GitHub Action
Dependabot Auto Merge
v2.0.0
Automatically merge Dependabot PRs when version comparison is within range
```yaml
name: auto-merge

on:
  pull_request:

jobs:
  auto-merge:
    runs-on: ubuntu-latest
    steps:
      - uses: ahmadnassri/action-dependabot-auto-merge@v1
```
Use a specific user's Personal Access Token:
```yaml
steps:
  - uses: ahmadnassri/action-dependabot-auto-merge@v1
    with:
      target: patch
      github-token: ${{ secrets.mytoken }}
```
Only merge if the changed dependency version is a patch (default behavior):
```yaml
steps:
  - uses: ahmadnassri/action-dependabot-auto-merge@v1
    with:
      target: patch
```
Only merge if the changed dependency version is a minor:
```yaml
steps:
  - uses: ahmadnassri/action-dependabot-auto-merge@v1
    with:
      target: minor
```
Only merge if the changed dependency version is a major:
```yaml
steps:
  - uses: ahmadnassri/action-dependabot-auto-merge@v1
    with:
      target: major
```

| input | required | default | description |
|---|---|---|---|
| target | ❌ | patch | The version comparison target (major, minor, patch) |
| github-token | ❌ | github.token | The GitHub token used to merge the pull-request |
| command | ❌ | merge | The command to pass to Dependabot |
| approve | ❌ | true | Auto-approve pull-requests |

Using the configuration file `.github/auto-merge.yml`, you have the option to provide a more fine-grained configuration. The following example configuration file merges:

- minor development dependency updates
- patch production dependency updates
- minor security-critical production dependency updates

```yaml
- match:
    dependency_type: development
    # Supported dependency types:
    # - development
    # - production
    # - all
    update_type: "semver:minor" # includes patch updates!
    # Supported updates to automerge:
    # - "security:patch"
    #   SemVer patch update that fixes a known security vulnerability
    # - "semver:patch"
    #   SemVer patch update, e.g. > 1.x && 1.0.1 to 1.0.3
    # - "semver:minor"
    #   SemVer minor update, e.g. > 1.x && 2.1.4 to 2.3.1
    # - "in_range" (NOT SUPPORTED YET)
    #   matching the version requirement in your package manifest
    # - "security:all"
    # - "all"
    # To allow prereleases, the corresponding prepatch, preminor and premajor types are also supported
- match:
    dependency_type: production
    update_type: "security:minor" # includes patch updates!
- match:
    dependency_type: production
    update_type: "semver:patch"
```
The syntax is based on the legacy Dependabot v1 config format, but does not support `dependency_name` and `in_range` yet.
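
To audit which updates a rule set like the one above would let through without review, the sketch below dry-runs the rules against a described update. It is an added example, not the action's own code: the function names, the `update` object shape, first-match-wins ordering, and the choice to never auto-merge prerelease targets or downgrades are assumptions made here.

```javascript
// Added example: dry-run evaluator for auto-merge rules (not the action's code).
const LEVELS = ['patch', 'minor', 'major']; // ascending risk
const SEMVER = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

// Parse a version into its numeric parts plus a prerelease flag.
function parse(version) {
  const m = SEMVER.exec(version);
  if (!m) throw new Error(`not a semver version: ${version}`);
  return { nums: m.slice(1, 4).map(Number), pre: Boolean(m[4]) };
}

// Classify the bump; null means "never auto-merge" (downgrade, no change,
// or a prerelease target, which this sketch does not model).
function bumpLevel(from, to) {
  const a = parse(from), b = parse(to);
  if (b.pre) return null;
  for (let i = 0; i < 3; i++) {
    if (b.nums[i] > a.nums[i]) return ['major', 'minor', 'patch'][i];
    if (b.nums[i] < a.nums[i]) return null;
  }
  return null;
}

// Does a rule's update_type cover this bump? Assumed semantics: "semver:minor"
// also covers patch; "security:*" applies only to security updates.
function ruleCovers(updateType, level, isSecurity) {
  if (updateType === 'all') return true;
  const [scope, target] = updateType.split(':');
  if (scope !== 'semver' && scope !== 'security') return false; // e.g. in_range
  if (scope === 'security' && !isSecurity) return false;
  if (target === 'all') return true;
  const max = LEVELS.indexOf(target);
  return max !== -1 && LEVELS.indexOf(level) <= max;
}

// First matching rule wins; null means the PR is left for human review.
function decide(rules, update) {
  const level = bumpLevel(update.from, update.to);
  if (level === null) return null;
  const hit = rules.find(({ match: m }) =>
    ['all', update.dependencyType].includes(m.dependency_type) &&
    ruleCovers(m.update_type, level, update.security));
  return hit || null;
}

// The page's example configuration, as already-parsed objects.
const RULES = [
  { match: { dependency_type: 'development', update_type: 'semver:minor' } },
  { match: { dependency_type: 'production', update_type: 'security:minor' } },
  { match: { dependency_type: 'production', update_type: 'semver:patch' } },
];
```

A `null` result from `decide` is the case to check for when reviewing a configuration: it marks the updates that still require a human approval.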