Skip to content

Dependabot with auto-merge

Dependabot is a security tool offered by GitHub. Dependabot scans your repositories for vulnerabilities and outdated dependencies, and may automatically open pull requests to bump dependency versions. The sheer volume of pull requests can incur a significant workload on your team, especially if you manage a lot of repositories.

By completing this guide, Dependabot will automatically fix your insecure or outdated dependencies, and the changes will automatically get merged into your main branch.


Enable Dependabot

The contents of this file will depend on your project requirements. Do not use this file as-is. Please see dependabot.yaml configuration syntax for detailed instructions on how to configure Dependabot.


version: 2
  - die: &I didn't edit my config file
  - package-ecosystem: "github-actions"
    directory: "/"
      interval: "daily"
      time: "10:05"
      timezone: "Europe/Oslo"
  - package-ecosystem: "docker"
    directory: "/"
      interval: "daily"
      time: "10:05"
      timezone: "Europe/Oslo"

GitHub workflow for auto-merging Dependabot pull requests

This workflow will trigger when dependabot opens a pull request. All minor and patch-level changes are automatically merged. Major version bumps needs manual merging. Additionally, all GitHub Actions workflow version bumps will be merged automatically, even if they are major bumps.

See also Automating Dependabot with GitHub Actions.


name: Dependabot auto-merge
on: pull_request

  contents: write
  pull-requests: write

    runs-on: ubuntu-latest
    if: ${{ == 'dependabot[bot]' }}
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v1
          github-token: "${{ secrets.GITHUB_TOKEN }}"
      - name: Auto-merge changes from Dependabot
        if: steps.metadata.outputs.update-type != 'version-update:semver-major' || steps.metadata.outputs.package-ecosystem == 'github_actions'
        run: gh pr merge --auto --squash "$PR_URL"
          PR_URL: ${{github.event.pull_request.html_url}}
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}

Enable branch protection and auto-merge on repository

Change working directory to your git repository, then run this script. Otherwise, the workflow above might not work as expected.

If you prefer, you can instead use GitHub's web frontend to configure auto-merge and branch protection. See GitHub docs for enable auto-merge and branch protection rules.

# adapted from

# Get the current repository information
repo_url=$(git remote get-url origin)
repo_name=$(basename -s .git "$repo_url")
owner=$(echo "$repo_url" | awk -F"(/|:)" '{print $2}')

# Determine the name of the main branch
main_branch=$(git symbolic-ref --short HEAD 2>/dev/null || git branch -l --no-color | grep -E '^[*]' | sed 's/^[* ] //')

# Configure branch protection, and require tests to pass before merging.
# Match the list of checks up against repository workflows.
echo '{ "required_status_checks": { "strict": true, "checks": [ { "context": "test" } ] }, "enforce_admins": false, "required_pull_request_reviews": null, "required_conversation_resolution": true, "restrictions": null }' | \
gh api repos/"$owner"/"$repo_name"/branches/"$main_branch"/protection \
  --method PUT \
  --silent \
  --header "Accept: application/vnd.github.v3+json" \
  --input -

# Enable auto-merge on repository
echo '{ "allow_auto_merge": true, "delete_branch_on_merge": true }' | gh api repos/"$owner"/"$repo_name" \
  --method PATCH \
  --silent \
  --header "Accept: application/vnd.github.v3+json" \
  --input -

if [ $? -eq 0 ]; then
  echo "Branch protection configured for $owner/$repo_name on branch $main_branch"
  echo "Failed to configure branch protection for $owner/$repo_name on branch $main_branch"