Skip to content
git-pull-request

GitHub Action

Github Action Merge Dependabot

v3.11.0 Latest version

Github Action Merge Dependabot

git-pull-request

Github Action Merge Dependabot

Automatically approve and merge dependabot PRs

Installation

Copy and paste the following snippet into your .yml file.

              

- name: Github Action Merge Dependabot

uses: fastify/github-action-merge-dependabot@v3.11.0

Learn more about this action in fastify/github-action-merge-dependabot

Choose a version

Github Action Merge Dependabot

This action automatically approves and merges dependabot PRs.

Usage

Configure this action in your workflows providing the inputs described below. Note that this action requires a GitHub token with additional permissions. You must use the permissions tag to specify the required rules or configure your GitHub account.

The permissions required are:

If some of the required permissions are missing, the action will fail with the error message:

Error: Resource not accessible by integration

Inputs

input required default description
github-token No ${{github.token}} A GitHub token.
exclude No A comma or semicolon separated value of packages that you don't want to auto-merge and would like to manually review to decide whether to upgrade or not.
approve-only No false If true, the PR is only approved but not merged.
merge-method No squash The merge method you would like to use (squash, merge, rebase).
merge-comment No '' An arbitrary message that you'd like to comment on the PR after it gets auto-merged. This is only useful when you're receiving too much of noise in email and would like to filter mails for PRs that got automatically merged.
use-github-auto-merge No false If true, the PR is marked as auto-merge and will be merged by GitHub when status checks are satisfied.

NOTE: This feature only works when all of the following conditions are met.
- The repository enables auto-merge.
- The pull request base must have a branch protection rule.
- The pull request's status checks are not yet satisfied.

Refer to the official document about GitHub auto-merge.
target No any A flag to only auto-merge updates based on Semantic Versioning.
Possible options are: major, premajor, minor, preminor, patch, prepatch, prerelease, any.

The value of this flag allows for updates for all the matching versions and lower with the respect for priority. This means, for example, if the target is set to major and the update is made to minor version the auto-merge will be triggered.

For more details on how semantic version difference is calculated please see semver package.

If you set a value other than any, PRs that are not semantic version compliant are skipped. An example of a non-semantic version is a commit hash when using git submodules.
target-development No Same as target but specifies semver for development dependencies only. If present, then it overrides the value in target for development dependencies.
target-production No Same as target but specifies semver for production dependencies only. If present, then it overrides the value in target for production dependencies.
target-indirect No Same as target but specifies semver for indirect dependency updates only. If present, then it overrides the value in target for indirect dependency updates.
pr-number No A pull request number, only required if triggered from a workflow_dispatch event. Typically this would be triggered by a script running in a separate CI provider. See Trigger action from workflow_dispatch event example.
skip-commit-verification No false If true, then the action will not expect the commits to have a verification signature. It is required to set this to true in GitHub Enterprise Server.
skip-verification No false If true, the action will not validate the user or the commit verification status

Output

outputs Description
merge_status The result status of the merge. It can be one of the following: approved, merged, auto_merge, merge_failed, skipped:commit_verification_failed, skipped:not_a_dependabot_pr, skipped:cannot_update_major, skipped:bump_higher_than_target, skipped:packaged_excluded

Examples

Basic example

name: CI
on:
  push:
    branches:
      - main
  pull_request:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # ...

  automerge:
    needs: build
    runs-on: ubuntu-latest

    permissions:
      pull-requests: write
      contents: write

    steps:
      - uses: fastify/github-action-merge-dependabot@v3

Excluding packages

permissions:
  pull-requests: write
  contents: write

steps:
  - uses: fastify/github-action-merge-dependabot@v3
    with:
      exclude: 'react,fastify'

Approving without merging

permissions:
  pull-requests: write
steps:
  - uses: fastify/github-action-merge-dependabot@v3
    with:
      approve-only: true

Specifying target versions

Specifying target for all packages

steps:
  - uses: fastify/github-action-merge-dependabot@v3
    with:
      target: 'minor'

Specifying target for development and production packages separately

steps:
  - uses: fastify/github-action-merge-dependabot@v3
    with:
      target-development: 'major'
      target-production: 'minor'

Trigger action from workflow_dispatch event

If you need to trigger this action manually, you can use the workflow_dispatch event. A use case might be that your CI runs on a seperate provider, so you would like to run this action as a result of a successful CI run.

When using the workflow_dispatch approach, you will need to send the PR number as part of the input for this action:

name: automerge

on:
  workflow_dispatch:
    inputs:
      pr-number:
        required: true

jobs:
  automerge:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
      contents: write
    steps:
      - uses: fastify/github-action-merge-dependabot@v3
        with:
          pr-number: ${{ github.event.inputs.pr-number }}

You can initiate a call to trigger this event via API:

# Note: replace dynamic values with your relevant data
curl -X POST \
  -H "Accept: application/vnd.github.v3+json" \
  -H "Authorization: token {token}" \
  https://api.github.com/repos/{owner}/{reponame}/actions/workflows/{workflow}/dispatches \
  -d '{"ref":"{ref}", "inputs":{ "pr-number": "{number}"}}'

How to upgrade from 2.x to new 3.x

Migration example:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # ...

  automerge:
    needs: build
    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+      contents: write
    steps:
-     - uses: fastify/github-action-merge-dependabot@v2.1.1
+     - uses: fastify/github-action-merge-dependabot@v3

Notes

  • A GitHub token is automatically provided by Github Actions, which can be accessed using github.token. If you want to provide a token that's not the default one you can used the github-token input.
  • Make sure to use needs: <jobs> to delay the auto-merging until CI checks (test/build) are passed.
  • If you want to use GitHub's auto-merge feature but still use this action to approve Pull Requests without merging, use approve-only: true.

Acknowledgements

This project is kindly sponsored by NearForm