
Łukasz Kurzyniec

GitHub - Auto-merge Dependabot PRs

The note below is based on the Dependabot Fetch Metadata Action.
The up-to-date version of the code can be found in my repo here.

If you are using Dependabot, this GitHub Action is for you. It's a real time saver! It lets you automatically approve and merge Dependabot's PRs based on the Semantic Versioning update type.


```yaml
name: Dependabot Approve and Merge

on: pull_request_target

permissions:
  pull-requests: write
  contents: write
  issues: write

jobs:
  auto-merge: # job id (any valid identifier works)
    name: Auto approve and merge
    runs-on: ubuntu-latest

    # Run only for PRs opened by Dependabot
    if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
    steps:
      - name: Fetch update types
        id: update-types
        env:
          UPDATE_TYPES: ${{ secrets.UPDATE_TYPES }}
        run: |
          # Split the semicolon-separated secret into an array
          arr=(${UPDATE_TYPES//;/ })
          count=${#arr[@]}
          echo "Types: ${arr[*]}"
          echo "Count: ${count}"
          echo "types=${arr[*]}" >> "$GITHUB_OUTPUT"
          echo "count=${count}" >> "$GITHUB_OUTPUT"

      - name: Fetch Dependabot metadata
        if: ${{ fromJson(steps.update-types.outputs.count) > 0 }}
        id: dependabot-metadata
        uses: dependabot/fetch-metadata@v1.3.5

      - name: Approve and merge
        id: auto-merge
        if: ${{ fromJson(steps.update-types.outputs.count) > 0 && contains(steps.update-types.outputs.types, steps.dependabot-metadata.outputs.update-type) }}
        run: |
          gh pr edit "$PR_URL" --add-label "auto-merged"
          gh pr review --approve "$PR_URL"
          gh pr merge --auto --squash "$PR_URL"
          echo "STATUS=true" >> "$GITHUB_OUTPUT"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Write summary
        run: |
          result="skip. :x:"
          if [ "${STATUS}" == "true" ]; then
              result=" auto-merge! :white_check_mark:"
          fi
          echo "### Done with ${result}" >> "$GITHUB_STEP_SUMMARY"
        env:
          # Output written by the "Approve and merge" step
          STATUS: ${{ steps.auto-merge.outputs.STATUS }}
```


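The workflow above is triggered by the `pull_request_target` event and needs write permission for pull-requests, contents and issues to be able to do its job. Because `pull_request_target` runs in the context of the base repository, the job can read repository secrets and gets a write-capable `GITHUB_TOKEN`; the workflow never checks out or runs code from the PR.
Before it proceeds with any steps, it checks that the PR belongs to Dependabot. If so, the steps in the workflow do the following: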

  1. Fetch the update types, which are defined in the repository secrets (to avoid code changes when narrowing down the merge requirements)
  2. Fetch Dependabot metadata to get all details about the PR created by Dependabot (only when any update types are defined)
  3. Approve and merge the PR using the GitHub CLI, and add a label (only when the PR's update type matches the defined types)
  4. Write a summary to report the result
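
Step 3's condition calls `contains()` on the space-joined string produced in step 1, and on a string `contains()` is a substring test rather than a list-membership test. The following added example (not part of the original post) shows an exact-match version of that check in shell; the function names `update_type_allowed` and `substring_allowed` and the sample values are assumptions.

```bash
# Added example: exact-match allowlist check for Dependabot update types.
# update_type_allowed and substring_allowed are hypothetical helper names;
# the sample values at the bottom are constructed.

# Succeeds only if $2 equals one whole entry of the ';'-separated list in $1.
# Runs in a subshell so the IFS and noglob changes do not leak to the caller.
update_type_allowed() (
  allowed=$1
  candidate=$2

  # An empty candidate must never match.
  [ -n "$candidate" ] || exit 1

  set -f      # disable globbing: entries are data, not patterns
  IFS=';'     # split on the same separator the workflow uses
  for entry in $allowed; do
    # Trim leading and trailing whitespace around the entry.
    entry=${entry#"${entry%%[![:space:]]*}"}
    entry=${entry%"${entry##*[![:space:]]}"}
    if [ -n "$entry" ] && [ "$entry" = "$candidate" ]; then
      exit 0
    fi
  done
  exit 1
)

# Substring test, for comparison with the exact match above.
substring_allowed() {
  case $1 in
    *"$2"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample input: allow patch and minor updates only.
SAMPLE_TYPES='version-update:semver-patch; version-update:semver-minor'
for t in 'version-update:semver-patch' 'version-update:semver-major' 'semver' ''; do
  if update_type_allowed "$SAMPLE_TYPES" "$t"; then exact=merge; else exact=skip; fi
  if substring_allowed "$SAMPLE_TYPES" "$t"; then sub=merge; else sub=skip; fi
  printf '%-30s exact=%-5s substring=%s\n' "${t:-<empty>}" "$exact" "$sub"
done
```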


Here are some example results.

Success with auto-merge:


Success with skip:

