Skip to content
Search

DEV Community

Łukasz Kurzyniec
Łukasz Kurzyniec

Posted on

GitHub - Auto-merge Dependabot PRs

#github #dependabot #automerge #pullrequest

Below note is based on Dependabot - Fetch Metadata Action.
Up-to-date code/version could be found in my repo here.

If you are using/consuming Dependabot this GitHub Action is for you. It's a real time saver! It allows to automatically Approve and Merge Dependabot's PRs based on Semantic Versioning update type.

auto-merge.yml 

name: Dependabot Approve and Merge

on: pull_request_target

permissions:
  pull-requests: write
  contents: write
  issues: write

jobs:
  dependabot:
    name: Auto approve and merge
    runs-on: ubuntu-latest

    if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
    steps:
      - name: Fetch update types
        id: update-types
        env:
          UPDATE_TYPES: ${{ secrets.UPDATE_TYPES }}
        run: |
          arr=(${UPDATE_TYPES//;/ })
          count=${#arr[@]}
          echo "Types: ${arr[*]}"
          echo "Count: ${count}"
          echo "types=${arr[*]}" >> $GITHUB_OUTPUT
          echo "count=${count}" >> $GITHUB_OUTPUT

      - name: Fetch Dependabot metadata
        if: ${{ fromJson(steps.update-types.outputs.count) > 0 }}
        id: dependabot-metadata
        uses: dependabot/fetch-metadata@v1.3.5

      - name: Approve and merge
        id: auto-merge
        if: ${{ fromJson(steps.update-types.outputs.count) > 0 && contains(steps.update-types.outputs.types, steps.dependabot-metadata.outputs.update-type) }}
        run: |
          gh pr edit "$PR_URL" --add-label "auto-merged"
          gh pr review --approve "$PR_URL"
          gh pr merge --auto --squash "$PR_URL"
          echo "STATUS=true" >> $GITHUB_OUTPUT
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Write summary
        run: |
          result="skip. :x:"
          if [ "${STATUS}" == "true" ]; then
              result=" auto-merge! :white_check_mark:"
          fi
          echo "### Done with ${result}" >> $GITHUB_STEP_SUMMARY
        env:
          STATUS: ${{ steps.auto-merge.outputs.STATUS }}
Enter fullscreen mode Exit fullscreen mode

Explanation

Above workflow will work on Pull Request event trigger and needs write permission for pull-requests, contents and issues to be able to do its job.
Before it proceeds with any steps, it's checking that the PR belongs to Dependabot. If so, the steps in workflow do:

  1. Fetch update types, which are stored/defined under the repository secrets (to avoid code changes when narrow down the merge requirements)
  2. Fetch Dependabot metadata to get all details around PR created by Dependabot (only when any update types are defined)
  3. Approve and merge PR using GitHub CLI, as well as add label (only when PR's update type match defined types)
  4. Write summary to inform about result

Results

Here are some exemplary results.

Success with auto-merge:

Success with auto-merge

Success with skip:

Success with skip

Top comments (0)

Read next

sachinmdev profile image

Revolutionize Your Development Skills: Top GitHub Repositories You Can't Afford to Miss

sachinM -

hugovk profile image

TIL: how to disable cron for GitHub forks

Hugo van Kemenade -

zirkelc profile image

AdaGPT: My Learnings While Building a GitHub Action

Chris -

aurelievache profile image

developers.events: Maintaining a GitHub repository - What have I learned in 7 years?

Aurélie Vache -