From 8545e5aed7204786b1da605d13e2d47572c96d42 Mon Sep 17 00:00:00 2001
From: Daz DeBoer <daz@gradle.com>
Date: Tue, 27 Sep 2022 07:53:44 -0600
Subject: [PATCH] Document the process to merge Dependabot upgrades

---
 CONTRIBUTING.md | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 CONTRIBUTING.md

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
new file mode 100644
index 0000000..677c94a
--- /dev/null
+++ b/CONTRIBUTING.md
@@ -0,0 +1,14 @@
+### How to merge a Dependabot PR
+
+The "distribution" for a GitHub Action is checked into the repository itself. 
+In the case of the `gradle-build-action`, the transpiled sources are committed to the `dist` directory. 
+Any production dependencies are inlined into the distribution. 
+So if a Dependabot PR updates a production dependency (or a dev dependency that changes the distribution, like the Typescript compiler), 
+then a manual step is required to rebuild the dist and commit.
+
+The simplest process to follow is:
+1. Checkout the dependabot branch locally eg: `git checkout dependabot/npm_and_yarn/actions/github-5.1.0`
+2. Run `npm install` to download and the new dependencies and install locally
+3. Run `npm run build` to regenerate the distribution
+4. Push the changes to the dependabot branch
+5. If/when the checks pass, you can merge the dependabot PR