Github Action Merge Dependabot

This action automatically approves and merges dependabot PRs.

Usage

Configure this action in your workflows providing the inputs described below. Note that this action requires a GitHub token with additional permissions. You must use the permissions tag to specify the required rules or configure your GitHub account.

The permissions required are:

pull-requests: it is needed to approve PRs.
contents: it is necessary to merge the pull request. You don't need it if you set approve-only: true, see Approving without merging example below.

If some of the required permissions are missing, the action will fail with the error message:

Error: Resource not accessible by integration

Inputs

input	required	default	description
`github-token`	No	`${{github.token}}`	A GitHub token.
`exclude`	No		A comma or semicolon separated value of packages that you don't want to auto-merge and would like to manually review to decide whether to upgrade or not.
`approve-only`	No	`false`	If `true`, the PR is only approved but not merged.
`merge-method`	No	`squash`	The merge method you would like to use (squash, merge, rebase).
`merge-comment`	No	`''`	An arbitrary message that you'd like to comment on the PR after it gets auto-merged. This is only useful when you're receiving too much of noise in email and would like to filter mails for PRs that got automatically merged.
`use-github-auto-merge`	No	`false`	If `true`, the PR is marked as auto-merge and will be merged by GitHub when status checks are satisfied. NOTE: This feature only works when all of the following conditions are met. - The repository enables auto-merge. - The pull request base must have a branch protection rule. - The pull request's status checks are not yet satisfied. Refer to the official document about GitHub auto-merge.
`target`	No	`any`	A flag to only auto-merge updates based on Semantic Versioning. Possible options are: `major, premajor, minor, preminor, patch, prepatch, prerelease, any`. The value of this flag allows for updates for all the matching versions and lower with the respect for priority. This means, for example, if the `target` is set to `major` and the update is made to `minor` version the auto-merge will be triggered. For more details on how semantic version difference is calculated please see semver package. If you set a value other than `any`, PRs that are not semantic version compliant are skipped. An example of a non-semantic version is a commit hash when using git submodules.
`target-development`	No		Same as `target` but specifies semver for `development` dependencies only. If present, then it overrides the value in `target` for `development` dependencies.
`target-production`	No		Same as `target` but specifies semver for `production` dependencies only. If present, then it overrides the value in `target` for `production` dependencies.
`target-indirect`	No		Same as `target` but specifies semver for indirect dependency updates only. If present, then it overrides the value in `target` for indirect dependency updates.
`pr-number`	No		A pull request number, only required if triggered from a workflow_dispatch event. Typically this would be triggered by a script running in a separate CI provider. See Trigger action from workflow_dispatch event example.
`skip-commit-verification`	No	`false`	If `true`, then the action will not expect the commits to have a verification signature. It is required to set this to `true` in GitHub Enterprise Server.
`skip-verification`	No	`false`	If true, the action will not validate the user or the commit verification status

Output

outputs	Description
merge_status	The result status of the merge. It can be one of the following: `approved`, `merged`, `auto_merge`, `merge_failed`, `skipped:commit_verification_failed`, `skipped:not_a_dependabot_pr`, `skipped:cannot_update_major`, `skipped:bump_higher_than_target`, `skipped:packaged_excluded`

Examples

Basic example

name: CI
on:
  push:
    branches:
      - main
  pull_request:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # ...

  automerge:
    needs: build
    runs-on: ubuntu-latest

    permissions:
      pull-requests: write
      contents: write

    steps:
      - uses: fastify/github-action-merge-dependabot@v3

Excluding packages

permissions:
  pull-requests: write
  contents: write

steps:
  - uses: fastify/github-action-merge-dependabot@v3
    with:
      exclude: 'react,fastify'

Approving without merging

permissions:
  pull-requests: write
steps:
  - uses: fastify/github-action-merge-dependabot@v3
    with:
      approve-only: true

Specifying target versions

Specifying target for all packages

steps:
  - uses: fastify/github-action-merge-dependabot@v3
    with:
      target: 'minor'

Specifying target for development and production packages separately

steps:
  - uses: fastify/github-action-merge-dependabot@v3
    with:
      target-development: 'major'
      target-production: 'minor'

Trigger action from workflow_dispatch event

If you need to trigger this action manually, you can use the workflow_dispatch event. A use case might be that your CI runs on a seperate provider, so you would like to run this action as a result of a successful CI run.

When using the workflow_dispatch approach, you will need to send the PR number as part of the input for this action:

name: automerge

on:
  workflow_dispatch:
    inputs:
      pr-number:
        required: true

jobs:
  automerge:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
      contents: write
    steps:
      - uses: fastify/github-action-merge-dependabot@v3
        with:
          pr-number: ${{ github.event.inputs.pr-number }}

You can initiate a call to trigger this event via API:

# Note: replace dynamic values with your relevant data
curl -X POST \
  -H "Accept: application/vnd.github.v3+json" \
  -H "Authorization: token {token}" \
  https://api.github.com/repos/{owner}/{reponame}/actions/workflows/{workflow}/dispatches \
  -d '{"ref":"{ref}", "inputs":{ "pr-number": "{number}"}}'

How to upgrade from `2.x` to new `3.x`

Update the action version.
Add the new permissions configuration into your workflow or, instead, you can set the permissions rules on the repository or on the organization.
Uninstall the dependabot-merge-action GitHub App from your repos/orgs.
If you have customized the api-url you can:
- Remove the api-url option from your workflow.
- Turn off the dependabot-merge-action-app application.

Migration example:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # ...

  automerge:
    needs: build
    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+      contents: write
    steps:
-     - uses: fastify/[email protected]
+     - uses: fastify/github-action-merge-dependabot@v3

Notes

A GitHub token is automatically provided by Github Actions, which can be accessed using github.token. If you want to provide a token that's not the default one you can used the github-token input.
Make sure to use needs: <jobs> to delay the auto-merging until CI checks (test/build) are passed.
If you want to use GitHub's auto-merge feature but still use this action to approve Pull Requests without merging, use approve-only: true.

Acknowledgements

This project is kindly sponsored by NearForm

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

GitHub Action

Github Action Merge Dependabot