Does anyone know a way to avoid conflicts when using Dependabot?
I’ve set up auto-merge (with Dependabot Preview, the old one), but when the bot runs once per week and finds each time multiple updates within just few minutes, PRs often have conflicting composer.lock
versions and auto-merging won’t be possible for the bot.
Introducing a delay of 10-15 minutes between PRs has been one idea of mine; a PR would get auto-merged before the next one is raised, thus avoiding conflicting files, but I haven’t found any way of doing that.
The conflicts are always with content-hash
of composer.lock
. It’s been discussed in this stackoverflow post, and I guess there’s no realistic way of avoiding the conflict, other than having enough time between PRs so that auto-merge gets it’s job done. I rather keep composer.lock
in version control.
Live / continuous checks would raise PRs as new plugin versions become available, thus reducing the likelyhood of conflicts, but it causes constant noise - I rather book a weekly slot in calendar to run updates, tests, deploys, etc.
There are probably other bots that take care of auto-merging, but I ventured there yet.
The problem is annoying, as @dependabot rebase
takes a long of time (sometimes a loooooong time) and has to be run way too often.