Nick Taylor

Posted on • Originally published at nickyt.co

Let Dependabot Merge Its Own PRs

Dependabot opens PRs automatically. That part most people have set up. But then those PRs just sit there until you get around to reviewing and merging them. I had 6 open across one of my repos recently. None of them were risky. I just didn't feel like reviewing, approving, and then merging each one.

If your CI passes and the update is a patch or minor version bump, there's not much to review. You're going to merge it. So why not let it happen automatically?

I've added this to two repos now and it's one of those small things that quietly removes friction from your day.

First, enable auto-merge on your repo

Before the workflow can do anything, you need to allow auto-merge in your repository settings. Go to your repository settings (e.g. https://github.com/yourorg-username/your-repo/settings/actions), scroll down to the Pull Requests section, and check Allow auto-merge.

[Screenshot: Allow auto-merge in the repository's Pull Requests settings]

This isn't Dependabot-specific, but it is required for this to work. Without it, the gh pr merge --auto command in the workflow will fail. In fact this is what I do to automate using dev.to as a headless CMS for my blog!

The workflow

Create .github/workflows/auto-merge-dependabot.yml in your repo:

name: Auto-merge Dependabot PRs

on: pull_request

permissions:
  contents: write
  pull-requests: write

jobs:
  auto-merge:
    runs-on: ubuntu-latest
    if: github.actor == 'dependabot[bot]'
    steps:
      - name: Approve PR
        run: gh pr review --approve "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Enable auto-merge
        run: gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

The if: github.actor == 'dependabot[bot]' condition makes sure this only runs on Dependabot PRs, not every PR that comes in.

The two steps do exactly what they say: approve the PR, then enable auto-merge with squash. GitHub handles the actual merge once all your required checks pass.

Here's an example of it not auto-merging after auto-approval because checks failed.

chore(deps-dev): bump eslint from 9.39.2 to 10.0.3 #809

Bumps eslint from 9.39.2 to 10.0.3.

Note: GITHUB_TOKEN is automatically available in every GitHub Actions workflow, no setup needed on your end.

What it looks like

Once it's set up and a Dependabot PR comes in, you'll see the github-actions bot approve the PR and enable auto-merge. The PR then waits for your required checks to complete and merges itself when everything is green.

[Screenshot: the github-actions bot approving a Dependabot PR]

A note on safety

This setup is only as safe as your CI. If you don't have required checks configured, the PR can auto-merge the moment the workflow approves it. At a minimum you want a build check required, and tests if you have them. Branch protection rules still apply. If a required check fails, the PR won't merge. The workflow isn't bypassing anything, it's just handling the approval and queuing up the merge for you.

Being more selective

This workflow approves and enables auto-merge on every Dependabot PR regardless of whether it's a patch, minor, or major update. If you want to be more selective, you can use the dependabot/fetch-metadata action to check the update type and only proceed for patch and minor updates. The GitHub docs on automating Dependabot cover that in more detail.

If you want to see a PR that went through this whole flow check out the PR below.

chore(deps): bump rollup from 4.54.0 to 4.59.0 #790

Bumps rollup from 4.54.0 to 4.59.0.

This has taken a whole category of busywork off my plate for my personal site and my Clawspace project.

nickytonline / nickytdotco: Source code for my web site nickyt.co
nickytonline / clawspace: Clawspace is a browser-based file explorer/editor for an OpenClaw workspace.
For work projects there would probably be some pushback on this, but if you have a really great CI/CD pipeline with checks, definitely consider doing this, or at least have a discussion with your team.

If you want to stay in touch, all my socials are on nickyt.online.

Until the next one!

Top comments (5)

chengkai (wilddog64) • Edited

Good pattern. One gap worth calling out: Dependabot PRs that bump GitHub Actions
themselves are different from dependency updates — CI passing doesn't validate that the
action change is safe, it just means your tests still run. I scope auto-merge to
update-type: semver:patch for Actions and manually review minor/major bumps.

Also pair this with dependabot.yml grouping. Without it you get 15 individual PRs on
Monday morning — I've seen the same pattern with AI agents that aren't scoped properly:
lots of small uncoordinated commits that each look fine individually but create a mess
to untangle. Grouping is the fix in both cases.
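Example of the dependabot.yml grouping mentioned above (added here; it is not from the post or the commenter), assuming an npm project at the repository root that also has GitHub Actions workflows:

```yaml
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      # All patch and minor npm bumps land in a single PR;
      # major bumps are not matched and still get their own PR.
      npm-minor-and-patch:
        applies-to: version-updates
        update-types:
          - "minor"
          - "patch"

  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      # Only patch bumps of actions are batched; minor and major
      # action bumps arrive individually for manual review.
      actions-patch:
        applies-to: version-updates
        update-types:
          - "patch"
```

One grouped PR still goes through the same approve and auto-merge workflow, so you get one merge instead of six.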

Swift (theycallmeswift)

Bias to action over busywork. 🔥

klement Gunndu (klement_gunndu)

Neat setup. Worth noting you can scope it further with a Dependabot grouping config — batch all patch bumps into one PR so you get one auto-merge instead of six.

Nick Taylor (nickytonline)

Thanks for reading! I didn't go into that as that's more Dependabot specific settings, but it is a good point. 😎

vandana.platform (vandana_platform)

This is a great approach to removing friction from dependency updates.

One thing I've been thinking about while designing CI/CD platform systems is how much operational overhead comes from manual review steps that don't actually add much value for low-risk updates like patch bumps.

Automating Dependabot merges when CI passes seems like a good example of turning CI/CD pipelines into more self-operating systems rather than manual approval chains.

Curious if you've experimented with restricting auto-merge only to patch updates while requiring manual review for minor or major version bumps.