Skip to content

Warning

You're viewing an older version of this GitHub Action. Do you want to see the latest version instead?

Dependabot Auto Merge

Actions
Automatically merge Dependabot PRs when version comparison is within range
v2.1.2
Star (343)

GitHub Action: Dependabot Auto Merge

license version super linter test release

Automatically merge Dependabot PRs when version comparison is within range.

Note: Dependabot will wait until all your status checks pass before merging. This is a function of Dependabot itself, and not this Action.

Usage

name: auto-merge

on:
  pull_request:

jobs:
  auto-merge:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: ahmadnassri/action-dependabot-auto-merge@v2
        with:
          target: minor
          github-token: ${{ secrets.mytoken }}

The action will only merge PRs whose checks (CI/CD) pass.

Examples

Minimal setup:

steps:
  - uses: ahmadnassri/action-dependabot-auto-merge@v2
    with:
      github-token: ${{ secrets.mytoken }}

Only merge if the changed dependency version is a patch (default behavior):

steps:
  - uses: ahmadnassri/action-dependabot-auto-merge@v2
    with:
      target: patch
      github-token: ${{ secrets.mytoken }}

Only merge if the changed dependency version is a minor:

steps:
  - uses: ahmadnassri/action-dependabot-auto-merge@v2
    with:
      target: minor
      github-token: ${{ secrets.mytoken }}

Using a configuration file:

.github/workflows/auto-merge.yml
steps:
  - uses: actions/checkout@v2
  - uses: ahmadnassri/action-dependabot-auto-merge@v2
    with:
      github-token: ${{ secrets.mytoken }}
.github/auto-merge.yml
- match:
    dependency_type: all
    update_type: "semver:minor" # includes patch updates!

Inputs

input required default description
github-token github.token The GitHub token used to merge the pull-request
target patch The version comparison target (major, minor, patch)
command merge The command to pass to Dependabot
approve true Auto-approve pull-requests

Token Scope

The GitHub token is a Personal Access Token with the following scopes:

  • repo for private repositories
  • public_repo for public repositories

The token MUST be created from a user with push permission to the repository.

see reference for user owned repos and for org owned repos

Configuration file syntax

Using the configuration file .github/auto-merge.yml, you have the option to provide a more fine-grained configuration. The following example configuration file merges

  • minor updates for aws-sdk
  • minor development dependency updates
  • patch production dependency updates
  • minor security-critical production dependency updates
- match:
    dependency_name: aws-sdk
    update_type: semver:minor

- match:
    dependency_type: development
    update_type: semver:minor # includes patch updates!

- match:
    dependency_type: production
    update_type: security:minor # includes patch updates!

- match:
    dependency_type: production
    update_type: semver:patch

Match Properties

property required supported values
dependency_name full name of dependency, or a regex string
dependency_type all, production, development
update_type all, security:*, semver:*

update_type can specify security match or semver match with the syntax: ${type}:${match}, e.g.

  • security:patch
    SemVer patch update that fixes a known security vulnerability

  • semver:patch
    SemVer patch update, e.g. > 1.x && 1.0.1 to 1.0.3

  • semver:minor
    SemVer minor update, e.g. > 1.x && 2.1.4 to 2.3.1

To allow prereleases, the corresponding prepatch, preminor and premajor types are also supported

Defaults

By default, if no configuration file is present in the repo, the action will assume the following:

- match:
    dependency_type: all
    update_type: semver:${TARGET}

Where $TARGET is the target value from the action Inputs

The syntax is based on the legacy dependaBot v1 config format. However, in_range is not supported yet.

Dependabot Auto Merge is not certified by GitHub. It is provided by a third-party and is governed by separate terms of service, privacy policy, and support documentation.

About

Automatically merge Dependabot PRs when version comparison is within range
v2.1.2

Dependabot Auto Merge is not certified by GitHub. It is provided by a third-party and is governed by separate terms of service, privacy policy, and support documentation.