GitHub Action
Github Action Merge Dependabot
This action automatically approves and merges dependabot PRs.
⚠️ UPGRADE NEEDEDVersion v2.0.0 will stop working on 1st August 2021. If you are using version v2.0.0, you must upgrade to the latest version.
- install the GitHub App on the repositories or organization where you want to use this action. Using a GitHub App is necessary since this change GitHub introduced which limits the permissions of the provided GITHUB_TOKEN and the availability of secrets in Dependabot pull requests. The source code of the GitHub App is open source and hosted on Google Cloud Platform. You can also host your own version of the app and customize the
api-url
input to point to your hosted instance. - configure this action in your workflows providing the inputs described below
Required A GitHub token. See below for additional information.
Optional An array of packages that you don't want to auto-merge and would like to manually review to decide whether to upgrade or not.
Optional If true
, the PR is only approved but not merged. Defaults to false
.
Optional The merge method you would like to use (squash, merge, rebase). Default to squash
merge.
Optional An arbitrary message that you'd like to comment on the PR after it gets auto-merged. This is only useful when you're recieving too much of noise in email and would like to filter mails for PRs that got automatically merged.
Optional A custom url where the external API which is delegated the task of approving and merging responds.
Optional A flag to only auto-merge updates based on Semantic Versioning. Default to major
merge. Possible options are:
major, premajor, minor, preminor, patch, prepatch, or prerelease
For more details on how semantic version difference calculated please see semver package
name: CI
on: [push, pull_request]
jobs:
build:
runs-on: ubuntu-latest
steps:
# ...
automerge:
needs: build
runs-on: ubuntu-latest
steps:
- uses: fastify/[email protected]
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
steps:
- uses: fastify/[email protected]
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
exclude: ['react']
steps:
- uses: fastify/[email protected]
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
approve-only: true
- A GitHub token is automatically provided by Github Actions, which can be accessed using
secrets.GITHUB_TOKEN
and supplied to the action as an inputgithub-token
. - Only the GitHub native Dependabot integration is supported, the old Dependabot Preview app isn't.
- Make sure to use
needs: <jobs>
to delay the auto-merging until CI checks (test/build) are passed. - If you want to use GitHub's auto-merge feature but still use this action to approve Pull Requests without merging, use
approve-only: true
.