Hey there Netlify community!
I’m trying to configure my Netlify builds to ignore PRs opened by Dependabot.
I found this blog post describing how to do it, but it didn’t seem to work.
My app is open source so you can see a recent build. If you +F for “ignore” you’ll see
5:08:28 PM: Detected ignore command in Netlify configuration file. Proceeding with the specified command: ‘git log -1 --pretty=%B | grep dependabot’
…and yet, the build proceeded.
I’d love any help diagnosing this + figuring out how to configure these builds to stop! They’re really eating up our monthly resources.
Thanks!
luke
July 6, 2020, 5:34am
2
Hi, @samselikoff, I think it is because there is no local branch for the PR and so the command is exiting with a 1 (which continues the build) instead of the expected exit code of 0 (which grep will use if there are any matching lines).
Here is what I see in testing:
$ git clone <repo url here>
Cloning into 'site'...
remote: Enumerating objects: 6, done.
remote: Counting objects: 100% (6/6), done.
remote: Compressing objects: 100% (4/4), done.
remote: Total 4649 (delta 3), reused 2 (delta 2), pack-reused 4643
Receiving objects: 100% (4649/4649), 46.77 MiB | 10.58 MiB/s, done.
Resolving deltas: 100% (3077/3077), done.
$ cd site
$ git fetch origin pull/764/head
From https://github.com/miragejs/site
* branch refs/pull/764/head -> FETCH_HEAD
$ git log -1 --pretty=%B | grep dependabot ; echo $?
1
The exit code above is 1 which, again, will continue, not cancel, a build because there were no matching lines.
The following might work though:
$ git checkout -b pullrequest FETCH_HEAD ; git log -1 --pretty=%B | grep dependabot ; echo $?
fatal: A branch named 'pullrequest' already exists.
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
0
So (removing the exit code test echo command), this would be:
git checkout -b pullrequest FETCH_HEAD ; git log -1 --pretty=%B | grep dependabot
Would you please test making that line above the build.ignore command?
If that doesn’t work or if there are any questions, please let us know.
Ah, I see. (Just curious, how were you able to see that git fetch origin pull/764/head is what Netlify does during its build, rather than checking out a branch?)
Will give this a shot! Thanks for the fast response
Hey @luke , here’s a PR build from last night:
It looks like Netlify still built the Dependabot PR.
Any other ideas?
Scott
July 7, 2020, 12:54pm
6
Hey @samselikoff ,
Hmm, maybe we’ll try something else! How about this suggestion from our very own Marcus?
You could also customise Dependabot’s commit message to include [skip ci] or [skip netlify], too!
Thanks for the link! I think Marcus’ suggestion of
git log -1 --pretty=%B | grep dependabot
was the same I tried originally from the blog post. And here you can see an example where the command was picked up but it didn’t work.
I didn’t know you could customize Dependabot’s commit messages. I did some digging on how to do that but couldn’t find anything, either in GitHub’s app integration settings or on dependabot.com. Could you point me to some instructions on how to do that?
Scott
July 7, 2020, 2:23pm
8
Hey @samselikoff ,
That’s gonna be this handy doc right here if you’re using the non-native Dependabot or this for the native version!
Oh awesome! Missed this one.
Gonna give it a shot!
Looks like it worked!!
miragejs:master
← miragejs:dependabot/npm_and_yarn/gatsby-2.23.22
opened 07:49PM - 07 Jul 20 UTC
Bumps [gatsby](https://github.com/gatsbyjs/gatsby) from 2.23.21 to 2.23.22.
Thanks @Scott , I think this should be the accepted answer.
I also think the original blog post I linked to should probably be updated, because (1) it’s an official Netlify guide & tutorial, (2) I don’t believe it works as stated (as others said in the other thread), and (3) it’s one of the first search results that comes up when you search for “Netlify and Dependabot”.
Thank you so much for your help!
Question: Once I merge a PR into master, I do want Netlify to build + deploy my site.
Can you think of how to do this, where the [skip netlify] prefix is in the commit message but Netlify always builds/deploys on the master branch?
Scott
July 7, 2020, 11:04pm
12
We can’t circumvent the [skip ci/netlify] ignore, unfortunately! Is it not possible to update the commit message when merging?
If not, we’d be back to using a script and deploy contexts.
Hm that would be possible but most Dependabot PRs are auto merged. So I think that means I should explore the script approach.
I’ve never seen the script approach, do you have a guide or example you could point me to there?
Scott
July 9, 2020, 9:43am
14
Hey @samselikoff, it’s similar to Marcus’ suggestion above which you’ve tried, only in a script! This is what I envision and you can even try the ‘exit 0’ script first to ensure that a Dependabot-specific script is going to work.
Another suggestion is to write a build plugin that cancels the build based on your criteria.
Here’s some untested pseudo-code:
module.exports = {
  onPreBuild: ({ utils }) => {
    if (utils.git.commits[0].committer.name.includes('dependabot')) {
      utils.build.cancelBuild('Cancelling dependabot PR.')
    }
  },
}
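
The script approach discussed in this thread, as an added example that is not code from any poster or from Netlify: it skips Dependabot commits everywhere except the production branch, using the exit codes described above (0 cancels, 1 continues). It assumes Netlify's `BRANCH` and `COMMIT_REF` build variables are visible to the ignore command and that `master` is the production branch; the file name `netlify-ignore.sh` and the `--run` flag are hypothetical.

```shell
#!/bin/sh
# Added example (constructed): ignore script for Netlify's build.ignore.
# Exit status as described in the thread: 0 cancels the build, 1 continues.
# netlify.toml (file name and --run flag are hypothetical):
#   [build]
#     ignore = "sh ./netlify-ignore.sh --run"

PRODUCTION_BRANCH="master"   # assumption: the branch that must always deploy

# should_skip BRANCH AUTHOR MESSAGE -> returns 0 to skip, 1 to build.
# Author name and trailers are chosen by whoever creates the commit, so this
# is a cost filter only; nothing that needs trust should depend on it.
should_skip() {
  branch=$1 author=$2 message=$3
  # Auto-merged Dependabot commits on the production branch still deploy.
  [ "$branch" = "$PRODUCTION_BRANCH" ] && return 1
  case "$author" in
    *dependabot*) return 0 ;;
  esac
  # Fall back to the Signed-off-by trailer seen in the thread's grep output.
  if printf '%s\n' "$message" | grep -qi '^Signed-off-by: dependabot'; then
    return 0
  fi
  return 1
}

# Inspect the commit Netlify is building ($COMMIT_REF) instead of relying on
# whatever HEAD points at in the build checkout. If git cannot resolve the
# ref, both fields are empty and the build continues.
ignore_from_git() {
  ref=${COMMIT_REF:-HEAD}
  should_skip "${BRANCH:-}" \
    "$(git log -1 --pretty=%an "$ref")" \
    "$(git log -1 --pretty=%B "$ref")"
}

if [ "${1:-}" = "--run" ]; then
  if ignore_from_git; then
    echo "Dependabot commit on ${BRANCH:-unknown branch}: skipping build"
    exit 0
  fi
  exit 1
fi
```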