actions / add-to-project

Automate adding issues and pull requests to GitHub projects

dependabot labeled PRs do not add to project

gkwan-ibm opened this issue · comments

I created an action:

name: Add PRs to Dependabot PRs dashboard

on:
  pull_request:
    types:
      - labeled

jobs:
  add-to-project:
    name: Add PR to dashboard
    runs-on: ubuntu-latest
    steps:
      - uses: actions/add-to-project@v0.5.0
        with:
          project-url: https://github.com/orgs/...
          github-token: ${{ secrets.ADMIN_BACKLOG }}
          labeled: dependencies

This action works to add the PR to the project if I manually add the dependencies label.
But the Dependabot-created PRs (the Bump PRs) are not automatically added to the project.

Seems to be this reason.

Error: Input required and not supplied: github-token

Dependabot creates the branch and PR in the repo, not from a fork. Why does the above action not work?

From the docs: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#using-the-github_token-in-a-workflow

When you use the repository's GITHUB_TOKEN to perform tasks, events triggered by the GITHUB_TOKEN, with the exception of workflow_dispatch and repository_dispatch, will not create a new workflow run. This prevents you from accidentally creating recursive workflow runs. For example, if a workflow run pushes code using the repository's GITHUB_TOKEN, a new workflow will not run even when the repository contains a workflow configured to run when push events occur.

So if you want to respond to events that are triggered by bots you have two options:

The token I used is my personal token. Again, manually labeling the PR works fine.

The question is "Why do the Dependabot-labeled PRs (the Bump PRs) not work?"

The token I used is my personal token

ah, my bad

Why do the Dependabot-labeled PRs (the Bump PRs) not work?

You cannot have a bot apply a label and then have the https://docs.github.com/en/webhooks/webhook-events-and-payloads?actionType=labeled#pull_request event trigger another workflow. So likely your issue is that the label is applied by Dependabot. Our workaround is, as I mentioned, to have a cron job do this: https://github.com/neurobagel/planning/blob/3790a983b3c6aacf7eaabef05895b68cd200b99a/.github/workflows/global_move_bot_pr_to_board.yml

How about opened? I tried it and it also does not work. Same reason?

on:
  pull_request:
    types:
      - opened

@surchs did you find another solution to this? I had a look round some of the neurobagel repos and I can see you're not using it anymore. Did it not work as expected? I'm currently trying to find a solution to adding Dependabot PRs from around 20-30 repos to a project.
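
The cron-job approach mentioned in the thread, written out as an added example; it is not the linked neurobagel workflow and not code from any participant here. A `schedule` run does not depend on who applied the label, and it reads the repository's Actions secrets, which runs triggered by Dependabot pull requests do not receive. Assumptions: the `gh` CLI preinstalled on GitHub-hosted runners, and `example-org`, project number `1` and the repository list are placeholders.

```yaml
# Added example: scheduled sweep that adds open Dependabot PRs to a project.
# Placeholders (not from the thread): ORG, PROJECT_NUMBER, REPOS, the cron time.
name: Add Dependabot PRs to dashboard (scheduled)

on:
  schedule:
    - cron: "17 * * * *"   # hourly; not started by a bot-applied label
  workflow_dispatch:        # allows a manual run for testing

permissions: {}             # GITHUB_TOKEN gets no scopes; only the PAT is used

jobs:
  sweep:
    name: Sweep open Dependabot PRs
    runs-on: ubuntu-latest
    env:
      # Same secret name as in the thread. Assumed to be a PAT with the
      # "project" scope and read access to PRs in every listed repository.
      GH_TOKEN: ${{ secrets.ADMIN_BACKLOG }}
      ORG: example-org            # placeholder
      PROJECT_NUMBER: "1"         # placeholder
      REPOS: "repo-one repo-two"  # placeholder, space-separated
    steps:
      - name: Add open Dependabot PRs to the project
        shell: bash
        run: |
          set -euo pipefail
          # Fail with a clear message if the secret did not reach this run,
          # instead of the opaque "Input required and not supplied" error.
          if [ -z "${GH_TOKEN}" ]; then
            echo "::error::ADMIN_BACKLOG secret is empty in this run"
            exit 1
          fi
          for repo in ${REPOS}; do
            # List open PRs authored by the Dependabot app, one URL per line.
            gh pr list --repo "${ORG}/${repo}" --state open \
              --author "app/dependabot" --json url --jq '.[].url' |
            while read -r url; do
              gh project item-add "${PROJECT_NUMBER}" --owner "${ORG}" --url "${url}"
            done
          done
```

Keeping the PAT in one planning repository and sweeping the others from there avoids copying a project-scoped token into each of the repositories.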