Automatically Merge Dependabot Patch Updates with GitHub Actions

This content originally appeared on DEV Community and was authored by hidev

Introduction

Dependabot automatically detects dependency updates and creates pull requests, but manually merging each one can be tedious.

Patch updates (security fixes and bug fixes) typically have limited impact, making them safe candidates for automatic merging.

This article explains how to implement a GitHub Actions workflow that automatically merges Dependabot patch updates.

Workflow Overview

The following workflow automatically merges only patch updates (version-update:semver-patch) from Dependabot pull requests:

name: Dependabot auto-merge

on:
  pull_request_target:
    types:
      - opened
      - synchronize
      - reopened
      - ready_for_review

permissions: {}

defaults:
  run:
    shell: bash

jobs:
  dependabot:
    runs-on: ubuntu-24.04
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    permissions:
      contents: write
      pull-requests: write
    steps:
      - name: Fetch Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Auto-merge Dependabot patch updates
        if: steps.metadata.outputs.update-type == 'version-update:semver-patch'
        run: gh pr merge --merge --auto "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Detailed Explanation of Each Step

Trigger Configuration

on:
  pull_request_target:
    types:
      - opened
      - synchronize
      - reopened
      - ready_for_review
  • pull_request_target: Runs in the context of the pull request's base branch (the branch the PR targets, for example main), not the PR's head branch. That is what gives the job a GITHUB_TOKEN that can carry write scopes and access to repository secrets; on the plain pull_request event, runs triggered by Dependabot get a read-only token and no secrets, so they could not merge anything. The trade-off is that any step which checks out and builds or executes the PR's head commit would be running untrusted code with those privileges. This workflow never checks out the PR: it only reads the PR metadata and calls the merge API, and it should be kept that way.
  • opened: When a pull request is created
  • synchronize: When new commits are pushed to the pull request
  • reopened: When a closed pull request is reopened
  • ready_for_review: When a draft pull request becomes ready for review

Job Condition

if: github.event.pull_request.user.login == 'dependabot[bot]'

This condition ensures the job only runs for pull requests created by Dependabot. Since pull_request_target hands out a token with write scopes, this author check is the gate that keeps the privileged job from running on pull requests from anyone else; the [bot] suffix is reserved for GitHub App identities, so a normal user account cannot register that login. Note that the check is on the PR author, not on who pushed the latest commit to the branch, which is one more reason the job must never execute code from the PR branch.

Permission Settings

permissions:
  contents: write
  pull-requests: write
  • contents: write: Write access to repository contents, needed to create the merge commit
  • pull-requests: write: Needed to enable auto-merge on the pull request

The top-level permissions: {} in the workflow sets the default token to no scopes at all, so these two write scopes exist only inside this job and nothing else in the file can use them.

Step 1: Fetch Dependabot Metadata

- name: Fetch Dependabot metadata
  id: metadata
  uses: dependabot/fetch-metadata@v2
  with:
    github-token: ${{ secrets.GITHUB_TOKEN }}

The dependabot/fetch-metadata@v2 action parses the metadata Dependabot embeds in its pull request commit message and exposes it as step outputs, for example:

  • update-type: Type of update (version-update:semver-patch, version-update:semver-minor or version-update:semver-major). For a grouped pull request that bumps several dependencies, this is the highest bump among them
  • dependency-names: Comma-separated names of the dependencies being updated
  • directory: Directory where the update occurred (the location of the manifest)

As with any third-party action used in a privileged job, pinning it to a full commit SHA instead of the @v2 tag protects against the tag being moved to different code.

Step 2: Auto-merge Patch Updates

- name: Auto-merge Dependabot patch updates
  if: steps.metadata.outputs.update-type == 'version-update:semver-patch'
  run: gh pr merge --merge --auto "$PR_URL"
  env:
    PR_URL: ${{ github.event.pull_request.html_url }}
    GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  • if condition: Only executes when the update type is a patch update (version-update:semver-patch); minor and major updates are left open for a human
  • gh pr merge --merge --auto: Uses the GitHub CLI, authenticated with GITHUB_TOKEN, to merge the pull request
    • --merge: Merges with a merge commit (as opposed to --squash or --rebase)
    • --auto: Enables GitHub's auto-merge on the pull request instead of merging immediately, so the merge happens only once the branch protection rules of the target branch (required status checks, required reviews) are satisfied. Two things follow: the repository setting "Allow auto-merge" must be enabled, and if the target branch requires no checks there is nothing to wait for, so this workflow is only as safe as the CI that branch protection requires
  • Because the merge is performed with the repository's GITHUB_TOKEN, the resulting push to the base branch does not trigger other workflows (for example a push-triggered deploy); GitHub suppresses workflow runs for events caused by GITHUB_TOKEN to prevent recursive runs

Setup Instructions

1. Create the Workflow File

Save the workflow above in .github/workflows/dependabot-auto-merge.yml.

2. Verify Dependabot Configuration

Ensure Dependabot version updates are configured in .github/dependabot.yml (or that Dependabot security updates are enabled in the repository's settings), and that "Allow auto-merge" is enabled in the repository's general settings; gh pr merge --auto cannot enable auto-merge without it. With branch protection on the target branch listing the CI checks that must pass, the merge waits on those checks.

Notes and Best Practices

Why Only Auto-merge Patch Updates?

  • Patch updates (1.0.0 → 1.0.1): Bug fixes and security patches. Under semantic versioning these must not contain breaking changes, which makes them reasonable candidates for auto-merge, but that is a promise the upstream maintainer makes, not something GitHub verifies; a 0.y.z package promises nothing at all, and a compromised upstream can publish anything as a patch, so the merge should still be gated on the repository's own tests
  • Minor updates (1.0.0 → 1.1.0): New features added in a backward-compatible way. May have broader impact, so review is recommended
  • Major updates (1.0.0 → 2.0.0): Likely to contain breaking changes. Manual review is essential
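The classification above is what fetch-metadata performs for you. As an added example (not the article's code and not the action's), the following shell script reproduces it for a pair of version strings, using the same update-type labels, and adds the check the list above leaves out: a 0.y.z "patch" carries no semver compatibility promise and is routed to review. Everything in it is constructed for illustration; the version pairs in the demo are not real Dependabot pull requests.

```bash
#!/usr/bin/env bash
# Added example, not from the original article: classify a version bump the
# way the patch / minor / major list above does, using the labels that
# fetch-metadata emits in update-type, and add the check that list leaves
# out: 0.y.z releases, where semver makes no compatibility promise.
# Runs under bash (the workflow's shell) and under POSIX sh.
set -eu

# parse_semver VERSION -> prints "MAJOR MINOR PATCH".
# Tolerates a leading "v" and drops "-prerelease" / "+build" suffixes.
# Returns 1 for anything that is not a valid MAJOR.MINOR.PATCH triple
# (wrong field count, non-digit characters, or leading zeros).
parse_semver() {
  v=${1#v}
  v=${v%%[-+]*}
  case "$v" in
    ''|.*|*.|*..*) return 1 ;;   # empty, or empty field at an edge / inside
  esac
  old_ifs=$IFS
  IFS=.
  set -f            # no pathname expansion while splitting on dots
  set -- $v
  set +f
  IFS=$old_ifs
  [ $# -eq 3 ] || return 1
  for part in "$1" "$2" "$3"; do
    case "$part" in
      ''|*[!0-9]*|0?*) return 1 ;;
    esac
  done
  printf '%s %s %s\n' "$1" "$2" "$3"
}

# classify_bump OLD NEW -> prints one of:
#   version-update:semver-major | version-update:semver-minor |
#   version-update:semver-patch | unchanged | downgrade | invalid
classify_bump() {
  old=$(parse_semver "$1") || { echo invalid; return 0; }
  new=$(parse_semver "$2") || { echo invalid; return 0; }
  set -- $old $new     # $1 $2 $3 = old triple, $4 $5 $6 = new triple
  if   [ "$4" -gt "$1" ]; then echo version-update:semver-major
  elif [ "$4" -lt "$1" ]; then echo downgrade
  elif [ "$5" -gt "$2" ]; then echo version-update:semver-minor
  elif [ "$5" -lt "$2" ]; then echo downgrade
  elif [ "$6" -gt "$3" ]; then echo version-update:semver-patch
  elif [ "$6" -lt "$3" ]; then echo downgrade
  else                         echo unchanged
  fi
}

# safe_to_auto_merge OLD NEW -> exit 0 only for a patch bump on a >= 1.0.0
# line. Everything else, including a 0.y.z "patch", is left for a human:
# before 1.0.0 semver says any release may change anything.
safe_to_auto_merge() {
  [ "$(classify_bump "$1" "$2")" = version-update:semver-patch ] || return 1
  set -- $(parse_semver "$2")
  [ "$1" -ge 1 ]
}

# Stand-alone demo over constructed version pairs (not real Dependabot PRs).
for pair in "1.4.2 1.4.3" "0.9.1 0.9.2" "2.0.0 2.1.0" "1.2.4 1.2.3"; do
  set -- $pair
  if safe_to_auto_merge "$1" "$2"; then verdict=auto-merge; else verdict=review; fi
  printf '%-15s %-28s %s\n' "$1 -> $2" "$(classify_bump "$1" "$2")" "$verdict"
done
```

The downgrade and unchanged cases matter in practice: Dependabot normally only bumps upward, so seeing either from a PR that claims to be a patch update is a signal that something about the PR is not what it appears to be, and a reason to stop rather than merge.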

Conclusion

By implementing this workflow, you can automatically merge Dependabot patch updates and quickly apply security patches and bug fixes. Patch updates should not contain breaking changes, which makes them reasonable candidates for automatic merging as long as the merge still waits on the checks your branch protection requires.

However, we recommend adjusting the auto-merge conditions based on your project's characteristics and team policies. Consider customizing the workflow for critical dependencies by requiring manual reviews or adding additional checks.
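As an added example (not code from the article, and not GitHub's or Dependabot's), the script below is the decision logic the merge step in Step 2 could run in place of the bare gh pr merge, with the critical-dependency exception suggested above built in. It assumes the fetch-metadata outputs are passed in as the UPDATE_TYPE and DEPENDENCY_NAMES environment variables (the mapping is shown in the header comment); the deny-list entries auth-sdk and crypto-core are placeholder names, and the inputs in the demo branch are constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the original article: the decision logic a
# hardened "Auto-merge Dependabot patch updates" step can run instead of a
# bare `gh pr merge`. Inputs arrive as environment variables; in the workflow
# they would be mapped from the fetch-metadata outputs like this:
#   env:
#     UPDATE_TYPE:      ${{ steps.metadata.outputs.update-type }}
#     DEPENDENCY_NAMES: ${{ steps.metadata.outputs.dependency-names }}
#     PR_URL:           ${{ github.event.pull_request.html_url }}
#     GH_TOKEN:         ${{ secrets.GITHUB_TOKEN }}
# Runs under bash (the workflow's shell) and under POSIX sh.
set -eu

# Illustrative deny-list (placeholder names, not real packages): dependencies
# whose patch releases should still get a human review. Override by exporting
# CRITICAL_DEPS as a comma-separated list.
CRITICAL_DEPS=${CRITICAL_DEPS:-auth-sdk,crypto-core}
CRITICAL_DEPS=$(printf '%s' "$CRITICAL_DEPS" | tr -d ' ')

# is_critical NAME -> exit 0 if NAME is on the deny-list (exact match).
is_critical() {
  case ",$CRITICAL_DEPS," in
    *",$1,"*) return 0 ;;
  esac
  return 1
}

# should_auto_merge UPDATE_TYPE DEPENDENCY_NAMES -> exit 0 to merge, 1 to
# skip. DEPENDENCY_NAMES is the comma-separated list fetch-metadata reports;
# for a grouped PR, update-type is the highest bump across the group, so a
# patch verdict already covers every package in it.
should_auto_merge() {
  update_type=$1
  names=$2
  if [ "$update_type" != "version-update:semver-patch" ]; then
    echo "skip: update-type is '$update_type', not version-update:semver-patch"
    return 1
  fi
  old_ifs=$IFS
  IFS=,
  set -f            # no pathname expansion while splitting on commas
  set -- $names
  set +f
  IFS=$old_ifs
  [ $# -gt 0 ] || { echo "skip: no dependency names reported"; return 1; }
  for dep in "$@"; do
    dep=$(printf '%s' "$dep" | tr -d ' ')
    if is_critical "$dep"; then
      echo "skip: '$dep' is on the manual-review list"
      return 1
    fi
  done
  echo "merge: patch update of $names"
  return 0
}

# merge_command PR_URL -> prints the exact gh invocation that will run.
# --auto enables GitHub's auto-merge, so the PR merges only after branch
# protection (required checks, reviews) is satisfied; --merge keeps a merge
# commit rather than squashing or rebasing.
merge_command() {
  printf 'gh pr merge --merge --auto %s\n' "$1"
}

main() {
  if should_auto_merge "${UPDATE_TYPE:-}" "${DEPENDENCY_NAMES:-}"; then
    if [ "${DRY_RUN:-0}" = 1 ]; then
      echo "dry-run: $(merge_command "$PR_URL")"
    else
      gh pr merge --merge --auto "$PR_URL"
    fi
  fi
}

if [ -n "${PR_URL:-}" ]; then
  main                     # inside the workflow step
else
  # Stand-alone demo with constructed inputs; no GitHub API calls are made.
  should_auto_merge version-update:semver-patch "left-pad, is-odd" || true
  should_auto_merge version-update:semver-patch "left-pad, auth-sdk" || true
  should_auto_merge version-update:semver-minor left-pad || true
  echo "would run: $(merge_command https://github.com/example/repo/pull/1)"
fi
```

Wired into the workflow, the step body becomes a run: line invoking this script from the repository (for example ./.github/scripts/dependabot-gate.sh, a path assumed here) together with the env block from the header comment. Keeping the script in the base branch rather than inline in YAML means a change to the merge policy goes through the same review as any other code, and because pull_request_target runs against the base branch, a Dependabot PR cannot alter the gate that judges it.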

Republished by Sciencx on 2025-12-03: https://www.scien.cx/2025/12/03/automatically-merge-dependabot-patch-updates-with-github-actions/