This action automatically approves and merges dependabot PRs.
Optional A GitHub token. See below for additional information.
Optional A comma or semicolon separated value of packages that you don't want to auto-merge and would like to manually review to decide whether to upgrade or not.
Optional If `true`, the PR is only approved but not merged. Defaults to `false`.
Optional The merge method you would like to use (squash, merge, rebase). Defaults to `squash` merge.
Optional An arbitrary message that you'd like to comment on the PR after it gets auto-merged. This is only useful when you're receiving too much noise in email and would like to filter mails for PRs that got automatically merged.
Optional If `true`, the PR is marked as auto-merge and will be merged by GitHub when status checks are satisfied. Defaults to `false`.
NOTE This feature only works when all of the following conditions are met.
- The repository enables auto-merge.
- The pull request base must have a branch protection rule.
- The pull request's status checks are not yet satisfied.
Refer to the official document about GitHub auto-merge.
Optional A flag to only auto-merge updates based on Semantic Versioning. Defaults to `any`.
Possible options are: `major`, `premajor`, `minor`, `preminor`, `patch`, `prepatch`, `prerelease`, `any`.
For more details on how semantic version difference is calculated please see semver package.
If you set a value other than `any`, PRs that are not semantic version compliant are skipped.
An example of a non-semantic version is a commit hash when using git submodules.
Optional A pull request number, only required if triggered from a `workflow_dispatch` event. Typically this would be triggered by a script running in a separate CI provider. See Trigger action from workflow_dispatch event.
Optional If true, then the action will not expect the commits to have a verification signature. It is required to set this to true in GitHub Enterprise Server.
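How the Semantic Versioning option described above can gate an update, as an added example that is not the action's own code. It uses a simplified version parser instead of the semver package; the function names, the ordering in `LEVELS` and the sample versions are assumptions made for illustration.

```javascript
// Added example: simplified stand-in for a semver diff plus a target check.
// Accepts MAJOR.MINOR.PATCH with optional -prerelease and +build parts.
const SEMVER = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/;

// Assumed ordering, smallest change first. 'any' is handled separately.
const LEVELS = ['prerelease', 'prepatch', 'patch', 'preminor', 'minor', 'premajor', 'major'];

function parse(version) {
  const m = SEMVER.exec(version.trim());
  if (!m) return null; // e.g. a git submodule commit hash
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || '' };
}

// Classify the bump between two parsed versions; null when they are equal.
function diff(from, to) {
  const pre = from.pre || to.pre ? 'pre' : '';
  if (from.major !== to.major) return pre + 'major';
  if (from.minor !== to.minor) return pre + 'minor';
  if (from.patch !== to.patch) return pre + 'patch';
  return from.pre !== to.pre ? 'prerelease' : null;
}

// Returns 'merge' when the update is within the target, otherwise 'skip'.
function decide(fromVersion, toVersion, target = 'any') {
  if (target === 'any') return 'merge'; // no semver gating at all
  const from = parse(fromVersion);
  const to = parse(toVersion);
  if (!from || !to) return 'skip'; // not semantic version compliant
  const bump = diff(from, to);
  if (bump === null) return 'merge'; // no version change, nothing exceeds the target
  return LEVELS.indexOf(bump) <= LEVELS.indexOf(target) ? 'merge' : 'skip';
}

// Constructed sample updates: [from, to, target]
for (const [from, to, target] of [
  ['1.2.3', '1.2.4', 'minor'],
  ['1.2.3', '2.0.0', 'minor'],
  ['3f2a9c1', '8b7d0e4', 'patch'],
]) {
  console.log(`${from} -> ${to} (target ${target}): ${decide(from, to, target)}`);
}
```

Keeping the gate at patch or minor leaves larger dependency jumps, and anything that cannot be classified, for a human reviewer.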
Configure this action in your workflows providing the inputs described above.
Note that this action requires a GitHub token with additional permissions. You must use the `permissions` tag to specify the required rules or configure your GitHub account.
The permissions required are:
- `pull-requests` permission: it is needed to approve PRs.
- `contents` permission: it is necessary to merge the pull request. You don't need it if you set `approve-only: true`, see the example below.
If some of the required permissions are missing, the action will fail with the error message:
Error: Resource not accessible by integration
```yaml
name: CI
on:
  push:
    branches:
      - main
  pull_request:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # ...

  automerge:
    needs: build
    runs-on: ubuntu-latest

    permissions:
      pull-requests: write
      contents: write

    steps:
      - uses: fastify/github-action-merge-dependabot@v3
```

```yaml
# automerge job fragment: packages listed in exclude are left for manual review
permissions:
  pull-requests: write
  contents: write

steps:
  - uses: fastify/github-action-merge-dependabot@v3
    with:
      exclude: 'react,fastify'
```

```yaml
# automerge job fragment: approve only, so contents: write is not needed
permissions:
  pull-requests: write

steps:
  - uses: fastify/github-action-merge-dependabot@v3
    with:
      approve-only: true
```
If you need to trigger this action manually, you can use the `workflow_dispatch` event. A use case might be that your CI runs on a separate provider, so you would like to run this action as a result of a successful CI run.
When using the `workflow_dispatch` approach, you will need to send the PR number as part of the input for this action:
```yaml
name: automerge

on:
  workflow_dispatch:
    inputs:
      pr-number:
        required: true

jobs:
  automerge:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
      contents: write
    steps:
      - uses: fastify/github-action-merge-dependabot@v3
        with:
          pr-number: ${{ github.event.inputs.pr-number }}
```
You can initiate a call to trigger this event via API:
```bash
# Note: replace dynamic values with your relevant data
curl -X POST \
  -H "Accept: application/vnd.github.v3+json" \
  -H "Authorization: token {token}" \
  https://api.github.com/repos/{owner}/{reponame}/actions/workflows/{workflow}/dispatches \
  -d '{"ref":"{ref}", "inputs":{ "pr-number": "{number}"}}'
```
- Update the action version.
- Add the new `permissions` configuration into your workflow or, instead, you can set the permissions rules on the repository or on the organization.
- Uninstall the dependabot-merge-action GitHub App from your repos/orgs.
- If you have customized the `api-url` you can:
  - Remove the `api-url` option from your workflow.
  - Turn off the `dependabot-merge-action-app` application.
Migration example:
jobs:
build:
runs-on: ubuntu-latest
steps:
# ...
automerge:
needs: build
runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
+ contents: write
steps:
- - uses: fastify/[email protected]
+ - uses: fastify/github-action-merge-dependabot@v3
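Review bot: the added `uses:` line references the action by the `@v3` tag, which can be moved to a different commit, in the same job that this change grants `pull-requests: write` and `contents: write`. Consider pinning the reference to a full commit SHA, with the version kept in a trailing comment, so the code that runs with those permissions only changes when the workflow file itself is changed and reviewed.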
- A GitHub token is automatically provided by GitHub Actions, which can be accessed using `github.token` and supplied to the action as an input `github-token`.
- Only the GitHub native Dependabot integration is supported, the old Dependabot Preview app isn't.
- Make sure to use `needs: <jobs>` to delay the auto-merging until CI checks (test/build) are passed.
- If you want to use GitHub's auto-merge feature but still use this action to approve Pull Requests without merging, use `approve-only: true`.
This project is kindly sponsored by NearForm