
GitHub Action: Dependabot Auto Merge

Automatically merge Dependabot PRs when version comparison is within range.


Note: Dependabot will wait until all your status checks pass before merging. This is a function of Dependabot itself, and not this Action.

Usage

name: auto-merge

on:
  pull_request:

jobs:
  auto-merge:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: ahmadnassri/action-dependabot-auto-merge@v2
        with:
          target: minor
          github-token: ${{ secrets.mytoken }}

The action will only merge PRs whose checks (CI/CD) pass.

Examples

Minimal setup:

steps:
  - uses: ahmadnassri/action-dependabot-auto-merge@v2
    with:
      github-token: ${{ secrets.mytoken }}

Only merge if the changed dependency version is a patch (default behavior):

steps:
  - uses: ahmadnassri/action-dependabot-auto-merge@v2
    with:
      target: patch
      github-token: ${{ secrets.mytoken }}

Only merge if the changed dependency version is a minor:

steps:
  - uses: ahmadnassri/action-dependabot-auto-merge@v2
    with:
      target: minor
      github-token: ${{ secrets.mytoken }}

Using a configuration file:

.github/workflows/auto-merge.yml
steps:
  - uses: actions/checkout@v2
  - uses: ahmadnassri/action-dependabot-auto-merge@v2
    with:
      github-token: ${{ secrets.mytoken }}
.github/auto-merge.yml
- match:
    dependency_type: all
    update_type: "semver:minor" # includes patch updates!

Inputs

| input | required | default | description |
|---|---|---|---|
| github-token | | github.token | The GitHub token used to merge the pull-request |
| config | | .github/auto-merge.yml | Path to configuration file (relative to root) |
| target | | patch | The version comparison target (major, minor, patch) |
| command | | merge | The command to pass to Dependabot |
| botName | | dependabot | The bot to tag in approve/comment message |
| approve | | true | Auto-approve pull-requests |

Token Scope

The GitHub token is a Personal Access Token with the following scopes:

The token MUST be created from a user with push permission to the repository. Because this token can push to and merge into the repository, store it as an encrypted repository secret (secrets.mytoken in the examples above) rather than in the workflow file, and issue it from an account whose access is limited to the repositories that need auto-merging.

See the GitHub reference for user-owned repos and for org-owned repos.

Configuration file syntax

Using the configuration file (specified with the config input), you can provide a more fine-grained configuration. The following example configuration file merges minor (and patch) updates to aws-sdk, minor (and patch) updates to development dependencies, security updates up to minor for production dependencies, and patch updates for all other production dependencies:

- match:
    dependency_name: aws-sdk
    update_type: semver:minor

- match:
    dependency_type: development
    update_type: semver:minor # includes patch updates!

- match:
    dependency_type: production
    update_type: security:minor # includes patch updates!

- match:
    dependency_type: production
    update_type: semver:patch

Match Properties

| property | required | supported values |
|---|---|---|
| dependency_name | | full name of dependency, or a regex string |
| dependency_type | | all, production, development |
| update_type | | all, security:*, semver:* |

update_type can specify a security match or a semver match with the syntax ${type}:${match}, e.g. semver:patch, semver:minor or security:minor. A match value covers everything below it, so semver:minor also merges patch updates.

To allow prereleases, the corresponding prepatch, preminor and premajor match values are also supported.

Defaults

By default, if no configuration file is present in the repo, the action will assume the following:

- match:
    dependency_type: all
    update_type: semver:${TARGET}

Where $TARGET is the target value from the action Inputs

The syntax is based on the legacy Dependabot v1 config format. However, in_range is not supported yet.

Exceptions and Edge Cases

1. Parsing of version ranges is not currently supported, e.g. PR titles such as:

   Update stone requirement from ==1.* to ==3.*
   requirements: update sphinx-autodoc-typehints requirement from <=1.11.0 to <1.12.0
   Update rake requirement from ~> 10.4 to ~> 13.0

2. Parsing of non-semver version numbers is not currently supported, e.g.:

   Bump actions/cache from v2.0 to v2.1.2
   chore(deps): bump docker/build-push-action from v1 to v2

3. Sometimes Dependabot does not include the "from" version, so version comparison is impossible, e.g.:

   Update actions/setup-python requirement to v2.1.4
   Update actions/cache requirement to v2.1.2

In all of these cases, if your config is anything other than update_type: all or update_type: semver:all, the action falls back to manual merge (the PR is left for a human to review and merge), since there is no way to compare the versions.
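To make the match rules and the edge cases above concrete, here is an added example in JavaScript (not the action's own code): it pulls the "from X to Y" part out of a Dependabot PR title, classifies the update as patch/minor/major (or the pre* variants), and evaluates a config of match rules like the one shown under Configuration file syntax, falling back to manual merge whenever the versions cannot be compared. The function names (parseTitle, updateType, decide), the sample config and PR titles, and a few semantics are assumptions: a security update is recognised by a "security" label, the dependency type (production/development) is supplied by the caller rather than derived from the manifest, and a prerelease update only matches a pre* target.

```javascript
// Added example, not the action's own implementation. Sample data is constructed.
const RANK = { patch: 1, minor: 2, major: 3 };

// Strict semver: x.y.z with an optional prerelease tag. Values such as "v2.0",
// "~> 10.4" or "<=1.11.0" deliberately fail here (see "Exceptions and Edge Cases").
const SEMVER = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/;

function parseSemver(s) {
  const m = SEMVER.exec(String(s).trim());
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null } : null;
}

// Classify an update as major/minor/patch, or premajor/preminor/prepatch when the
// target version carries a prerelease tag. Returns null if either side is not semver.
function updateType(from, to) {
  const a = parseSemver(from), b = parseSemver(to);
  if (!a || !b) return null;
  const level = a.major !== b.major ? 'major' : a.minor !== b.minor ? 'minor' : 'patch';
  return b.pre ? 'pre' + level : level;
}

// Extract dependency name and versions from the titles Dependabot writes, e.g.
// "Bump lodash from 4.17.15 to 4.17.19 in /app" or
// "Update rake requirement from ~> 10.4 to ~> 13.0".
// Titles with no "from" version yield from: null; unrecognised titles yield null.
function parseTitle(title) {
  let m = /\b(?:bump|update) (\S+)(?: requirement)? from (.+?) to (.+?)(?: in \S+)?$/i.exec(title);
  if (m) return { name: m[1], from: m[2], to: m[3] };
  m = /\b(?:bump|update) (\S+)(?: requirement)? to (.+?)(?: in \S+)?$/i.exec(title);
  if (m) return { name: m[1], from: null, to: m[2] };
  return null;
}

// dependency_name is either the full dependency name or a regex string.
function nameMatches(pattern, name) {
  if (pattern === name) return true;
  try { return new RegExp(`^(?:${pattern})$`).test(name); } catch (e) { return false; }
}

// "semver:minor" -> ["semver", "minor"]; "all" -> ["all", "all"].
function splitUpdateType(spec) {
  const [kind, target] = String(spec).split(':');
  return target === undefined ? ['all', 'all'] : [kind, target];
}

// Is an update of `level` within `target`? semver:minor covers patch as well.
// Assumption: prerelease updates only match pre* targets, and a pre* target also
// accepts the corresponding stable updates.
function withinTarget(level, target) {
  if (target === 'all') return true;
  const levelPre = level.startsWith('pre'), targetPre = target.startsWith('pre');
  if (levelPre && !targetPre) return false;
  const l = RANK[level.replace(/^pre/, '')], t = RANK[target.replace(/^pre/, '')];
  return l !== undefined && t !== undefined && l <= t;
}

// Decide whether a PR may be auto-merged under a config array of { match: {...} }.
// pr = { title, labels, dependencyType }. The first rule that matches and allows
// the update wins; if none does, the PR is left for manual merge.
function decide(pr, config) {
  const parsed = parseTitle(pr.title);
  if (!parsed) return { merge: false, reason: 'unrecognised PR title, leaving for manual merge' };
  const isSecurity = (pr.labels || []).includes('security'); // assumption: label marks security PRs
  const level = parsed.from === null ? null : updateType(parsed.from, parsed.to);

  for (const { match } of config) {
    if (match.dependency_name && !nameMatches(match.dependency_name, parsed.name)) continue;
    if (match.dependency_type && match.dependency_type !== 'all' && match.dependency_type !== pr.dependencyType) continue;
    const [kind, target] = splitUpdateType(match.update_type);
    if (kind === 'security' && !isSecurity) continue;
    if (target === 'all') return { merge: true, reason: `${match.update_type} matches ${parsed.name}` };
    if (level === null) continue; // ranges, non-semver or missing "from": cannot compare under this rule
    if (withinTarget(level, target)) return { merge: true, reason: `${level} update within ${match.update_type}` };
  }
  return {
    merge: false,
    reason: level === null ? 'cannot compare versions, leaving for manual merge' : `${level} update not covered by any rule`,
  };
}

// The example config from "Configuration file syntax", as a JS structure.
const SAMPLE_CONFIG = [
  { match: { dependency_name: 'aws-sdk', update_type: 'semver:minor' } },
  { match: { dependency_type: 'development', update_type: 'semver:minor' } },
  { match: { dependency_type: 'production', update_type: 'security:minor' } },
  { match: { dependency_type: 'production', update_type: 'semver:patch' } },
];

// Constructed sample PRs, including two of the unparseable titles quoted above.
const SAMPLE_PRS = [
  { title: 'Bump aws-sdk from 2.800.0 to 2.850.0', labels: [], dependencyType: 'production' },
  { title: 'Bump express from 4.17.1 to 4.18.0', labels: ['security'], dependencyType: 'production' },
  { title: 'Update rake requirement from ~> 10.4 to ~> 13.0', labels: [], dependencyType: 'development' },
  { title: 'Update actions/cache requirement to v2.1.2', labels: [], dependencyType: 'production' },
];
for (const pr of SAMPLE_PRS) console.log(pr.title, '->', decide(pr, SAMPLE_CONFIG));
```

Running the block prints one decision per sample PR: the aws-sdk minor bump and the security-labelled express minor bump merge, while the rake range update and the actions/cache title without a "from" version are left for manual merge under this config; only a rule with update_type: all (or semver:all) would merge those last two.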


Author: Ahmad Nassri • Twitter: @AhmadNassri