Request: merge/rebase dependabot PRs in a queue #2323

Closed
will-molloy opened this issue Jul 16, 2020 · 8 comments
Labels
F: grouped-updates 🎳 (Relates to bumping more than one dependency in a single PR)
F: noise (related to Dependabot being noisy, or initiatives to make Dependabot quieter)
service 💁 (Relates to Dependabot features GitHub provides)
T: feature-request (Requests for new features)

Comments

@will-molloy

Currently dependabot rebases PRs individually. This is a problem when you have the 'require branches to be up to date' protection because it might have to update several times (and use lots of github action minutes).

Say I have 5 dependabot PRs, they all run the build, then one merges automatically, then the other 4 rebase and rerun the build again and so on. Worst case it runs the build 15 times.

Is it possible dependabot could realise there are other dependabot PRs and update/merge them in a kind of queue?

@jbergstroem

Another way of solving this could be using grouped updates (#1190).

@chdsbd

chdsbd commented Aug 4, 2020

If you don't mind adding another bot I built an open source GitHub bot called Kodiak that efficiently updates and merges PRs. With default settings each PR would only be updated prior to merge to prevent wasting CI minutes.

With efficient updates you'd get 4 rebase updates instead of 10.

There are a lot of other merge bots to look at too: https://kodiakhq.com/docs/prior-art-and-alternatives

@lseppala lseppala added service 💁 Relates to Dependabot features GitHub provides F: noise related to Dependabot being noisy, or initiatives to make Dependabot quieter T: feature-request Requests for new features labels Dec 7, 2021
@JarvisCraft

This may become possible with the recent addition of Merge Queues to GitHub [1].

Footnotes

  1. currently in limited public beta

@melink14

> If you don't mind adding another bot I built an open source GitHub bot called Kodiak that efficiently updates and merges PRs. With default settings each PR would only be updated prior to merge to prevent wasting CI minutes.

Since by default Dependabot will automatically rebase out of date PRs, this would probably only work if you also updated Dependabot with rebase-strategy: "disabled".

@jeffwidman jeffwidman changed the title Request: merge/update dependabot PRs in a queue Request: merge/rebase dependabot PRs in a queue Feb 5, 2023
@jeffwidman jeffwidman added the F: grouped-updates 🎳 Relates to bumping more than one dependency in a single PR label Feb 10, 2023
@jeffwidman
Member

Another option to reduce CI runs is to use the recently announced Merge Queue feature:
https://github.blog/changelog/2023-02-08-pull-request-merge-queue-public-beta/

Note that this solves for PR rebases, but not Dependabot rebases... when Dependabot rebases, it's effectively re-calling the package manager to re-resolve the manifest / lockfile. For example, if you bump one dep that changes the indirect constraint on another package, that may affect the outcome of the resolving... a normal PR rebase won't pick that up so could result in breakage.

@melink14

Yeah, in my case, I had mergify set to comment @dependabot rebase when there were conflicts to handle it.

It looks like the native implementation would work well for the easy flow. Replacing the dependabot rebase is harder though since iirc github action comments can't trigger dependabot commands...

@abdulapopoola
Member

Update: We've started doing some grouped updates work! This particular issue might not be part of the first ship but if you want to track our updates, do follow #1190.

@abdulapopoola
Member

Closing this out as we've officially released grouped version updates; please feel free to reopen or reach out if there are more questions or feedback.
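
A `dependabot.yml` sketch combining the two configuration-side options raised in this thread: grouped updates and `rebase-strategy: "disabled"`. This is an added example, not a configuration posted by any participant or taken from the Dependabot project; the `npm` ecosystem, root directory, weekly schedule and group name are assumptions.

```yaml
# .github/dependabot.yml (added example; ecosystem, directory,
# schedule and group name are assumed values)
version: 2
updates:
  - package-ecosystem: "npm"   # assumption: replace with your ecosystem
    directory: "/"             # assumption: manifest at the repository root
    schedule:
      interval: "weekly"       # assumption

    # Stop Dependabot from rebasing every open PR whenever the base
    # branch moves. With "require branches to be up to date" enabled,
    # the default automatic rebase is what triggers the repeated builds
    # described in the opening comment. A merge bot or merge queue can
    # then update each PR only right before it merges.
    rebase-strategy: "disabled"

    # Grouped version updates: one PR, and so one CI run, for every
    # dependency matched by the patterns instead of one PR each.
    groups:
      all-dependencies:        # assumption: any group name works
        patterns:
          - "*"

# Caveat from the thread: a plain branch update does not re-resolve the
# manifest / lockfile the way a Dependabot rebase does. Commenting
# "@dependabot rebase" on the PR still requests a full Dependabot
# rebase when one is needed, for example after a conflict.
```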
