How would you describe the issue?

Hi,

I'm migrating from dependabot-preview to dependabot, see https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot/. Github integrated depandabot is missing automerge feature, which was available in preview. Therefor I opted to use this github action to automerge dependabot PR's. Unfortunately it isn't working as expected.

How can we reproduce the issue?

• Configure new dependabot for repo. For example this is how I did https://github.com/z0rc/dotfiles/blob/master/.github/dependabot.yml.
• Enable merge-me for dependabot user. I did it like this https://github.com/z0rc/dotfiles/blob/master/.github/workflows/automerge.yml.
• Observe merge-me action, for example here https://github.com/z0rc/dotfiles/runs/760276753?check_suite_focus=true.

What are the expected results?

merge-me action would recognize configured GITHUB_LOGIN: dependabot and merge the PR.

What are the actual results?

merge-me action doesn't recognize dependabot "user" configured via GITHUB_LOGIN. Pull request not created by dependabot, skipping.

How much does it hurt?

Dependabot migration caught me off guard and I have to manually merge couple of PR's from it manually each day,

How would you describe the issue?
The preset DEPENDABOT_MINOR doesn't appear to work with the new GitHub-native Dependabot. (The old dependabot will be turned off in early August). The logs indicate Dependabot was not recognized.

How can we reproduce the issue?

1. Enable GitHub native dependabot
2. Setup a workflow to automerge:
   • https://github.com/amclin/advent-of-code/blob/master/.github/workflows/automerge.yml#L16
3. Update a Dependabot-created branch to trigger the workflow

What are the expected results?

Dependabot-created PR merges

What are the actual results?
Dependabot-created PR does not merge. Log indicates Dependabot was not detected by merge-me-action

Run ridedott/merge-me-action@v2
  with:
    GITHUB_TOKEN: ***
    PRESET: DEPENDABOT_MINOR
    GITHUB_LOGIN: dependabot
    MERGE_METHOD: SQUASH
    ENABLED_FOR_MANUAL_CHANGES: false
    MAXIMUM_RETRIES: 3
Automatic merges enabled for GitHub login: dependabot.
Found pull request information: {"authorLogin":"dependabot","commitMessage":"Merge branch 'master' into dependabot/npm_and_yarn/mocha-9.0.2","commitMessageHeadline":"Merge branch 'master' into dependabot/npm_and_yarn/mocha-9.0.2","mergeableState":"MERGEABLE","merged":false,"pullRequestId":"MDExOlB1bGxSZXF1ZXN0NjgzNjgyMzQ4","pullRequestNumber":179,"pullRequestState":"OPEN","pullRequestTitle":"chore(deps-dev): bump mocha from 9.0.1 to 9.0.2","repositoryName":"advent-of-code","repositoryOwner":"amclin","reviewEdges":[]}.
Pull request changes were not made by dependabot.

How much does it hurt?

A lot, especially come August when legacy Dependabot goes away without a reliable automerge solution.

How would you describe the issue?

Looks like after 172fa69 action starts failing with error if ENABLE_GITHUB_API_PREVIEW is disabled (it is disabled by default).

How can we reproduce the issue?

Here is our workflow file - https://github.com/networkservicemesh/sdk-kernel/blob/main/.github/workflows/automerge.yaml.

---
name: automerge
on:
  workflow_run:
    types:
      - completed
    workflows:
      - 'ci'
jobs:
  automerge:
    name: Automerge
    runs-on: ubuntu-latest
    if: ${{ github.event.workflow_run.conclusion == 'success' && github.actor == 'nsmbot' }}
    steps:
      - name: Check out the code
        uses: actions/checkout@v2
      - name: Fetch main
        run: |
          git remote -v
          git fetch --depth=1 origin main
      - name: Only allow go.mod, go.sum, *.gen.go files
        run: |
          find . -type f ! -name 'go.mod' ! -name 'go.sum' -exec git diff --exit-code origin/main -- {} +
      - name: Merge PR
        uses: ridedott/merge-me-action@master
        with:
          GITHUB_LOGIN: nsmbot
          ENABLED_FOR_MANUAL_CHANGES: true
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          MAXIMUM_RETRIES: 25

What are the expected results?

Here is the last successful output before update:

Run ridedott/merge-me-action@master
  with:
    GITHUB_LOGIN: nsmbot
    ENABLED_FOR_MANUAL_CHANGES: true
    GITHUB_TOKEN: ***
    MAXIMUM_RETRIES: 25
    MERGE_METHOD: SQUASH
Automatic merges enabled for GitHub login: nsmbot.
Found pull request information: {"authorLogin":"nsmbot","commitMessage":"Update go.mod and go.sum to latest version from networkservicemesh/sdk@main networkservicemesh/sdk#\n\nnetworkservicemesh/sdk PR link: https://github.com/networkservicemesh/sdk/pull/\n\nnetworkservicemesh/sdk commit message:\ncommit b086a10c94fe8cf762fe7bde478e6ce0bafc6d61\nAuthor: Denis Tingaikin <[email protected]>\nDate:   Mon Jul 19 20:27:47 2021 +0700\n\n    qfix: DNSNSEResolve server should correctly translate NSE for floating side and for querying side (#1027)\n\n    * fix issue with interdomain nse labels\n\n    Signed-off-by: Denis Tingaikin <[email protected]>\n\n    * apply review comments\n\n    Signed-off-by: denis-tingajkin <[email protected]>\n\nSigned-off-by: NSMBot <[email protected]>","commitMessageHeadline":"Update go.mod and go.sum to latest version from networkservicemesh/sd…","mergeableState":"MERGEABLE","merged":false,"pullRequestId":"MDExOlB1bGxSZXF1ZXN0NjkyNjA5MDAz","pullRequestNumber":296,"pullRequestState":"OPEN","pullRequestTitle":"Update from update/networkservicemesh/sdk","repositoryName":"sdk-kernel","repositoryOwner":"networkservicemesh","reviewEdges":[]}.

What are the actual results?

Here is the current output:

Run ridedott/merge-me-action@master
  with:
    GITHUB_LOGIN: nsmbot
    ENABLED_FOR_MANUAL_CHANGES: true
    GITHUB_TOKEN: ***
    MAXIMUM_RETRIES: 25
    ENABLE_GITHUB_API_PREVIEW: false
    MERGE_METHOD: SQUASH
Automatic merges enabled for GitHub login: nsmbot.
Error: An unexpected error occurred: Cannot read property 'endCursor' of undefined, TypeError: Cannot read property 'endCursor' of undefined
    at makeGraphqlIterator (/home/runner/work/_actions/ridedott/merge-me-action/master/webpack:/@ridedott/merge-me-action/src/common/makeGraphqlIterator.ts:50:1)
    at process.node (internal/process/task_queues.js:93:5)
    at branchProtectionRules (/home/runner/work/_actions/ridedott/merge-me-action/master/webpack:/@ridedott/merge-me-action/src/common/listBranchProtectionRules.ts:50:1)
    at continuousIntegrationEndHandle (/home/runner/work/_actions/ridedott/merge-me-action/master/webpack:/@ridedott/merge-me-action/src/eventHandlers/continuousIntegrationEnd/index.ts:80:1).

How much does it hurt?

We can temporary switch to using previous version, but we rather want to use your latest version.
Currently this totally breaks our CI, please help us :)

What do you want to achieve?
Make it work

What is the current way of working?

eksperimental-debug/merge_test#4

How much does it hurt?

I have not been able to make it work once. Am I missing something?

What do you want to achieve?

It should be possible to lunch the action on a workflow_runaction, with workflow like this:

name: Auto merge Dependabot updates

on:
  workflow_run:
    workflows:
      - Workflow 1
      - Workflow 2
    types:
      - completed

jobs:
  auto-merge:
    name: Auto merge
    runs-on: ubuntu-latest
    steps:
      - name: Auto merge
        uses: ridedott/dependabot-auto-merge-action@master
        with:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

In this case, we get an event like this (from github context) (largely simplified):

{
  "event_name": "workflow_run",
  "event": {
    "action": "completed",
    "workflow_run": {
      "conclusion": "success",
      "pull_requests": [
        {
          "number": <number>,
          "url": "https://api.github.com/repos/<org>/<repo>/pulls/<number>"
        }
      ]
    }
  }
}

What is the current way of working?

Actually, the merge is done by Dependabot v1

How much does it hurt?

I can't migrate to Dependabot v2, and the solution of putting merge-me-action at the ends of my main workflow doesn't work well because in some cases I should wait on more than one workflow.

What do you want to achieve?

I got a bot to do my release and do auto-backporting.
It would be nice to be able to specify another kind of bot, that we allow the PR to be automerged.

What is the current way of working?

I just do it manually

How much does it hurt?

Not much, I just like automatised what is possible :)

Hey there,

first of all: thanks for this action. This safes me a whole bunch of manually merging PRs from dependabot.

What do you want to achieve?

I actually have this action as part of my repository. It does update deps on a weekly base and this action always have a huge amount of releases in between.

There were 3 releases on thursday last week within 4 Minutes:
https://github.com/ridedott/merge-me-action/releases/tag/v2.8.41
https://github.com/ridedott/merge-me-action/releases/tag/v2.8.42
https://github.com/ridedott/merge-me-action/releases/tag/v2.8.43

So whenever whatever chore dependency is merged to this repository, a new release is being tagged. I don't think that this is really necessary and creates a whole bunch of versions which almost no one will ever use (due to the constraints used in upstream projects).

The worst thing what might happen is, that some of your dependencies starts using the same logic as this component uses: Whenever a dependency has changes, bump that dependency via dependabot and create a release.

This will end-up in an infinite loop and depending on the frequency dependabot will create PRs to bump dependencies, this wont end-up well 😅

What is the current way of working?

Every dependabot PR which is being merged will end-up being a dedicated release. 🤷🏼‍♂️

How much does it hurt?

Not that much. Just realized this in my package and having that large amount of releases might not be necessary.

What do you want to achieve?

Hey there 👋 I'm trying to have the action go through only when other status checks are complete. These are split into separate workflows, so what ends up happening is that the action passes and the PR is merged before other workflows are finished.

This seems to be happening because only requiresStrictStatusChecks is being checked, which looks like it only covers the Require branches to be up to date before merging option:

We don't have this option turned on in our repo, so this returns false even though mergeStateStatus is BLOCKED for the branch and the merge goes through. Is what I'm looking for possible if requiresStatusChecks is also checked?

Alternatively, is it possible to expose an option to use the enablePullRequestAutoMerge mutation rather than mergePullRequest?

I'm happy to help contribute to this change 👍

What is the current way of working?

We don't have a workaround right now, other than having the DEPENDABOT_MINOR preset in place, but breaking changes still manage to sneak in because our other status checks are being ignored.

How much does it hurt?

It's painful! 🙃

I think this project gives something like GitLab's "Merge when CI completes" checkbox functionality in GitHub, but it's not clear from the README, which just dives into how to configure the action for 3 different scenarios. It should have an opening sentence, something like:

This action will automatically merge PRs when all the other actions have passed and there are no merge conflicts. It provides similar functionality to GitLab's "Merge when CI completes" checkbox.

If the above is what this action does, I'd really like to use it on my projects. 😃

What do you want to achieve?

Squash merge is disabled in the repo i want to use this in. At the moment i get an error saying squash merge isn't enabled:

GraphqlError: Squash merges are not allowed on this repository.
    at evalmachine.<anonymous>:1:301669
    at processTicksAndRejections (internal/process/task_queues.js:93:5)
    at Object.t.pullRequestHandle (evalmachine.<anonymous>:1:112743)

What is the current way of working?

Have to manually merge at the end.

How much does it hurt?

Sadly, currently can't use this action, without an enhancement, unless there's a configuration option I can't find.

How would you describe the issue?

Upon merging while authenticated as a GitHub Application (bot), the Action prints the following error, but merges successfully anyway:

An error occurred while merging the Pull Request. This is usually caused by the base branch being out of sync with the target branch. In this case, the base branch must be rebased. Some tools, such as Dependabot, do that automatically.

The step doesn't fail despite the error, it simply returns successfully and the PR gets merged.

Example from a recent workflow run: https://github.com/deviantony/docker-elk/actions/runs/3555997794/jobs/5973029853#step:3:12

The Application has the following permissions assigned:

• Administration (Read-only)
• Pull request (Read-only)
• Contents (Read and write)
• Metadata (Read-only)

How can we reproduce the issue?

on:
  workflow_run:
    workflows: [ CI ]
    types:
      - completed

# ...

jobs:

  merge:
    if: github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest

    steps:
      - name: Approve and merge
        uses: ridedott/merge-me-action@v2
        with:
          GITHUB_LOGIN: my-app-name
          GITHUB_TOKEN: my-app-token

What are the expected results?

Print a more detailed error: what failed and why.

Alternatively, don't print an error if the PR was merged successfully.

How much does it hurt?

1/10

How would you describe the issue?

I've got a pipeline that is failing and branch protection rules that don't allow merging unless pipeline passes. Yet, github api returns "mergeable": "MERGEABLE" which causes this action to attempt merging regardless of pipeline status. This seems to cause issues if the github token has privileges that allow it to merge with failing pipelines.

How can we reproduce the issue?

1. Make CI fail
2. Check mergeable flag in github api
3. Run this action

What are the expected results?

It shouldn't merge PRs with failed pipeline.

What are the actual results?

It merges the PR.

How much does it hurt?

As far as I understand if I want to allow repository administrators to still be able to merge failing PRs I have to create a separate account without administrator access just for running this action, otherwise it would merge everything regardless of pipeline status. If that's intended it would be good to add this into readme, so it doesn't cause issues

Real life example:
Dependabot opened this PR mavend/octoboard#296 which caused tests to fail, yet merge-me still merged it here https://github.com/mavend/octoboard/runs/2307308047?check_suite_focus=true because mergeableState was set to MERGEABLE. I had branch protection rules configured like this:

I guess the reason for this is that it was running with administration privileges, and administrators were allowed to merge with pipelines failures?

More investigation:
Here's a test PR I made that causes CI to fail mavend/octoboard#298. Requesting it's data from github api returns the following

{
  "data": {
    "repository": {
      "pullRequest": {
        "id": "MDExOlB1bGxSZXF1ZXN0NjEyNTgzMTM1",
        "merged": false,
        "mergeable": "MERGEABLE",
        "state": "OPEN",
        "title": "Test GH actions"
      }
    }
  }
}

though it's clearly not mergable

According to github docs this flag only checks for merge conflicts and doesn't account for pipeline status.

There seem to be a way of getting actual pipeline results from statusCheckRollup in commit data:

commits(last: 1) {
  edges {
    node {
      commit {
        message
          statusCheckRollup {
            state

which returns

"commits": {
  "edges": [
    {
      "node": {
        "commit": {
          "message": "Test",
          "statusCheckRollup": {
            "state": "FAILURE"
          }
        }
      }
    }
  ]
}

What do you want to achieve?

It would be great to be able to use multiple GitHub logins instead of just one (e.g., only dependabot[bot]). This would allow for greater automation possibilities.

For instance, in my case, I'm creating a CD pipeline. Twice per week, a GitHub action starts a PR from main into production. Then another action (the one that using this "merge-me" action) will merge the PR after all tests pass. For this, I can just whitelist 'github-actions[bot]' instead of the default dependabot. However, sometimes it's good manually push things to production (e.g., there's a nasty bug in production that needs to be fixed ASAP). To streamline things, a user (me) should just need to start a PR from main to production, then the actions do the rest of the work. But since I'm not a github-actions[bot], the PR will not be automatically merged.

- name: Merge me!
        uses: ridedott/[email protected]
        with:
          GITHUB_LOGIN:
            - 'github-actions[bot]'
            - 'dependabot[bot]'
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

or perhaps set a wildcard:

- name: Merge me!
        uses: ridedott/[email protected]
        with:
          GITHUB_LOGIN: '*'
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

What is the current way of working?

You can list the merge-me action multiple times, each with a different GITHUB_LOGIN specified. However, this means that all actions will run longer (merge-me always run multiple times), it's not DRY, and it doesn't scale.

How much does it hurt?

7/10

How would you describe the issue?

I'm using github's built-in dependabot and added merge-me according to documentation. The action doesn't seem to properly recognise dependabot as commits author out of the box.

How can we reproduce the issue?

1. Create new job using default settings

jobs:
  merge-me:
    name: Merge me!
    runs-on: ubuntu-latest
    steps:
      - name: Merge me!
        uses: ridedott/[email protected]
        with:
          GITHUB_TOKEN: ${{ secrets.AUTO_MERGE_TOKEN }}

What are the expected results?

dependabot PRs get merged

What are the actual results?

Job fails with the following output:

Automatic merges enabled for GitHub login: dependabot.
Found pull request information: {"authorLogin":"dependabot","commitAuthorName":"dependabot[bot]","commitMessage":"Bump @sentry/node from 6.2.4 to 6.2.5\n\nBumps [@sentry/node](https://github.com/getsentry/sentry-javascript) from 6.2.4 to 6.2.5.\n- [Release notes](https://github.com/getsentry/sentry-javascript/releases)\n- [Changelog](https://github.com/getsentry/sentry-javascript/blob/master/CHANGELOG.md)\n- [Commits](https://github.com/getsentry/sentry-javascript/compare/6.2.4...6.2.5)\n\nSigned-off-by: dependabot[bot] <[email protected]>","commitMessageHeadline":"Bump @sentry/node from 6.2.4 to 6.2.5","mergeableState":"MERGEABLE","merged":false,"pullRequestId":"MDExOlB1bGxSZXF1ZXN0NjExMjQ4NzIz","pullRequestState":"OPEN","pullRequestTitle":"Bump @sentry/node from 6.2.4 to 6.2.5","reviewEdges":[]}.
Pull request changes were not made by dependabot.

How much does it hurt?

Just setting GITHUB_LOGIN to dependabot[bot] (which is commitAuthorName) prevents the job from running since PR author doesn't match anymore:

Automatic merges enabled for GitHub login: dependabot[bot].
Pull request created by dependabot, not dependabot[bot], skipping.

However, it's possible to workaround this with micromatch:

GITHUB_LOGIN: '(dependabot|dependabot\[bot\])'

Here's an example workflow that failed https://github.com/mavend/octoboard/runs/2307117681?check_suite_focus=true and it's job definition https://github.com/mavend/octoboard/actions/runs/733497847/workflow

And a workflow with workaround that merged the PR https://github.com/mavend/octoboard/runs/2307312762?check_suite_focus=true and it's job definition https://github.com/mavend/octoboard/actions/runs/733570773/workflow

Description

Currently master version of merge-me-action can not handle push, pull_request events.

Example:

Warning: Unknown event pull_request, skipping.

It has been disabled here: aa86df2

Question: Could you clarify why it is not supported more?

How would you describe the issue?
https://github.com/ClearcodeHQ/jira_timemachine/actions/runs/3327307904/jobs/5501967216
I'm getting this weird bug across all repositories I have. It happens after I merge the dependabot's pull requests (major version change so I have to do it manually) to main branch.

How can we reproduce the issue?

Not sure, merge something dependabot updates to major version to master?

What are the expected results?

One out of three:

• Not be triggered by main branch (unless theres' a setting I missed)
• Produce meaningful error message instead of traceback.
• Not fail 🤔

What are the actual results?

https://github.com/ClearcodeHQ/jira_timemachine/actions/runs/3327307904/jobs/5501967216

How much does it hurt?

Not sure yet, worst case scenario, if it fails on all prs, then that means I'll have to merge event the patch dependabot updates across many of my repositories, if it's main branch only, that means a lot of spam emails.
It fails also on regular patch updates so that means that the action does not work currently at all.
https://github.com/ClearcodeHQ/pytest-dynamodb/actions/runs/3326150718

How would you describe the issue?

First, im not sure if this is a real bug here or something wrong with the config or gh workflow fail, maybe you can help me?

I recently added the workflow for auto-merges here: https://github.com/maglnet/ComposerRequireChecker/blob/3.6.x/.github/workflows/merge-dependabot-upgrades.yml
I wanted that these workflows listed there should all be successfully run and then the PR from dependatbot should be auto-merged.

Here one PR that was merged to fast: maglnet/ComposerRequireChecker#323

What are the expected results?

I would expect that all jobs need to be successful for the auto-merge.

What are the actual results?

The merge happens before all job were green.

How much does it hurt?

The solution would be to put all workflow files into one "Continues Integration" which is really not nice for maintainance. For example here: https://github.com/Roave/BetterReflection/tree/5.0.x/.github/workflows

How would you describe the issue?

Attempting to perform an auto-merge, the step fails unexpectedly

How can we reproduce the issue?

Add this to the end of a build and packaging YAML file:

  auto-merge:
    needs:
      - package
    runs-on: ubuntu-latest
    steps:
      - uses: ridedott/merge-me-action@v2
        with:
          preset: DEPENDABOT_PATCH
          github_token: ${{ secrets.PULL_NPM }}

What are the expected results?

Error is produced (log below)

What are the actual results?

Merge should complete successfully

How much does it hurt?

Quite a lot, mostly because the feedback loop is pretty massive.

Here is the log output:

2021-07-08T15:17:50.8254989Z Found online and idle hosted runner(s) in the current repository's organization account that matches the required labels: 'ubuntu-latest'
2021-07-08T15:17:50.8255037Z Waiting for a hosted runner in 'organization' to pick this job...
2021-07-08T15:18:13.2215311Z Current runner version: '2.278.0'
2021-07-08T15:18:13.2244633Z ##[group]Operating System
2021-07-08T15:18:13.2245758Z Ubuntu
2021-07-08T15:18:13.2246135Z 20.04.2
2021-07-08T15:18:13.2246530Z LTS
2021-07-08T15:18:13.2246918Z ##[endgroup]
2021-07-08T15:18:13.2247432Z ##[group]Virtual Environment
2021-07-08T15:18:13.2248039Z Environment: ubuntu-20.04
2021-07-08T15:18:13.2248498Z Version: 20210628.1
2021-07-08T15:18:13.2249376Z Included Software: https://github.com/actions/virtual-environments/blob/ubuntu20/20210628.1/images/linux/Ubuntu2004-README.md
2021-07-08T15:18:13.2250744Z Image Release: https://github.com/actions/virtual-environments/releases/tag/ubuntu20%2F20210628.1
2021-07-08T15:18:13.2251466Z ##[endgroup]
2021-07-08T15:18:13.2253185Z ##[group]GITHUB_TOKEN Permissions
2021-07-08T15:18:13.2254319Z Actions: write
2021-07-08T15:18:13.2254743Z Checks: write
2021-07-08T15:18:13.2255206Z Contents: write
2021-07-08T15:18:13.2255825Z Deployments: write
2021-07-08T15:18:13.2256375Z Discussions: write
2021-07-08T15:18:13.2256852Z Issues: write
2021-07-08T15:18:13.2257260Z Metadata: read
2021-07-08T15:18:13.2257699Z Packages: write
2021-07-08T15:18:13.2258194Z PullRequests: write
2021-07-08T15:18:13.2258687Z RepositoryProjects: write
2021-07-08T15:18:13.2259243Z SecurityEvents: write
2021-07-08T15:18:13.2259983Z Statuses: write
2021-07-08T15:18:13.2260571Z ##[endgroup]
2021-07-08T15:18:13.2263328Z Prepare workflow directory
2021-07-08T15:18:13.3041838Z Prepare all required actions
2021-07-08T15:18:13.3055004Z Getting action download info
2021-07-08T15:18:15.0688257Z Download action repository 'ridedott/merge-me-action@v2'
2021-07-08T15:18:15.8060213Z ##[group]Run ridedott/merge-me-action@v2
2021-07-08T15:18:15.8061241Z with:
2021-07-08T15:18:15.8061752Z   preset: DEPENDABOT_PATCH
2021-07-08T15:18:15.8063265Z   github_token: ***
2021-07-08T15:18:15.8063799Z   GITHUB_LOGIN: dependabot
2021-07-08T15:18:15.8064241Z   MERGE_METHOD: SQUASH
2021-07-08T15:18:15.8064750Z   ENABLED_FOR_MANUAL_CHANGES: false
2021-07-08T15:18:15.8065278Z   MAXIMUM_RETRIES: 3
2021-07-08T15:18:15.8065689Z env:
2021-07-08T15:18:15.8066252Z   webapp_path: BennettJones.EthicalWalls
2021-07-08T15:18:15.8066786Z ##[endgroup]
2021-07-08T15:18:16.4184499Z Automatic merges enabled for GitHub login: dependabot.
2021-07-08T15:18:16.4230498Z ##[error]An unexpected error occurred: Cannot read property 'pullRequest' of null, TypeError: Cannot read property 'pullRequest' of null
    at getPullRequestInformationByPullRequestNumber (/home/runner/work/_actions/ridedott/merge-me-action/v2/webpack:/@ridedott/merge-me-action/src/common/getPullRequestInformation.ts:68:1)
    at process.pullRequestInformation (internal/process/task_queues.js:93:5)
    at pullRequestInformation (/home/runner/work/_actions/ridedott/merge-me-action/v2/webpack:/@ridedott/merge-me-action/src/common/getPullRequestInformation.ts:125:1)
    at pullRequestHandle (/home/runner/work/_actions/ridedott/merge-me-action/v2/webpack:/@ridedott/merge-me-action/src/eventHandlers/pullRequest/index.ts:21:1).
2021-07-08T15:18:16.4279670Z Cleaning up orphan processes

How would you describe the issue?

From this weekend I have this error:

Automatic merges enabled for GitHub login: dependabot-preview[bot].
Found pull request information: {"reviewEdges":[{"node":{"state":"APPROVED"}}]}.
An error ocurred while merging the Pull Request. This is usually caused by the base branch being out of sync with the target branch. In this case, the base branch must be rebased. Some tools, such as Dependabot, do that automatically.
##[error]An unexpected error occurred: Required status check "Continuous integration" is in progress., GraphqlError: Required status check "Continuous integration" is in progress.
    at key (/home/runner/work/_actions/ridedott/dependabot-auto-merge-action/master/node_modules/@octokit/graphql/dist-node/index.js:42:1)
    at processTicksAndRejections (internal/process/task_queues.js:93:5)
    at approveAndMergePullRequestMutation (/home/runner/work/_actions/ridedott/dependabot-auto-merge-action/master/src/common/merge.ts:40:9)
    at Object.mergeWithRetry (/home/runner/work/_actions/ridedott/dependabot-auto-merge-action/master/src/common/merge.ts:49:14)
    at Object.logInfo (/home/runner/work/_actions/ridedott/dependabot-auto-merge-action/master/src/eventHandlers/pullRequest/index.ts:86:5).

How can we reproduce the issue?

Run this workflow:
https://github.com/mapfish/mapfish-print/blob/master/.github/workflows/dependabot-auto-merge.yaml

In // of a required and running workflow

What are the expected results?

Validate the pull request

What are the actual results?

Error in the workflow, e.-g.:

https://github.com/mapfish/mapfish-print/pull/1453/checks?check_run_id=1020852174

How much does it hurt?

It makes this action unusable for us...

What do you want to achieve?

Most likely, this is already possible, and I just don't get it from the docs. What I'd like to do is back-merge master into dev automatically. Both master and dev are protected (dev requires a review and CI passing). Currently, when I merge a release into master, a new PR is automatically created (using a Github Action) to pull master back to dev. I'd like this to be auto-merged, with the only required criteria being that it's up-to-date (i.e. I don't want to have to review it, or for it to pass CI tests, since that's redundant). However, I don't want the Merge-Me action to automatically merge other PRs to dev!

Is there a way of constraining Merge-Me to operate only on PRs that have a certain label, for example? (Currently these PRs are labeled with auto-pr).

What is the current way of working?

Currently, I just do it manually -- I have to go to Github and click merge.

How much does it hurt?

It's fairly annoying, especially as I'm sure someone must have fixed this problem before!

What do you want to achieve?

GitHub is encouraging people to move to Github-native dependabot. As you know they removed auto-merge function.

With dependabot preview we are using NPM semantic versioning so that it only auto-merges minors and patches version, leaving major versions alone. It leaves us the opportunity to review (and learn) about major changes in the library (even if they don't break the tests) while making it as low maintenance as possible for other upgrades. We can arrive in the morning and all the safe/easy upgrades are done.

This is our current setting in dependabot-preview:

I think it is not possible to do this right now with merge-me-action (and maybe it is just too hard to implement).

What is the current way of working?

Using the tandem Github-native dependabot we are either forced to auto-merge everything with merge-me-action or manually merge all upgrades PR.

How much does it hurt?
It is unsustainable for us, so, for now, we plan to stay as long as possible on dependabot-preview.

How would you describe the issue?
I'm trying to use this workflow in a project of mine. The project has a protected master branch, and I'm seeing the following error in the run log. The run url is here. Additionally, the run is marked as successful even though the operation failed.

Run ridedott/dependabot-auto-merge-action@master
pullRequestHandle: PullRequestId: MDExOlB1bGxSZXF1ZXN0MzQ0NjY5OTc1, commitHeadline: build(deps): bump gatsby-plugin-typescript from 2.1.18 to 2.1.19.
##[warning]GraphqlError: You're not authorized to push to this branch. Visit https://help.github.com/articles/about-protected-branches/ for more information.
##[warning]{"data":{"mergePullRequest":null},"errors":[{"type":"UNPROCESSABLE","path":["mergePullRequest"],"locations":[{"line":3,"column":5}],"message":"You're not authorized to push to this branch. Visit https://help.github.com/articles/about-protected-branches/ for more information."}],"name":"GraphqlError","request":{"query":"\n  mutation ($commitHeadline: String!, $pullRequestId: ID!) {\n    mergePullRequest(input: {commitBody: \"\", commitHeadline: $commitHeadline, mergeMethod: SQUASH, pullRequestId: $pullRequestId}) {\n      clientMutationId\n    }\n  }\n","variables":{"commitHeadline":"build(deps): bump gatsby-plugin-typescript from 2.1.18 to 2.1.19","pullRequestId":"MDExOlB1bGxSZXF1ZXN0MzQ0NjY5OTc1"}}}

We use this action to auto merge our dependabot PRs that is configured to create PRs against our non-default branch develop.

Our dependabot.yml is this:

version: 2
registries:
  composer-repository-nova-laravel-com:
    type: composer-repository
    url: https://nova.laravel.com
    username: "${{secrets.NOVA_USERNAME}}"
    password: "${{secrets.NOVA_PASSWORD}}"

updates:
- package-ecosystem: composer
  directory: "/"
  schedule:
    interval: weekly
  open-pull-requests-limit: 20
  target-branch: develop
  versioning-strategy: increase
  registries:
  - composer-repository-nova-laravel-com

However, when dependabot runs for JavaScript security updates it makes them against our default branch e.g. master which we don't want but can accept if our merge me workflow didn't auto merge them.

I know adding JavaScript to the depandbot.yml may fix it but we don't want to be getting any dependabot updates for javascript at this time.

How would you describe the issue?

Merge-me action sometimes fails with ##[error]GraphqlError: Base branch was modified. Review and try the merge again. Example https://github.com/z0rc/dotfiles/pull/1451/checks?check_run_id=797772548. Re-running affected job works fine, the error doesn't reproduce.

How can we reproduce the issue?

This one is tricky. I'm using this for single repo, where dependabot updates submodules and PR's can be merged only via rebase. As Dependabot creates multiple PR's almost simultaneously, same number of simultaneous github-actions being executed. I think there is run condition, where one action action updates the master branch, and another actions fails on merge, until github "unlocks" PR for being able to merge again. See https://github.community/t/merging-via-rest-api-returns-405-base-branch-was-modified-review-and-try-the-merge-again/13787

What are the expected results?

Merge-me action would succeed. Maybe retry on failure.

What are the actual results?

Merge-me action fails with ##[error]GraphqlError: Base branch was modified. Review and try the merge again..

How much does it hurt?

One or two PR's from daily dependabot update batch (5-10 PR's) fail on merge-me action.

How would you describe the issue?

Auto merge me from a workflow_run reports success with a generic error message.

How can we reproduce the issue?
On a public repository, use this exact setup:

Follow this guide: https://stefanzweifel.io/posts/2021/04/28/auto-merge-dependabot-pull-requests

Comment the pull request with @dependabot rebase to trigger the workflow where github..actor = dependabot[bot]

What are the expected results?
The pull request was merged

What are the actual results?
The action reports success ✅ , the pull-request was not merged, but this message is logged to the action console:

An error occurred while merging the Pull Request. This is usually caused by the base branch being out of sync with the target branch. In this case, the base branch must be rebased. Some tools, such as Dependabot, do that automatically.

How much does it hurt?
The action does not seem to work.

What do you want to achieve?
Add some logic to prevent the action to approve a PR multiple times as seen here https://github.com/ridedott/test-workflows/pull/4

What is the current way of working?
Currently there is no logic to prevent this behaviour in the action

How much does it hurt?
A lot of unnecessary approvals makes the PR messy

What do you want to achieve?
Some repos like functions relies on status as well as on check_suite events.

What is the current way of working?
Currently there is no handler for status changes

How much does it hurt?
This action will not be accommodating to the needs of repos like functions

How would you describe the issue?

We are using this action to auto-merge dependabot PRs, and this has been consistently working well for us (thanks!). This morning, I had some dependabot PRs that passed all checks but weren't being auto-merge. Our github action that auto-merges was failing with this error:

Run ridedott/merge-me-action@v2
  with:
    GITHUB_TOKEN: ***
    GITHUB_LOGIN: dependabot
    ENABLE_GITHUB_API_PREVIEW: false
    MERGE_METHOD: SQUASH
    ENABLED_FOR_MANUAL_CHANGES: false
    MAXIMUM_RETRIES: 3
Automatic merges enabled for GitHub login: dependabot.
Error: An unexpected error occurred: Cannot read property 'endCursor' of undefined, TypeError: Cannot read property 'endCursor' of undefined
    at makeGraphqlIterator (/home/runner/work/_actions/ridedott/merge-me-action/v2/webpack:/@ridedott/merge-me-action/src/common/makeGraphqlIterator.ts:50:1)
    at process.node (internal/process/task_queues.js:93:5)
    at branchProtectionRules (/home/runner/work/_actions/ridedott/merge-me-action/v2/webpack:/@ridedott/merge-me-action/src/common/listBranchProtectionRules.ts:50:1)
    at continuousIntegrationEndHandle (/home/runner/work/_actions/ridedott/merge-me-action/v2/webpack:/@ridedott/merge-me-action/src/eventHandlers/continuousIntegrationEnd/index.ts:80:1).

I'm guessing the latest release of this action broke something.

How can we reproduce the issue?

It looks like it is happening on all of our repos that use this action, so it should be easy to repeat. Here is the bit of our yml file that uses the action:

merge-me:
    name: Merge me!
    runs-on: ubuntu-latest
    steps:
      - name: Merge me!
        if: ${{ github.event.workflow_run.conclusion == 'success' }}
        uses: ridedott/merge-me-action@v2
        with:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

What are the expected results?

There shouldn't be an error while using the action.

What are the actual results?

The error is preventing the action from working correctly.

How much does it hurt?

This appears to be breaking the action.

How would you describe the issue?

From this commit: 40e52df
I get the following error (full log):

Run ridedott/dependabot-auto-merge-action@master
  with:
    GITHUB_TOKEN: ***
    GITHUB_LOGIN: dependabot
    ENABLE_GITHUB_API_PREVIEW: false
    MERGE_METHOD: SQUASH
    ENABLED_FOR_MANUAL_CHANGES: false
    MAXIMUM_RETRIES: 3
/home/runner/work/_actions/ridedott/dependabot-auto-merge-action/master/dist/index.js.cache.js:25
 */const s=r(5680);const toRegexRange=(e,t,r)=>{if(s(e)===false){throw new TypeError("toRegexRange: expected the first argument to be a number")}if(t===void 0||e===t){return String(e)}if(s(t)===false){throw new TypeError("toRegexRange: expected the second argument to be a number.")}let o={relaxZeros:true,...r};if(typeof o.strictZeros==="boolean"){o.relaxZeros=o.strictZeros===false}let n=String(o.relaxZeros);let i=String(o.shorthand);let a=String(o.capture);let u=String(o.wrap);let c=e+":"+t+"="+n+i+a+u;if(toRegexRange.cache.hasOwnProperty(c)){return toRegexRange.cache[c].result}let l=Math.min(e,t);let p=Math.max(e,t);if(Math.abs(l-p)===1){let r=e+"|"+t;if(o.capture){return`(${r})`}if(o.wrap===false){return r}return`(?:${r})`}let d=hasPadding(e)||hasPadding(t);let m={min:e,max:t,a:l,b:p};let g=[];let h=[];if(d){m.isPadded=d;m.maxLen=String(m.max).length}if(l<0){let e=p<0?Math.abs(p):1;h=splitToPatterns(e,Math.ab

SyntaxError: Unexpected token '?'
    at new Script (vm.js:84:7)
    at Object.<anonymous> (/home/runner/work/_actions/ridedott/dependabot-auto-merge-action/master/dist/index.js:6:16)
    at Module._compile (internal/modules/cjs/loader.js:959:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:995:10)
    at Module.load (internal/modules/cjs/loader.js:815:32)
    at Function.Module._load (internal/modules/cjs/loader.js:727:14)
    at Function.Module.runMain (internal/modules/cjs/loader.js:1047:10)
    at internal/main/run_main_module.js:17:11

How can we reproduce the issue?

On action run with the following workflow:

---
name: Auto merge Dependabot updates

on:
  workflow_run:
    workflows:
      - Continuous integration
    types:
      - completed

jobs:
  auto-merge:
    name: Auto merge Dependabot updates
    runs-on: ubuntu-18.04
    timeout-minutes: 5
    steps:
      - name: Auto merge
        uses: ridedott/dependabot-auto-merge-action@master
        with:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

What are the expected results?

No error

What are the actual results?

The CI fail every time (if she has something to merge to review or nothing to do)...

How much does it hurt?

The action becomes unusable

The action runs on checksuite-success. It retries three times and fails on each.
Doing a dependabot recreate triggers automerge correctly, and the rebasing of other open dependabot prs closes other PRs successfully too.

It fails on with the following error message:

Run ridedott/dependabot-auto-merge-action@master
Found pull request information: {"reviewEdges":[{"node":{"state":"APPROVED"}}]}.
##[error]An unexpected error occurred: (e || "").replace is not a function, TypeError: (e || "").replace is not a function
    at escapeData (evalmachine.<anonymous>:1:65447)
    at Command.toString (evalmachine.<anonymous>:1:65373)
    at issueCommand (evalmachine.<anonymous>:1:64866)
    at Object.issue (evalmachine.<anonymous>:1:64935)
    at Object.error (evalmachine.<anonymous>:1:91320)
    at Object.t.pullRequestHandle (evalmachine.<anonymous>:1:117513)
    at processTicksAndRejections (internal/process/task_queues.js:93:5).
##[error]Node run failed with exit code 1

What are the expected results?

It should work on initial try.

What are the actual results?

PRs are not properly merged on the initial try, but the Checksuite is all green. It retries 3 times and then fails.
Rebasing or recreating the PR with dependabot recreate in chat resolves the issue as shown in the pr example below.

How much does it hurt?

Telling Dependabot to recreate takes as long as merging with admin privileges. Therefore the action does not smooth anything when this bug occurs.

Further Links:

An example failing Action and the corresponding failing example PR.

The Action YML Is the default.

How would you describe the issue?

From little time ago I get the following error:

Automatic merges enabled for GitHub login: dependabot-preview[bot].
Found pull request information: {"reviewEdges":[]}.
##[warning]MERGE_METHOD value input is ignored because its malformed, defaulting to SQUASH.
##[error]GraphqlError: 2 of 2 required status checks have not succeeded: 1 expected.

I suspect this dependency update:
d9046ac

How can we reproduce the issue?

Used workflow:
https://github.com/camptocamp/ngeo/blob/master/.github/workflows/dependabot-auto-merge.yaml

What are the expected results?

Validate the PR

What are the actual results?

Error in workflow

How much does it hurt?

The action doesn't work anymore...

How would you describe the issue?

We have a bot that updates dependencies once a week and it creates PRs in quick succession.
Once the first PR is merged automatically, other PRs see mergeableState: UNKNOWN for a short while.
Sometimes you can even observe that in the GitHub UI (the merge button is greyed out).
We tried increasing the MAXIMUM_RETRIES, but it looks like the action is not retrying in this case.

How can we reproduce the issue?

I'm not sure if it can be reproduced manually without a bot.
But basically create multiple PRs in quick succession.
Here is an example run: https://github.com/moia-dev/scynamo/runs/1548816898#step:2:7

What are the expected results?

Retry on mergeableState: UNKNOWN according to the MAXIMUM_RETRIES setting.

What are the actual results?

AFAICT there were no retries in that run.

How much does it hurt?

Unfortunately this problem breaks our use case.

What do you want to achieve?
Find a way to prevent that test files are included in the dist output generated by ncc

What is the current way of working?
ncc reads the tsconfig.json file and it includes the tests.

How much does it hurt?
Test files should not be added to build!

How would you describe the issue?

An error occurs when auto-merge is attempted since v2.9.31 (and the corresponding bump of the v2 tag).

How can we reproduce the issue?

Push a new commit that leads to an action execution with an auto-merge step.

What are the expected results?

Auto-merge being executed.

What are the actual results?

The following error is observed:

Run ridedott/merge-me-action@v2
  with:
    GITHUB_LOGIN: <redacted>
    MERGE_METHOD: SQUASH
    GITHUB_TOKEN: ***
    ENABLE_GITHUB_API_PREVIEW: false
    ENABLED_FOR_MANUAL_CHANGES: false
    MAXIMUM_RETRIES: 3
  env:
    ACR_RELEASE: <redacted>.azurecr.io
/home/runner/work/_actions/ridedott/merge-me-action/v2/dist/index.js.cache.js:25
 */const s=r(5680);const toRegexRange=(e,t,r)=>{if(s(e)===false){throw new TypeError("toRegexRange: expected the first argument to be a number")}if(t===void 0||e===t){return String(e)}if(s(t)===false){throw new TypeError("toRegexRange: expected the second argument to be a number.")}let o={relaxZeros:true,...r};if(typeof o.strictZeros==="boolean"){o.relaxZeros=o.strictZeros===false}let n=String(o.relaxZeros);let i=String(o.shorthand);let a=String(o.capture);let u=String(o.wrap);let c=e+":"+t+"="+n+i+a+u;if(toRegexRange.cache.hasOwnProperty(c)){return toRegexRange.cache[c].result}let l=Math.min(e,t);let p=Math.max(e,t);if(Math.abs(l-p)===1){let r=e+"|"+t;if(o.capture){return`(${r})`}if(o.wrap===false){return r}return`(?:${r})`}let d=hasPadding(e)||hasPadding(t);let m={min:e,max:t,a:l,b:p};let g=[];let h=[];if(d){m.isPadded=d;m.maxLen=String(m.max).length}if(l<0){let e=p<0?Math.abs(p):1;h=splitToPatterns(e,Math.abs(l),m,o);l=m.a=0
SyntaxError: Unexpected token '?'
    at new Script (vm.js:84:7)
    at Object.<anonymous> (/home/runner/work/_actions/ridedott/merge-me-action/v2/dist/index.js:6:16)
    at Module._compile (internal/modules/cjs/loader.js:959:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:995:10)
    at Module.load (internal/modules/cjs/loader.js:815:32)
    at Function.Module._load (internal/modules/cjs/loader.js:727:14)
    at Function.Module.runMain (internal/modules/cjs/loader.js:1047:10)
    at internal/main/run_main_module.js:17:11

How much does it hurt?

We can specify the previous working version 2.9.30 to be used, but tag v2 is currently not working for us.

How would you describe the issue?

The action is not working anymore. It doesn't merge depedabot PRs

How can we reproduce the issue?

Example of failure: https://github.com/char0n/json-api-merge/pull/224/checks?check_run_id=2063134861

What are the expected results?

The action merges the PR

What are the actual results?

Action fails on

/home/runner/work/_actions/ridedott/merge-me-action/master/node_modules/@actions/github/lib/internal/utils.js:23
const httpClient = __importStar(require("@actions/http-client"));

How much does it hurt?

A lot ;]

Hi there! I recently installed this action on a couple of my repos and noticed that the action fails to correctly recognise PRs opened by dependabot. I believe there’s a bug in this line:

commitAuthorName should be updated to authorLogin; in my case, commitAuthorName is logged as Daniel Eden (my name), whereas authorName is logged as dependabot (the allowed merge username). See this run log for details.

How would you describe the issue?

How can we reproduce the issue?

What are the expected results?

What are the actual results?

How much does it hurt?

Dependabot couldn't authenticate with npm.pkg.github.com/ridedott.

Dependabot tried to authenticate with the details you previously provided, but authentication failed. If they are no longer valid you will need to provide Dependabot with new credentials.

You can provide authentication details in your Dependabot dashboard by clicking into the account menu (in the top right) and selecting 'Config variables'.

View the update logs.