GitHub Action
Dependabot Auto Merge
Automatically merge Dependabot PRs when version comparison is within range.
Note: Dependabot will wait until all your status checks pass before merging. This is a function of Dependabot itself, and not this Action.
name: auto-merge
on:
pull_request:
jobs:
auto-merge:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: ahmadnassri/action-dependabot-auto-merge@v2
with:
target: minor
github-token: ${{ secrets.mytoken }}The action will only merge PRs whose checks (CI/CD) pass.
Minimal setup:
steps:
- uses: ahmadnassri/action-dependabot-auto-merge@v2
with:
github-token: ${{ secrets.mytoken }}Only merge if the changed dependency version is a patch (default behavior):
steps:
- uses: ahmadnassri/action-dependabot-auto-merge@v2
with:
target: patch
github-token: ${{ secrets.mytoken }}Only merge if the changed dependency version is a minor:
steps:
- uses: ahmadnassri/action-dependabot-auto-merge@v2
with:
target: minor
github-token: ${{ secrets.mytoken }}Using a configuration file:
steps:
- uses: actions/checkout@v2
- uses: ahmadnassri/action-dependabot-auto-merge@v2
with:
github-token: ${{ secrets.mytoken }}- match:
dependency_type: all
update_type: "semver:minor" # includes patch updates!| input | required | default | description |
|---|---|---|---|
github-token |
✔ | github.token |
The GitHub token used to merge the pull-request |
target |
❌ | patch |
The version comparison target (major, minor, patch) |
command |
❌ | merge |
The command to pass to Dependabot |
approve |
❌ | true |
Auto-approve pull-requests |
The GitHub token is a Personal Access Token with the following scopes:
repofor private repositoriespublic_repofor public repositories
The token MUST be created from a user with push permission to the repository.
ℹ see reference for user owned repos and for org owned repos
Using the configuration file .github/auto-merge.yml, you have the option to provide a more fine-grained configuration. The following example configuration file merges
- minor updates for
aws-sdk - minor development dependency updates
- patch production dependency updates
- minor security-critical production dependency updates
- match:
dependency_name: aws-sdk
update_type: semver:minor
- match:
dependency_type: development
update_type: semver:minor # includes patch updates!
- match:
dependency_type: production
update_type: security:minor # includes patch updates!
- match:
dependency_type: production
update_type: semver:patch| property | required | supported values |
|---|---|---|
dependency_name |
❌ | full name of dependency, or a regex string |
dependency_type |
❌ | all, production, development |
update_type |
✔ | all, security:*, semver:* |
update_typecan specify security match or semver match with the syntax:${type}:${match}, e.g.
security:patch
SemVer patch update that fixes a known security vulnerabilitysemver:patch
SemVer patch update, e.g. > 1.x && 1.0.1 to 1.0.3semver:minor
SemVer minor update, e.g. > 1.x && 2.1.4 to 2.3.1To allow
prereleases, the correspondingprepatch,preminorandpremajortypes are also supported
By default, if no configuration file is present in the repo, the action will assume the following:
- match:
dependency_type: all
update_type: semver:${TARGET}Where
$TARGETis thetargetvalue from the action Inputs
The syntax is based on the legacy dependaBot v1 config format.
However, in_range is not supported yet.