Auto-merge Dependabot patch/minor PRs via GitHub workflow

Set up a GitHub Actions workflow to auto-approve and merge Dependabot PRs for semver-patch and semver-minor updates after checks pass, reducing security patching overhead while enforcing CI/CD quality.

Core Workflow for Auto-Approval and Merging

Use this GitHub Actions workflow in .github/workflows/dependabot-auto-merge.yml to automatically handle Dependabot PRs:

# .github/workflows/dependabot-auto-merge.yml
name: Dependabot auto-merge

on: pull_request
# Least privilege: the job only needs to approve the PR and queue the merge.
permissions:
  contents: write
  pull-requests: write

jobs:
  dependabot:
    runs-on: ubuntu-latest
    # Only run for PRs opened by Dependabot itself.
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    steps:
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
      - name: Approve Dependabot PR
        run: gh pr review --approve "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Enable auto-merge for Dependabot PRs
        # Gate on the update type: patch and minor only; major bumps stay manual.
        if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor'
        # --auto queues the merge; it completes only after required checks pass.
        run: gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

It triggers on pull requests opened by dependabot[bot], fetches the update metadata, approves the PR with gh pr review --approve, and enables squash auto-merge only when the update type is semver-patch or semver-minor. The merge itself happens only after all required status checks (linting, tests) pass, because auto-merge respects the repo's branch protection rules.
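The update-type gate above is the whole policy, so it is worth seeing the classification spelled out. The following added example (not the page's or Dependabot's own code) reproduces the semver-patch/minor/major decision from a Dependabot PR title of the form "Bump NAME from OLD to NEW"; the title regex, the version parser and the strict_zero_major option are assumptions of this example, and strict_zero_major goes beyond the page by treating minor bumps below 1.0.0 as major, since semver gives no compatibility promise there.

```python
import re

# Values mirror the update-type outputs of dependabot/fetch-metadata used in the workflow.
SEMVER_MAJOR = "version-update:semver-major"
SEMVER_MINOR = "version-update:semver-minor"
SEMVER_PATCH = "version-update:semver-patch"
AUTO_MERGE_TYPES = {SEMVER_PATCH, SEMVER_MINOR}

# Constructed regex for single-dependency Dependabot titles ("Bump foo from 1.2.3 to 1.3.0").
# Group updates ("Bump the npm_and_yarn group with 3 updates") do not match and fall through.
TITLE_RE = re.compile(r"^Bumps? (?P<name>\S+) from v?(?P<old>\S+) to v?(?P<new>\S+)")
# Leading dotted numeric part only; a "-rc1" or "+build" suffix is ignored (assumption).
VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch) with missing parts as 0, or None if not numeric."""
    m = VERSION_RE.match(text)
    if not m:
        return None
    return tuple(int(x) if x is not None else 0 for x in m.groups())


def classify_update(old, new, strict_zero_major=True):
    """Classify old->new the way the workflow's update-type gate expects.

    strict_zero_major is an added policy choice: below 1.0.0 a minor bump may be
    breaking, so it is reported as semver-major and therefore not auto-merged.
    """
    o, n = parse_version(old), parse_version(new)
    if o is None or n is None or n <= o:
        return None  # unparseable, downgrade or no-op: never auto-merge
    if n[0] != o[0]:
        return SEMVER_MAJOR
    if n[1] != o[1]:
        if strict_zero_major and o[0] == 0:
            return SEMVER_MAJOR
        return SEMVER_MINOR
    return SEMVER_PATCH


def should_auto_merge(pr_title, strict_zero_major=True):
    """True when the PR would pass the patch/minor gate; anything else stays manual."""
    m = TITLE_RE.match(pr_title)
    if not m:
        return False  # group updates and unknown titles need a human look
    update_type = classify_update(m["old"], m["new"], strict_zero_major)
    return update_type in AUTO_MERGE_TYPES
```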

Essential Repository Configurations

  1. In repo settings (e.g., https://github.com/OWNER/REPO/settings), enable "Allow auto-merge" so the workflow's gh pr merge --auto command is permitted.
  2. Configure blocking status checks for linting, typing, and tests in the branch protection rules; auto-merge respects these, so a failing check prevents the merge.
  3. Enable Dependabot via https://github.com/OWNER/REPO/settings/security_analysis; the defaults suffice for basic dependency updates.

This setup was rolled out across ~12 repos, streamlining security patches without manual intervention.

Trade-offs and Real-World Pressure

Auto-merging cuts patching delays, but it also surfaced gaps such as missing tests that let a flawed change merge; treat that as motivation to build robust CI/CD rather than as a blocker. The workflow skips major version updates (semver-major), avoiding breaking changes, and works best with solid automated checks; with weak CI/CD you end up fixing breakage after the merge instead of catching it before.

Summarized by x-ai/grok-4.1-fast via openrouter

© 2026 Edge