dependabot-merge-action-app

Fastify application to automatically approve and merge Dependabot pull requests.

Usage

Overview

This application is a companion to the GitHub action github-action-merge-dependabot.

When used in a GitHub workflow, the action invokes this application to delegate approval and merging of the pull request.

The reason an external application is needed is that, since GitHub changed the permissions of workflows triggered by Dependabot:

  1. the GITHUB_TOKEN provided to those workflows has read-only permissions, preventing the action itself from approving and merging the pull request
  2. no other secrets are provided to the workflow even if they are configured in the repository, preventing any alternative approach based on personal access tokens or other stored credentials

How it works

Security

The approach used by this mechanism is secure, with some caveats.

By its very nature this approach cannot be 100% secure, because a read-only permission is turned into a write permission. On the other hand:

Therefore, the worst that can happen is that:

If you make sure that PR merge permissions require:

Then this mechanism can do little to no harm: in the worst case it merges a Dependabot PR you did not intend to merge.
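
The reasoning above (a read-only token is used to prove the caller may read the PR, while all write authority stays with the service) can be made concrete with an authorization gate. The following is an added example written for this page; it is not the project's own code and does not claim to reproduce how the real application validates requests. The `github` client interface (`getPull`, `createReview`, `merge`, loosely modelled on Octokit's REST methods), the handler and function names, the repository `acme/api`, the tokens, user `mallory` and the SHAs are all assumed or constructed so that the block runs offline.

```javascript
// Added example, not the project's own code: an authorization gate between a
// caller holding only a read-only GITHUB_TOKEN and the service's write-capable
// token. Nothing in the request body is trusted; every fact is re-read from
// GitHub with the caller's token and the privileged token is spent only after
// the checks pass. `github` is an assumed interface backed by a constructed stub.

const DEPENDABOT_LOGIN = 'dependabot[bot]';
class RejectedRequest extends Error {}

// Decide whether a request is eligible; returns the pinned head SHA on success.
async function authorizeMerge(github, { owner, repo, pullNumber, callerToken }) {
  let pr;
  try { // 1. Read the PR with the caller's token: no read access, no standing.
    pr = await github.getPull({ owner, repo, pull_number: pullNumber, token: callerToken });
  } catch (err) {
    throw new RejectedRequest(`caller token cannot read ${owner}/${repo}#${pullNumber}`);
  }
  // 2. Only Dependabot-authored PRs are eligible; this check is what stops a
  //    read-only token from getting arbitrary code merged.
  if (pr.user.login !== DEPENDABOT_LOGIN) {
    throw new RejectedRequest(`PR author is ${pr.user.login}, not ${DEPENDABOT_LOGIN}`);
  }
  // 3. The head branch must live in the same repository, not in a fork.
  if (pr.head.repo.full_name !== `${owner}/${repo}`) throw new RejectedRequest('PR head is on a fork');
  // 4. Hand back the exact commit that was checked so the merge is pinned to it.
  return { owner, repo, pullNumber, sha: pr.head.sha };
}

// Spend the service's own token only on an authorized decision; passing the
// checked SHA makes the merge fail if the branch moved after the checks.
async function approveAndMerge(github, serviceToken, { owner, repo, pullNumber, sha }) {
  await github.createReview({ owner, repo, pull_number: pullNumber, event: 'APPROVE', token: serviceToken });
  return github.merge({ owner, repo, pull_number: pullNumber, sha, token: serviceToken });
}

// Framework-agnostic handler (a Fastify POST route would call this); only
// policy rejections become 403s, anything else propagates as a server error.
async function handleMergeRequest(github, serviceToken, body) {
  try {
    const result = await approveAndMerge(github, serviceToken, await authorizeMerge(github, body));
    return { status: 200, body: { merged: result.merged, sha: result.sha } };
  } catch (err) {
    if (err instanceof RejectedRequest) return { status: 403, body: { error: err.message } };
    throw err;
  }
}

// Constructed stand-in for the GitHub API: `tokens` maps a token to the repos
// it may read and whether it may write; `pulls` holds the sample PRs.
function makeStubGithub({ tokens, pulls }) {
  const key = (o, r, n) => `${o}/${r}#${n}`;
  const grant = (t) => tokens[t] || { read: [], write: false };
  const merged = [];
  return {
    merged,
    async getPull({ owner, repo, pull_number, token }) {
      if (!grant(token).read.includes(`${owner}/${repo}`)) throw new Error('401 Bad credentials');
      return pulls[key(owner, repo, pull_number)];
    },
    async createReview({ token }) {
      if (!grant(token).write) throw new Error('403 Resource not accessible');
      return { state: 'APPROVED' };
    },
    async merge({ owner, repo, pull_number, sha, token }) {
      if (!grant(token).write) throw new Error('403 Resource not accessible');
      const pr = pulls[key(owner, repo, pull_number)];
      if (pr.head.sha !== sha) throw new Error('405 Head branch was modified');
      merged.push(key(owner, repo, pull_number));
      return { merged: true, sha };
    },
  };
}

const pull = (number, login, headRepo, sha) =>
  ({ number, state: 'open', user: { login }, head: { sha, repo: { full_name: headRepo } } });

// Constructed sample data: a read-only caller token, a write-capable service
// token, and PRs that exercise the accept path and each rejection path.
function sampleData() {
  return {
    tokens: { 'ro-token': { read: ['acme/api'], write: false },
              'service-token': { read: ['acme/api'], write: true } },
    pulls: { 'acme/api#41': pull(41, DEPENDABOT_LOGIN, 'acme/api', 'a1b2c3'),
             'acme/api#42': pull(42, 'mallory', 'acme/api', 'd4e5f6'),
             'acme/api#43': pull(43, DEPENDABOT_LOGIN, 'mallory/api', '0a0b0c') },
  };
}

// Run the handler over the sample data and return every outcome.
async function runScenarios() {
  const gh = makeStubGithub(sampleData());
  const req = (pullNumber, callerToken) =>
    handleMergeRequest(gh, 'service-token', { owner: 'acme', repo: 'api', pullNumber, callerToken });
  return {
    dependabot: await req(41, 'ro-token'),   // 200: bot-authored, same repo
    human: await req(42, 'ro-token'),        // 403: author is not Dependabot
    fork: await req(43, 'ro-token'),         // 403: head branch lives on a fork
    badToken: await req(41, 'not-a-token'),  // 403: caller cannot even read the PR
    merged: gh.merged,                       // ['acme/api#41']
  };
}

runScenarios().then((r) => console.log(JSON.stringify(r, null, 2))); // prints all outcomes
```

Two properties keep the worst case to "a Dependabot PR merged that you did not intend": the service's token is never used to read anything the caller could not already read with its own token, and the author and head repository are taken from GitHub's response to that read, never from the request body. Pinning the merge to the checked SHA closes the gap between the check and the merge, so a commit pushed to the branch in between is refused rather than merged.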

How to deploy