Dependabot Auto Merge
Automatically merge Dependabot PRs when version comparison is within range

```yaml
name: auto-merge

on:
  pull_request:

jobs:
  auto-merge:
    runs-on: ubuntu-latest
    steps:
      - uses: ahmadnassri/action-dependabot-auto-merge@v2
        with:
          github-token: ${{ secrets.mytoken }}
```

Minimal setup:

```yaml
steps:
  - uses: ahmadnassri/action-dependabot-auto-merge@v2
    with:
      github-token: ${{ secrets.mytoken }}
```

Only merge if the changed dependency version is a patch (default behavior):

```yaml
steps:
  - uses: ahmadnassri/action-dependabot-auto-merge@v2
    with:
      target: patch
      github-token: ${{ secrets.mytoken }}
```

Only merge if the changed dependency version is a minor:

```yaml
steps:
  - uses: ahmadnassri/action-dependabot-auto-merge@v2
    with:
      target: minor
      github-token: ${{ secrets.mytoken }}
```

Using a configuration file:

Workflow steps:

```yaml
steps:
  - uses: ahmadnassri/action-dependabot-auto-merge@v2
    with:
      github-token: ${{ secrets.mytoken }}
```

Configuration file (`.github/auto-merge.yml`):

```yaml
- match:
    dependency_type: all
    update_type: "semver:minor" # includes patch updates!
```

input | required | default | description |
---|---|---|---|
github-token | ✔ | github.token | The GitHub token used to merge the pull-request |
target | ❌ | patch | The version comparison target (major, minor, patch) |
command | ❌ | merge | The command to pass to Dependabot |
approve | ❌ | true | Auto-approve pull-requests |

The GitHub token is a Personal Access Token with the following scopes: `repo` for private repositories, and `public_repo` for public repositories. It should be created from a user with "push" permission to the repository (see reference for user owned repos and for org owned repos).

Using the configuration file `.github/auto-merge.yml`, you have the option to provide a more fine-grained configuration. The following example configuration file merges:

- minor development dependency updates
- patch production dependency updates
- minor security-critical production dependency updates

```yaml
- match:
    dependency_type: development
    # Supported dependency types:
    # - development
    # - production
    # - all
    update_type: "semver:minor" # includes patch updates!
    # Supported updates to automerge:
    # - "security:patch"
    #   SemVer patch update that fixes a known security vulnerability
    # - "semver:patch"
    #   SemVer patch update, e.g. > 1.x && 1.0.1 to 1.0.3
    # - "semver:minor"
    #   SemVer minor update, e.g. > 1.x && 2.1.4 to 2.3.1
    # - "in_range" (NOT SUPPORTED YET)
    #   matching the version requirement in your package manifest
    # - "security:all"
    # - "all"
    # To allow prereleases, the corresponding prepatch, preminor and premajor types are also supported

- match:
    dependency_type: production
    update_type: "security:minor" # includes patch updates!

- match:
    dependency_type: production
    update_type: "semver:patch"
```

The syntax is based on the legacy Dependabot v1 config format, but does not support `dependency_name` and `in_range` yet.
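
The rule semantics described above, modeled as an added JavaScript example (not the action's own code) so you can check which updates a rule set would let through before enabling it. It assumes plain `x.y.z` versions, treats any one matching rule as sufficient, and fails closed on downgrades, unparseable versions and unsupported update types; `bumpLevel`, `ruleAllows`, `shouldMerge` and the sample updates are hypothetical names and constructed data.

```javascript
// Added example, not the action's code. Assumes plain x.y.z versions.
const LEVELS = ['patch', 'minor', 'major']; // smallest to largest bump

function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

// Returns 'major' | 'minor' | 'patch', or null when the change is not an upgrade.
function bumpLevel(from, to) {
  const a = parse(from), b = parse(to);
  if (!a || !b) return null; // unparseable version: fail closed
  for (let i = 0; i < 3; i++) {
    if (b[i] > a[i]) return ['major', 'minor', 'patch'][i];
    if (b[i] < a[i]) return null; // downgrade: never auto-merge
  }
  return null; // identical versions
}

// rule mirrors one "match" entry; update is { dependencyType, from, to, security }.
function ruleAllows(rule, update) {
  const level = bumpLevel(update.from, update.to);
  if (!level) return false;
  if (rule.dependency_type !== 'all' && rule.dependency_type !== update.dependencyType) return false;
  const [kind, max] = rule.update_type === 'all' ? ['semver', 'all'] : rule.update_type.split(':');
  if (kind !== 'semver' && kind !== 'security') return false; // e.g. "in_range"
  if (kind === 'security' && !update.security) return false;
  const limit = max === 'all' ? 'major' : max;
  // Unknown limits (e.g. prerelease types, not modeled here) give index -1 and are rejected.
  return LEVELS.indexOf(level) <= LEVELS.indexOf(limit);
}

const shouldMerge = (rules, update) => rules.some((r) => ruleAllows(r, update));

// The three rules from the example configuration file above.
const RULES = [
  { dependency_type: 'development', update_type: 'semver:minor' },
  { dependency_type: 'production', update_type: 'security:minor' },
  { dependency_type: 'production', update_type: 'semver:patch' },
];

// Constructed sample updates (not real advisories or packages).
const SAMPLES = [
  { dependencyType: 'development', from: '2.1.4', to: '2.3.1', security: false },
  { dependencyType: 'production', from: '2.1.4', to: '2.3.1', security: false },
  { dependencyType: 'production', from: '2.1.4', to: '2.3.1', security: true },
  { dependencyType: 'production', from: '1.0.1', to: '1.0.3', security: false },
];
for (const u of SAMPLES) console.log(u.dependencyType, u.from, '->', u.to, shouldMerge(RULES, u));
```

Under these rules a non-security minor bump of a production dependency is the case left for human review, while the same bump flagged as a security fix is merged.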
Dependabot Auto Merge is not certified by GitHub. It is provided by a third-party and is governed by separate terms of service, privacy policy, and support documentation.