Automating Drupal release notes in Dependabot PRs

I maintain drupal-mrn.dev, a tool widely used by maintainers to generate release notes for Drupal modules. It simplifies the changelog process, but consuming those notes has remained a manual step for site architects reviewing updates.

Recently, while reviewing Dependabot updates for this blog, I noticed a functional gap. When Dependabot bumps a package hosted on GitHub, it embeds the release notes directly into the Pull Request description. However, packages served from git.drupalcode.org lack this context. You see a version change, but no description of what changed, what was fixed, or what broke.

I decided to leverage the existing drupal-mrn APIs to solve this. I’ve released a new GitHub Action, mglaman/dependabot-drupal-mrn, which injects Drupal-specific release notes into your Dependabot PRs.

Easy dependency updates, problematic reviews

Dependabot is excellent at parsing metadata from GitHub releases. It fails to provide context for Drupal modules because the upstream source isn't a GitHub repository with standard Release entities.

Without this automation, reviewing a module update requires:

  • Noting the version change in the PR title or description.
  • Navigating to the project page on Drupal.org.
  • Locating the specific release notes.
  • Parsing the issues – assuming the maintainer actually listed all the issues for the release.

This friction discourages thorough review.

Automatically getting release notes to make reviews faster

I built dependabot-drupal-mrn to automate retrieving this data.

This action runs on Pull Requests opened by Dependabot. It parses the diff to identify updated Drupal packages, queries the drupal-mrn API for the relevant release note data, and appends the formatted notes to the PR description.

How to use it in your workflow

To implement this, add a new workflow file (.github/workflows/dependabot-drupal.yml) to your repository.

The workflow should trigger on pull_request events and specifically target PRs created by the dependabot[bot] actor.

name: Drupal Release Notes for Dependabot

on:
  pull_request:
    types: [opened, synchronize]

permissions:
  pull-requests: write
  contents: read

jobs:
  add-release-notes:
    runs-on: ubuntu-latest
    # Optimization: Only run for Dependabot PRs
    if: github.actor == 'dependabot[bot]'
    steps:
      - name: Add Drupal release notes
        uses: mglaman/dependabot-drupal-mrn@v1
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

How it works

The action operates on the following logic:

  • It verifies that it is running in a PR context.
  • It checks the Dependabot metadata to determine which Drupal packages are being updated (for example, drupal/webform from 6.1.0 to 6.2.0).
  • It sends a request to drupal-mrn.dev to fetch the release notes for the target version.
  • It uses the GitHub API to update the PR body, appending the formatted notes.
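
The parsing and PR-body steps above, sketched as an added example (not the action's own source); the request to drupal-mrn.dev is left out because the page does not document that API. Reading the bump from the Dependabot PR title, the allowlist patterns, and the marker comments are assumptions made for illustration.

```javascript
// Added example; not the action's source code.
// Assumption: package and versions are read from Dependabot's PR title,
// "Bump <package> from <old> to <new>" (optionally followed by " in <dir>").
const TITLE = /\bbump (\S+) from (\S+) to (\S+)(?: in \S+)?$/i;
// Allowlists: the parsed values end up in an outbound request, so reject
// anything that is not a plain drupal/<project> name or a plain version.
const PACKAGE = /^drupal\/[a-z0-9][a-z0-9_]*$/;
const VERSION = /^\d+\.\d+\.\d+(?:-(?:alpha|beta|rc)\d+)?$/;
// Hypothetical markers delimiting the block this job owns in the PR body.
const START = '<!-- drupal-release-notes:start -->';
const END = '<!-- drupal-release-notes:end -->';

function parseDependabotTitle(title) {
  const m = TITLE.exec(String(title).trim());
  if (!m) return null;
  const [, pkg, from, to] = m;
  if (!PACKAGE.test(pkg) || !VERSION.test(from) || !VERSION.test(to)) return null;
  return { project: pkg.slice('drupal/'.length), from, to };
}

function upsertNotes(body, notes) {
  // Release notes are remote content: escape comment openers so they cannot
  // forge the markers and confuse the next run.
  const safe = String(notes).replace(/<!--/g, '&lt;!--').trim();
  const block = `${START}\n${safe}\n${END}`;
  const s = body.indexOf(START);
  const e = body.indexOf(END, s + START.length);
  // The workflow fires on both opened and synchronize, so replace the
  // previous block instead of appending a second copy.
  if (s !== -1 && e !== -1) {
    return body.slice(0, s) + block + body.slice(e + END.length);
  }
  return `${body.trimEnd()}\n\n${block}\n`;
}

// Constructed sample data.
const bump = parseDependabotTitle('Bump drupal/webform from 6.1.0 to 6.2.0');
const first = upsertNotes('Bumps drupal/webform from 6.1.0 to 6.2.0.',
  `Notes for ${bump.project} ${bump.to}`);
const second = upsertNotes(first, `Notes for ${bump.project} ${bump.to} (refreshed)`);
console.log(bump, second);
```
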

Get the action on the GitHub Marketplace: mglaman/dependabot-drupal-mrn.