          gh pr merge --auto --squash --body="[ci skip]" "$PR_URL"
          gh pr review --approve "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  1. Next, navigate to the settings page of the repository and scroll down to the Pull Requests section. If you do not have access to this section, drop a message into DevOps.
  2. Check the box next to the option Allow auto-merge
  3. Finally, navigate to labels page of the repository. This can be found at the /labels path or by navigating to the Issues page and clicking the Labels button to the right of the filter box.
  4. Select New Label and create a label called automerge.

Adding automatic promotion PRs

To truly make our workflow simpler, this github workflow allows us to always have visibility of differences between staging and main by generating/and continuing to keep up-to-date, a PR from staging to main when differences are found.

  1. Create a .github/PROMOTE_TEMPLATE.md file with the shape:
## Description

<!-- Diff summary - START -->
<!-- Diff summary - END -->

## Commits

<!-- Diff commits - START -->
<!-- Diff commits - END -->

## Modified Files

<!-- Diff files - START -->
<!-- Diff files - END -->
  1. Create a .github/workflows/promote.yaml file with the following contents:
name: Promote Staging
on:
  push:
    branches: [ staging ]
  workflow_dispatch:

concurrency:
  group: "promote-staging"
  cancel-in-progress: true

jobs:
  promote-staging:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
      with:
        fetch-depth: 0
    - name: Create Pull Request
      uses: devops-infra/action-pull-request@v0.4.2
      with:
        github_token: ${{ secrets.NIO_BOT_TOKEN }}
        source_branch: staging
        target_branch: main
        get_diff: true
        template: .github/PROMOTE_TEMPLATE.md
        title: "chore: promote staging"
  1. Add a CODEOWNERS file to the root of the repo with the following shape:
* @ndustrialio/devs

Ideally, you should set the @ndustrialio/devs value above to a group that should commonly be notified of these pull requests. The default value above will notify everyone. Other options are:

  • @ndustrialio/apps-team
  • @ndustrialio/paas-team
  • @ndustrialio/csi
  • @ndustrialio/graphiti-artists

So choose the one that makes the most sense.

Adding branch protections

This final step of standards here is branch protection, to ensure that we are not allowing merges when we should not be.

  1. Navigate to the settings page of the repository. If you do not have permissions, reach out to DevOps.
  2. Navigate to the Branches tab under Code and automation
  3. Add a branch protection rule for main and for staging, each with:
  • Select "Require a pull request before merging" and select the sub-item "Require approvals" with a value of 1
  • Select "Require status checks to pass before merging" and "Require branches to be up to date before merging". From the status checks box, select the name of the CI/testing job.
  • Everything else can be left alone
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment