Using GitHub Actions to update packages.lock.json for Dependabot PRs
I like using Dependabot to keep my package dependencies up to date. But it does have one problem if you’re using
packages.lock.json files with NuGet packages - it doesn’t update them. So your csproj will be modified but the packages.lock.json file won’t, which can lead to broken failing.
Here’s one approach to working around this. Hopefully GitHub will fix this properly in the future.
I’m going to make use of Peter Evans’ Slash Command Dispatch GitHub Action to enable triggering by entering
/lockfiles as a comment on the pull request. This action is extensible and can be used to create all kinds of ‘slash’ commands.
First up, I created a new workflow that uses this action:
name: Slash Command Dispatch on: issue_comment: types: [created] jobs: slashCommandDispatch: runs-on: ubuntu-latest steps: - uses: xt0rted/[email protected] id: comment-branch - name: Slash Command Dispatch uses: peter-evans/[email protected] id: slash-command with: token: $ commands: | lockfiles permission: write issue-type: pull-request dispatch-type: workflow static-args: ref=$
Things to note:
- We’re triggering on a new comment being added to a pull request
- We use Pull Request Comment Branch Action to obtain the name of the branch that is linked to the pull request for the triggering comment.
dispatch-typeis set to
workflowas we want the secondary workflow to run against the pull request branch (not the default branch)
- We set the
refargument to the branch name. This will be picked up by the second workflow.
The second workflow is named
lockfiles-command.yml. It needs to follow the convention of commandname-command.yml.
name: Update lockfiles on: workflow_dispatch: jobs: lockfiles: runs-on: ubuntu-latest steps: - uses: actions/[email protected] with: fetch-depth: 0 token: $ - name: Setup .NET 5 uses: actions/[email protected] with: dotnet-version: 5.0.x - name: Restore dependencies run: dotnet restore --force-evaluate - uses: stefanzweifel/[email protected] with: commit_message: Update lockfiles
Things to note:
- This workflow uses the workflow_dispatch trigger.
- The checkout action notices that the ref value was set in the first workflow and so will checkout the pull request branch.
- We use the git-auto-commit Action to commit and push any changes made by the earlier
To trigger the workflow, add a new comment to a pull request with
You can see a complete repo with example pull request over at https://github.com/flcdrg/dependabot-lockfiles/pull/1
It could be possible to have this workflow trigger automatically after Dependabot creates the pull request if you wanted to completely automate this approach, rather than needing to add the comment manually.