DEV Community

hidev

Automatically Merge Dependabot Patch Updates with GitHub Actions

Introduction

Dependabot automatically detects dependency updates and creates pull requests, but manually merging each one can be tedious.

Patch updates (bug fixes and security fixes that, by semver convention, change no public API) typically have limited impact, making them the best candidates for automatic merging.

This article explains how to implement a GitHub Actions workflow that automatically merges Dependabot patch updates.

Workflow Overview

The following workflow automatically merges only patch updates (version-update:semver-patch) from Dependabot pull requests:

name: Dependabot auto-merge

on:
  pull_request_target:
    types:
      - opened
      - synchronize
      - reopened
      - ready_for_review

permissions: {}

defaults:
  run:
    shell: bash

jobs:
  dependabot:
    runs-on: ubuntu-24.04
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    permissions:
      contents: write
      pull-requests: write
    steps:
      - name: Fetch Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Auto-merge Dependabot patch updates
        if: steps.metadata.outputs.update-type == 'version-update:semver-patch'
        run: gh pr merge --merge --auto "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Detailed Explanation of Each Step

Trigger Configuration

on:
  pull_request_target:
    types:
      - opened
      - synchronize
      - reopened
      - ready_for_review
  • pull_request_target: Unlike pull_request, this event runs the workflow file from the base branch (the branch the pull request targets) and in that branch's context, with a GITHUB_TOKEN that can be granted write permissions and with access to repository secrets, even for pull requests opened from forks. That is what lets the job call gh pr merge. The flip side is that any code taken from the pull request head and executed here would run with those privileges; this workflow deliberately checks nothing out and only reads pull request metadata, which is what keeps the trigger safe to use.
  • opened: When a pull request is created
  • synchronize: When new commits are pushed to the pull request
  • reopened: When a closed pull request is reopened
  • ready_for_review: When a draft pull request becomes ready for review
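The pull_request_target caveat is easiest to see side by side. The two workflow fragments below are an added example written for this article, not code from the original post or from Dependabot: the first is the pattern that turns the trigger into a privilege escalation, the second is the companion read-only CI workflow that, together with the metadata-only job shown above, forms the safe split. The workflow names and the npm ci && npm test build step are illustrative assumptions; actions/checkout@v4 and the event names are real.

```yaml
# Added example (not from the original article): what NOT to do with
# pull_request_target, followed by the safe companion workflow.
#
# UNSAFE: checks out the pull request head and executes its code while the
# job holds a write-capable token and secrets. A pull request that edits
# package.json (for example a "postinstall" script) would run its code with
# those privileges, so anyone able to open a PR can take over the repository.
name: unsafe-pr-build        # hypothetical name
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-24.04
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # attacker-controlled tree
      - run: npm ci && npm test                            # executed with write access
---
# SAFE split: building and testing the pull request happens in a separate
# workflow on the ordinary pull_request event with a read-only token and no
# repository secrets for fork PRs. The article's pull_request_target job never
# checks out code; it only enables auto-merge, which then waits for this
# check once you make it a required status check on the protected branch.
name: ci                     # hypothetical name
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v4          # checks out the PR merge commit
      - run: npm ci && npm test            # PR code runs without write access
```

The rule of thumb this encodes: a job that holds write permissions or secrets under pull_request_target must never run anything that came from the pull request, and anything that must run pull request code belongs in a pull_request workflow whose result the privileged job merely waits for.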

Job Condition

if: github.event.pull_request.user.login == 'dependabot[bot]'

This condition ensures the job only runs for pull requests whose author is Dependabot. It prevents accidental automatic merging of pull requests created by other users. Note that user.login is the pull request author, not whoever pushed the most recent commit; the fetch-metadata step adds a second line of defence, since by default it verifies that the pull request and its commits come from Dependabot and fails otherwise, and --auto still defers the merge until the branch protection rules are satisfied.

Permission Settings

permissions:
  contents: write
  pull-requests: write
The top-level permissions: {} removes every default permission from the GITHUB_TOKEN, so any other job in this workflow starts with no access; only the dependabot job is granted the two scopes it needs:
  • contents: write: Lets the token merge the pull request into the base branch
  • pull-requests: write: Lets the token enable auto-merge on the pull request (gh pr merge --auto)
Because pull_request_target grants these scopes for pull requests from forks as well, the job keeps them to this minimum and never executes code taken from the pull request.

Step 1: Fetch Dependabot Metadata

- name: Fetch Dependabot metadata
  id: metadata
  uses: dependabot/fetch-metadata@v2
  with:
    github-token: ${{ secrets.GITHUB_TOKEN }}

The dependabot/fetch-metadata@v2 action reads the metadata Dependabot embeds in its pull request and exposes it as step outputs, including:

  • update-type: Type of update (version-update:semver-patch, version-update:semver-minor, or version-update:semver-major)
  • dependency-names: Comma-separated names of the dependencies being updated
  • dependency-type: Whether the dependency is direct:production, direct:development, or indirect
  • directory: Directory where the update occurred

The github-token input is used for the API lookup of the pull request. The action fails instead of emitting outputs if the pull request was not created by Dependabot, so later steps can trust these values.

Step 2: Auto-merge Patch Updates

- name: Auto-merge Dependabot patch updates
  if: steps.metadata.outputs.update-type == 'version-update:semver-patch'
  run: gh pr merge --merge --auto "$PR_URL"
  env:
    PR_URL: ${{ github.event.pull_request.html_url }}
    GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  • if condition: Only executes when the update type is a patch update (version-update:semver-patch); minor and major updates are left for human review
  • gh pr merge --merge --auto: Uses GitHub CLI, authenticated through GH_TOKEN, to enable auto-merge on the pull request
    • --merge: Creates a merge commit (use --squash or --rebase if your branch rules require those strategies)
    • --auto: Does not merge on the spot; it turns on GitHub's auto-merge for the pull request, so the merge happens once every required status check and review demanded by branch protection has passed, and gh merges immediately if nothing is pending. The command fails unless "Allow auto-merge" is enabled in the repository settings

Setup Instructions

1. Create the Workflow File

Save the workflow above in .github/workflows/dependabot-auto-merge.yml.

2. Verify Dependabot Configuration

Ensure Dependabot version updates are configured in .github/dependabot.yml (or Dependabot security updates are enabled in your repository settings); otherwise there are no pull requests for the workflow to act on.

3. Enable Auto-merge and Branch Protection

gh pr merge --auto requires "Allow auto-merge" to be turned on in the repository settings. Protect the base branch with required status checks (your CI workflow) so that --auto actually waits for them; without required checks there is nothing for the merge to wait on, and it happens as soon as the job runs.

Notes and Best Practices

Why Only Auto-merge Patch Updates?

  • Patch updates (1.0.0 → 1.0.1): Bug fixes and security patches. By semver convention they contain no API changes, so they are the lowest-risk candidates for auto-merging, provided CI still has to pass
  • Minor updates (1.0.0 → 1.1.0): New features added in a backwards-compatible way. May have broader impact, so review is recommended
  • Major updates (1.0.0 → 2.0.0): Likely to contain breaking changes. Manual review is essential

Semver is a convention, not a guarantee: a maintainer can mislabel a breaking change, and a compromised publishing account can ship malicious code in a patch release. Auto-merging shortens the window in which a human would notice, so keep a lockfile committed, require CI on the protected branch, and consider excluding dependencies you consider critical from the automatic path.

Conclusion

By implementing this workflow, you can automatically merge Dependabot patch updates and quickly apply security patches and bug fixes. Patch updates should not contain breaking changes, which makes them the safest category for automatic merging, as long as the merge still waits for your CI.

However, adjust the auto-merge conditions to your project's characteristics and team policies. For critical dependencies, require manual review or add further checks; the fetch-metadata outputs (dependency-names, dependency-type) give you what you need to express such rules in the workflow itself.
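As an added example of that customization (not part of the original article), here is a variant of the workflow that also auto-merges minor updates of development dependencies while refusing to touch a deny-list of critical packages. The CRITICAL_DEPS variable and the package names in it are hypothetical placeholders you would replace with your own; update-type, dependency-type and dependency-names are real fetch-metadata outputs, and the step passes them through env rather than interpolating them into the script so that their contents are never parsed as shell.

```yaml
# Added example (not from the original article): a policy step between
# fetch-metadata and gh pr merge that decides whether this PR may be
# auto-merged. Policy: patch updates of anything, minor updates only of
# development dependencies, and nothing that touches a critical package.
name: Dependabot auto-merge (custom policy)

on:
  pull_request_target:
    types: [opened, synchronize, reopened, ready_for_review]

permissions: {}

defaults:
  run:
    shell: bash

jobs:
  dependabot:
    runs-on: ubuntu-24.04
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    permissions:
      contents: write
      pull-requests: write
    env:
      # Hypothetical deny-list: these always get a human review.
      CRITICAL_DEPS: "openssl,jsonwebtoken,passport"
    steps:
      - name: Fetch Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Decide whether this PR may be auto-merged
        id: policy
        env:
          UPDATE_TYPE: ${{ steps.metadata.outputs.update-type }}
          DEPENDENCY_TYPE: ${{ steps.metadata.outputs.dependency-type }}
          DEPENDENCY_NAMES: ${{ steps.metadata.outputs.dependency-names }}
        run: |
          allow=false
          case "$UPDATE_TYPE" in
            version-update:semver-patch)
              allow=true ;;
            version-update:semver-minor)
              # Minor bumps are accepted only for dev dependencies (test
              # tooling, linters), never for code that ships to production.
              if [ "$DEPENDENCY_TYPE" = "direct:development" ]; then
                allow=true
              fi ;;
          esac
          # dependency-names is comma-separated; a grouped PR can list several.
          IFS=',' read -ra names <<< "$DEPENDENCY_NAMES"
          for name in "${names[@]}"; do
            name="${name// /}"
            case ",$CRITICAL_DEPS," in
              *",$name,"*)
                echo "::notice::$name is on the critical list, leaving PR for review"
                allow=false ;;
            esac
          done
          echo "allow=$allow" >> "$GITHUB_OUTPUT"

      - name: Enable auto-merge
        if: steps.policy.outputs.allow == 'true'
        run: gh pr merge --merge --auto "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

The policy step still executes nothing from the pull request; it only inspects strings produced by fetch-metadata, so the pull_request_target trigger remains safe. Because --auto is used, a matching pull request is still held until the required checks on the protected branch pass.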
