Feature request: Run updates locally

[infinisil]

I'd like to have an easy command to run updates locally, such that the local files are updated as if all resulting dependabot PRs were merged.

This might look like

dependabot local-update github_actions .

resulting in

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 233d7dd..36d9200 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -8,7 +8,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - uses: cachix/install-nix-action@v26

It's currently possible to do that, but it requires some extra machinery that I'd rather avoid, see this script.

[jakecoffman]

Yes it would be useful to apply updates directly the the filesystem, we've been kicking that idea around for a while but haven't put it together yet.

In the meantime you could simplify your script using a group, that way Dependabot only produces one PR. No need for a loop.

cat <<EOF > input.yml
job:
  package-manager: "github_actions"
  source:
    directory: "/"
    provider: github
    repo: not/used
  dependency-groups:
    - name: actions
      rules:
        patterns:
          - "*"
EOF

dependabot update -f input.yml --local $REPO

[infinisil]

Oh nice, thanks! Note that it doesn't seem to work without an allowed-updates entry (the error message could be better):

updater | 2024/04/10 21:43:59 ERROR Error during file fetching; aborting: T.let: Expected type T::Array[T.untyped], got type NilClass
updater | Caller: /home/dependabot/dependabot-updater/lib/dependabot/job.rb:134

But it works if I add it:

job:
  package-manager: "github_actions"
  allowed-updates:
    - update-type: all
  source:
    directory: "/"
    provider: github
    repo: not/used
  dependency_groups:
    - name: actions
      rules:
        patterns:
          - "*"