DEV Community

Justin Poehnelt

Posted on • Originally published at justin.poehnelt.com on

Automatically Approving and Merging Dependabot Pull Requests

I’ve recently been using a combination of GitHub apps to automate the approval and merging of Dependabot pull requests, but wanted to simplify this into a GitHub workflow, using branch protection and GitHub’s auto merge feature.

The GitHub workflow looks something like:

name: Dependabot
on: pull_request

# This block only scopes the default GITHUB_TOKEN; the steps below
# authenticate with a personal access token instead.
permissions:
  contents: write

jobs:
  dependabot:
    runs-on: ubuntu-latest
    # Only run for pull requests that Dependabot itself opened or rebased.
    if: ${{ github.actor == 'dependabot[bot]' }}
    env:
      PR_URL: ${{ github.event.pull_request.html_url }}
      # Workflow runs triggered by Dependabot cannot read repository secrets, only
      # Dependabot secrets (Settings > Secrets > Dependabot), so MY_PA_TOKEN must
      # be stored there.
      GITHUB_TOKEN: ${{ secrets.MY_PA_TOKEN }}
    steps:
      - name: approve
        run: gh pr review --approve "$PR_URL"
      - name: merge
        # --auto queues the merge until branch protection is satisfied; the
        # repository must have auto-merge enabled for this to succeed.
        run: gh pr merge --auto --squash --delete-branch "$PR_URL"

Warning: I wouldn't implement this without branch protection and required status checks. The approve step is unconditional, so the required checks are the only thing standing between a Dependabot pull request and the default branch.

And it works! 🎉

The pull request now looks like the following:

[Screenshot: Automating Dependabot pull request approval and merging]

Once I had this implemented and pushed to all the repositories, I just needed to tell Dependabot to rebase all open pull requests so the workflow would run on them.

It would be fairly easy to add a check for labels on the pull request and only run `gh pr review --approve` if the label was present, but I really didn't have a use case for this right now because I feel confident in the required status checks.

Top comments (2)

Melroy van den Berg • Edited

Works great indeed!

However, try to add the following step:

      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v1
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"

And then add an "if" check during the auto-merge step for additional checks. For EXAMPLE... check some additional things like:

      - name: merge
        if: ${{contains(steps.metadata.outputs.dependency-names, 'rails') && steps.metadata.outputs.update-type == 'version-update:semver-patch'}}
        run: gh pr merge --auto --squash "$PR_URL"
Melroy van den Berg • Edited

Just to give you another example. You might want to check on semver-minor as well, or check on package-ecosystem or target-branch. This is an update of the tox Python package via pip. See the metadata that dependabot/fetch-metadata@v1 gives me:

outputs.dependency-names: tox
outputs.dependency-type: direct:production
outputs.update-type: version-update:semver-minor
outputs.directory: /
outputs.package-ecosystem: pip
outputs.target-branch: main
outputs.previous-version: 4.13.0
outputs.new-version: 4.14.1
outputs.compatibility-score: 0
outputs.maintainer-changes: false
outputs.dependency-group:
outputs.alert-state:
outputs.ghsa-id:
outputs.cvss: 0
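The gating that the two comments above sketch with an `if:` expression can be moved into a small script the merge step runs before `gh pr merge`, which makes the policy testable outside of Actions. This is an added example, not code from the post, the comments, or Dependabot. It assumes the workflow exports the fetch-metadata outputs as the environment variables named in the header comment (assumed names), and its policy (patch updates always, minor updates only for development-only dependencies or security-alert fixes, never 0.x minors or majors) is the example's own, not GitHub's.

```shell
#!/usr/bin/env sh
# dependabot_policy.sh - decide whether a Dependabot pull request may be
# auto-merged. Added example; not from the post, the comments, or Dependabot.
#
# The merge step is assumed to export the dependabot/fetch-metadata outputs as
# environment variables (names chosen for this example):
#   UPDATE_TYPE       steps.metadata.outputs.update-type      e.g. version-update:semver-minor
#   DEPENDENCY_TYPE   steps.metadata.outputs.dependency-type  e.g. direct:production
#   PREVIOUS_VERSION  steps.metadata.outputs.previous-version e.g. 4.13.0
#   ALERT_STATE       steps.metadata.outputs.alert-state      non-empty for security alerts
# and then run:  sh dependabot_policy.sh && gh pr merge --auto --squash "$PR_URL"

# policy_decision UPDATE_TYPE DEPENDENCY_TYPE PREVIOUS_VERSION ALERT_STATE
# Prints a one-line reason for the workflow log; returns 0 to allow the merge,
# 1 to leave the pull request for a human.
policy_decision() {
  update_type="$1"
  dependency_type="$2"
  previous_version="$3"
  alert_state="$4"

  # Leading numeric component of the previous version. "0" means the package
  # has never promised a stable API, so even a minor bump may be breaking.
  previous_major="${previous_version%%.*}"

  case "$update_type" in
    version-update:semver-patch)
      echo "allow: patch update"
      return 0
      ;;
    version-update:semver-minor)
      if [ "$previous_major" = "0" ]; then
        echo "deny: minor bump of a 0.x package, semver makes no compatibility promise"
        return 1
      fi
      if [ -n "$alert_state" ]; then
        echo "allow: minor update that fixes a security alert ($alert_state)"
        return 0
      fi
      if [ "$dependency_type" = "direct:development" ]; then
        echo "allow: minor update of a development-only dependency"
        return 0
      fi
      echo "deny: minor update of a production dependency needs a human review"
      return 1
      ;;
    version-update:semver-major)
      echo "deny: major update"
      return 1
      ;;
    *)
      # Empty or unknown update-type: fetch-metadata could not classify the
      # bump (non-semver versions, grouped updates), so do not guess.
      echo "deny: update type '$update_type' not classified"
      return 1
      ;;
  esac
}

# Constructed inputs for illustration; the second mirrors the tox metadata
# quoted in the comment above (4.13.0 -> 4.14.1, direct:production, no alert).
demo() {
  policy_decision version-update:semver-patch direct:production 1.2.3 "" || :
  policy_decision version-update:semver-minor direct:production 4.13.0 "" || :
  policy_decision version-update:semver-minor direct:development 0.9.2 "" || :
  policy_decision version-update:semver-minor direct:production 2.1.0 OPEN || :
  policy_decision version-update:semver-major direct:production 2.1.0 "" || :
}

# Run with --demo to print the constructed cases; otherwise evaluate the
# environment the workflow step exported (exit status drives the merge).
if [ "${1:-}" = "--demo" ]; then
  demo
elif [ -n "${UPDATE_TYPE:-}" ]; then
  policy_decision "$UPDATE_TYPE" "${DEPENDENCY_TYPE:-}" "${PREVIOUS_VERSION:-}" "${ALERT_STATE:-}"
fi
```

With this in place the merge step in the post's workflow becomes `run: sh dependabot_policy.sh && gh pr merge --auto --squash "$PR_URL"` with the four variables listed in the header set under that step's `env:` from the fetch-metadata outputs. Because the script only prints a reason and exits, a denied pull request simply stays open with its status checks green and the log explains why it was not merged.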