dependabot labeled PRs do not add to project

[gkwan-ibm]

I created a action:

name: Add PRs to Dependabot PRs dashboard

on:
  pull_request:
    types:
      - labeled

jobs:
  add-to-project:
    name: Add PR to dashboard
    runs-on: ubuntu-latest
    steps:
      - uses: actions/[email protected]
        with:
          project-url: https://github.com/orgs/...
          github-token: ${{ secrets.ADMIN_BACKLOG }}
          labeled: dependencies

This action works to add the PR to the project if I manually add the dependencies label.
But, the dependabot created PRs (the Bump PRs) do not automatically add to the project.

[gkwan-ibm]

Seems to be this reason.

Error: Input required and not supplied: github-token

[gkwan-ibm]

The dependabot creates branch and PR in the repo, not from a fork, why the above action does not work?

[surchs]

from the docs: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#using-the-github_token-in-a-workflow

When you use the repository's GITHUB_TOKEN to perform tasks, events triggered by the GITHUB_TOKEN, with the exception of workflow_dispatch and repository_dispatch, will not create a new workflow run. This prevents you from accidentally creating recursive workflow runs. For example, if a workflow run pushes code using the repository's GITHUB_TOKEN, a new workflow will not run even when the repository contains a workflow configured to run when push events occur.

So if you want to respond to events that are triggered by bots you have two options:

• use a personal access token so the event is triggered by you (not the bot)
• look for the output of the bot action at a regular interval https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#schedule

[gkwan-ibm]

The token I used is my personal token. Again, manually label PR works fine.

The question is "Why the dependabot labeled PRs (the Bump PRs) does not work?"

[surchs]

The token I used is my personal token

ah, my bad

Why the dependabot labeled PRs (the Bump PRs) does not work?

you cannot have a bot apply a label and then have the https://docs.github.com/en/webhooks/webhook-events-and-payloads?actionType=labeled#pull_request event trigger another workflow. So likely your issue is that the label is applied by dependabot. Our workaround is as I mentioned to have a cron job do this: https://github.com/neurobagel/planning/blob/3790a983b3c6aacf7eaabef05895b68cd200b99a/.github/workflows/global_move_bot_pr_to_board.yml

[gkwan-ibm]

How's about opened? I tried it and also not work. Same reason?

on:
  pull_request:
    types:
      - opened

[mikebell]

@surchs did you find another solution to this? I had a look round some of the neurobagal repos and I can see your not using it anymore. Did it not work as expected? I'm currently trying find a solution to adding dependabot prs from around 20-30 repos to a project.

[surchs]

Hey @mikebell, we now have a dedicated workflow to label pre-commit PRs and applies a label: https://github.com/neurobagel/workflows/blob/4a81101e34ba511d085ac9184172e6550ad3835b/template_workflows/project_automation/handle_external_pr.yml

here is the specific job that does it:

https://github.com/neurobagel/workflows/blob/4a81101e34ba511d085ac9184172e6550ad3835b/template_workflows/project_automation/handle_external_pr.yml#L22-L30

all it does is filter based on the PR title. Hope that helps