Auto-merge Dependabot PRs for minor & patch updates

README.md

README

Note

I'm now using a newer version of this workflow that supports an allow list for individual packages and update groups which can be found here:

• workflows/dependabot-auto-merge.yml
• workflow-templates/dependabot-auto-merge.yml.

If you're using a workflow like this and need to manage secrets in multiple repos xt0rted/secrets-sync can simplify that. This lets you add secrets to one repo and sync them to many repos. There's also a template you can fork to get started quickly with it.

Personal Access Token

This workflow requires the Allow auto-merge setting to be enabled and ideally a branch protection rule to ensure your other workflows pass before merging.

If the default GITHUB_TOKEN is used any workflows that would be triggered by the merge won't run, to work around that a PAT needs to be used.

The DEPENDABOT_TOKEN needs repo & read:org scopes and should be added as both an Actions and Dependabot scret for the org or repo where this will be ran.

GitHub App

An alternative method is to use a GitHub App. To do this you'll need to go to https://github.com/settings/apps/new or https://github.com/organizations/<org>/settings/apps/new and create an app with the following settings:

1. Uncheck Expire user authorization tokens
2. Uncheck Webhook Active
3. Set the following Repository permissions
   • Contents: Read & Write
   • Metadata: Read-only
   • Pull requests: Read-only

Once created you'll need to generate a private key.

You'll then need to install the app to your account or org and add Action & Dependabot secrets for both the BOT_APP_ID and BOT_PRIVATE_KEY values which correspond to the App ID at the top of the page, and the private key you just created.

The final step is to make sure you've enabled auto-merge PRs on the repo.

dependabot-auto-merge-with-github-app.yml

# https://gist.github.com/xt0rted/46475099dc0a70ba63e16e3177407872
name: Dependabot auto-merge

on: pull_request_target

permissions:
  contents: read
  pull-requests: read

jobs:
  dependabot:
    runs-on: ubuntu-latest

    if: github.event.pull_request.user.login == 'dependabot[bot]'

    steps:
      - name: Generate token
        id: generate_token
        uses: tibdex/[email protected]
        with:
          app_id: ${{ secrets.BOT_APP_ID }}
          private_key: ${{ secrets.BOT_PRIVATE_KEY }}

      - name: Dependabot metadata
        id: dependabot_metadata
        uses: dependabot/[email protected]
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Authenticate cli
        run: echo "${{ steps.generate_token.outputs.token }}" | gh auth login --with-token

      - name: Enable auto-merge for Dependabot PRs
        if: steps.dependabot_metadata.outputs.dependency-type == 'direct:development' && (steps.dependabot_metadata.outputs.update-type == 'version-update:semver-minor' || steps.dependabot_metadata.outputs.update-type == 'version-update:semver-patch')
        run: gh pr merge --auto --merge "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}

dependabot-auto-merge-with-pat.yml

# https://gist.github.com/xt0rted/46475099dc0a70ba63e16e3177407872
name: Dependabot auto-merge

on: pull_request_target

permissions:
  contents: read
  pull-requests: read

jobs:
  dependabot:
    runs-on: ubuntu-latest

    if: github.event.pull_request.user.login == 'dependabot[bot]'

    steps:
      - name: Dependabot metadata
        id: dependabot_metadata
        uses: dependabot/[email protected]
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Authenticate cli with a PAT
        run: echo "${{ secrets.DEPENDABOT_TOKEN }}" | gh auth login --with-token

      - name: Enable auto-merge for Dependabot PRs
        if: steps.dependabot_metadata.outputs.dependency-type == 'direct:development' && (steps.dependabot_metadata.outputs.update-type == 'version-update:semver-minor' || steps.dependabot_metadata.outputs.update-type == 'version-update:semver-patch')
        run: gh pr merge --auto --merge "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}

Awesome! Thanks

Thanks a lot!

Love. It! 👍

nice work buddy 👏

Why do we need to create the secret as both Action & Dependabot? Isn't it sufficient to create it as a Dependabot secret?

@nlykkei When a workflow is triggered by dependabot only the dependabot secrets are passed to it, but if the workflow is triggered by anything else (person, pat, or github app) then the actions secrets are passed in. Pushing to a dependabot branch or manually re-running a workflow requires the secrets to be in both lists, otherwise the dependabot list should be fine.