Consolidating Dependabot PRs by cherry-picking commits
2023-07-10

Overwhelmed by Dependabot PRs every week? Instead of approving, deploying, and merging them one by one, you can consolidate them into one PR. Here’s how to do it.

Note: The public beta of grouped version updates for Dependabot is coming soon, but I think this is still useful on certain occasions.

First, check out a new branch:

git checkout -b "lowply/dependabot-rollup-$(date +%Y-%m-%d)"

Next, collect the commit SHAs of the open Dependabot PRs. Thanks to the GitHub GraphQL API, this takes just one API request:

OWNER="owner"
REPO="repo"
LABEL="dependencies"
STATUS="OPEN"
COMMITS=$(gh api graphql -F owner="${OWNER}" -F name="${REPO}" -F labels="${LABEL}" -F states="${STATUS}" -f query='
    query($name: String!, $owner: String!, $labels: [String!], $states: [PullRequestState!]) {
      repository(owner: $owner, name: $name) {
        pullRequests(first: 100, labels: $labels, states: $states) {
          nodes {
            title,
            commits (first: 100) {
              nodes {
                commit {
                  oid
                }
              }
            }
          }
        }
      }
    }
' | jq -r '.data.repository.pullRequests.nodes[].commits.nodes[].commit.oid')

Then cherry-pick these commits:

git cherry-pick ${COMMITS}

If there’s a conflict, fix it. But if the conflict is in a package lockfile such as package-lock.json or yarn.lock, don’t try to fix it by hand. Instead, run npm i or yarn to regenerate the lockfile; that resolves the conflict automatically.

Finally, create a PR.

gh pr create --title "Dependabot rollup $(date +%Y-%m-%d)" --body "Consolidating [open dependabot PRs](https://github.com/${OWNER}/${REPO}/pulls/app%2Fdependabot)."
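The cherry-pick step above, written out as a small script that applies the lockfile rule automatically; this is an added example, not code from the original post. Note that the post's query selects by label, so any open PR carrying the dependencies label is included, not only Dependabot's, so check the SHA list before running this. It assumes git plus npm or yarn on PATH, that COMMITS was collected by the query above, and the function names are ours.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: drive the cherry-pick step one SHA
# at a time. A conflict that touches only a package lockfile is resolved by
# regenerating the lockfile (as the post describes); any other conflict stops
# the loop for manual resolution.
# Assumes git plus npm or yarn on PATH; COMMITS comes from the post's query.
set -eu

# Return 0 when every path in "$1" (whitespace-separated) is a package lockfile.
# Assumption: only the npm and yarn lockfiles named in the post count.
lockfile_only_conflict() {
  [ -n "$1" ] || return 1
  for p in $1; do
    case "$(basename "$p")" in
      package-lock.json|yarn.lock) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# Pick the package manager from the lockfile present in directory "$1".
package_manager() {
  if [ -f "$1/yarn.lock" ]; then echo yarn; else echo npm; fi
}

# Cherry-pick each SHA; on a lockfile-only conflict rebuild the lockfile and
# continue, otherwise stop and report the conflicted paths.
rollup_cherry_pick() {
  local sha conflicted
  for sha in "$@"; do
    git cherry-pick "$sha" && continue
    conflicted=$(git diff --name-only --diff-filter=U | tr '\n' ' ')
    if lockfile_only_conflict "$conflicted"; then
      "$(package_manager .)" install   # regenerate instead of hand-merging
      git add -- $conflicted
      GIT_EDITOR=true git cherry-pick --continue
    else
      echo "manual resolution needed for $sha: $conflicted" >&2
      return 1
    fi
  done
}

# Usage, after collecting SHAs with the post's query:
# rollup_cherry_pick $COMMITS
```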

I do this in my team very often and it works well in most cases. Resolving conflicts is usually very straightforward.