Year 2018 was an eye-opening year for me as an OSS project maintainer. The reason is due to the emerge of GitHub bots.

Maintaining a project on GitHub could be a challenging task, especially when the project becomes popular. Issue management, releases, follow-ups, dependency management, oh my!
But, as most of the developers, we’re lazy enough and spend time automating things.

Dependabot

https://github.com/apps/dependabot

There are many nice bots, but Dependabot is a real “Good Boy Bot”!

Have you ever discovered that one of your dependencies is so outdated, that you can’t just change it to the latest version, but instead you need to painfully update the version of it release-by-release?
Perhaps you never update your dependencies? =P

Anyways, Dependabot is one of the easiest wins from the bots, but the win is huge!
From Dependabot’s website:

Dependabot creates pull requests to keep your dependencies secure and up-to-date.

Yup, that’s it. But behind this simple statement is a great effort done by developers of this wonderful project!

It will automatiically discover your project’s type and the locations of dependency definitions. You’re using NodeJS with NPM or YARN? Easy!
Maybe Golang with go.mod / dep?
Feeling Rust-y? =P
Ever updated Dockerfile’s base image?
Or you like to challenge the bots and your project’s dependencies are managed with imperative Gradle scripts?

All these and many more platforms are supported by Dependabot:
https://dependabot.com/#languages

This is how a PR may look like:

It will also work if the version is defined as a property, or managed with Spring’s Dependency Management Plugin.

You receive PRs automatically, every day or week (how you configure it).
You may instruct it to automatically merge the PR if it passed all checks (e.g. CI status).

Recently they added a “configuration as code” option with YAML file:

# .dependabot/config.yml

# See https://github.com/dependabot/feedback/issues/70 for current (beta) configurability
version: 1
update_configs:
  - package_manager: "java:gradle"
    directory: "/core"
    update_schedule: "daily"

  - package_manager: "java:maven"
    directory: "/examples"
    update_schedule: "daily"
    automerged_updates:
      - match: { dependency_type: "development", update_type: "all" }
      - match: { dependency_type: "production", update_type: "all" }

After we added Dependabot to the Testcontainers project we received more than 100 PRs from Dependabot and now I can’t imagine updating those dependencies by hands.

Release Drafter

https://github.com/apps/release-drafter

Having proper release changelogs is very important for any OSS project. Otherwise, what motivates people to update their dependency? (well, unless they use Dependabot 😜)

Release Drafter is an Open Source, Probot-based bot for drafting your next release notes as pull requests are merged into master.

Here is an example of a release draft generated by the Release Drafter bot:

Thanks to Richard North’s contribution you can even template the version!
Here is an example config from Testcontainers (the exact config it used to generate the notes from a previous screenshot):

# .github/release-drafter.yml
name-template: $NEXT_PATCH_VERSION
tag-template: $NEXT_PATCH_VERSION
template: |
    # What's Changed
    $CHANGES
categories:
  - title: 🚀 Features
    label: type/feature
  - title: 🐛 Bug Fixes
    label: type/bug
  - title: 📖 Documentation
    label: type/docs
  - title: 📦 Dependency updates
    label: dependencies

As you can see, you can use your own labels & titles to categorize the changes. How cool is that?

Delete Merged Branch

https://github.com/apps/delete-merged-branch

This bot is an ultra simple one, yet very helpful to keep your repository clean.

Although GitHub displays “Delete merged branch” button after you merge a PR originated from the same repo, people tend to forget to do it.
The result: a lot of stale branches. And it ain’t helping reading your repository!

From the bot’s description:

A GitHub app that automatically deletes a branch after it’s merged. That’s it, enjoy!

Stale

https://github.com/apps/stale/

It is joyful to see people submitting their usage, issues or PRs to your project… unless it is not 😅

Some issues are invalid, require more input or not valid anymore.
Some PRs never get finished by the authors, and it is okay.

But it is not okay to keep them forever, because it will create a false feeling that the project has a lot of issues, or that the maintainers are never merge the PRs.

Stale is another Probot-based bot. It solves the issue very elegantly by “pinging” the authors after a configurable period of time, and closes unanswered issues automatically:

There are enough options to make it user-friendly and personalize it:

# .github/stale.yml

# Number of days of inactivity before an issue becomes stale
daysUntilStale: 60
# Number of days of inactivity before a stale issue is closed
daysUntilClose: 7
# Issues with these labels will never be considered stale
exemptLabels:
  - pinned
  - security
# Label to use when marking an issue as stale
staleLabel: wontfix
# Comment to post when marking an issue as stale. Set to `false` to disable
markComment: >
  This issue has been automatically marked as stale because it has not had
  recent activity. It will be closed if no further activity occurs. Thank you
  for your contributions.
# Comment to post when closing a stale issue. Set to `false` to disable
closeComment: false

Conclusion

Thanks to GitHub’s apps platform, adding bots to your project is super easy and can be done with a few clicks in UI.

But the amount of time the Testcontainers team saved is incredible, and I am not sure that without them we would be able to maintain this popular (2k stars, probably nothing for NodeJS repos, but indeed something for Java) project with the same speed as we did with.

Not to mention that all these bots are free for the OSS projects!

P.S.

Take a look at Probot’s apps catalog, there are many more:
http://probot.github.io/apps/