Skip to content

Automatically merge Dependabot PRs when version comparison is within range

License

Notifications You must be signed in to change notification settings

ahmadnassri/action-dependabot-auto-merge

Use this GitHub action with your project
Add this Action to an existing workflow or create a new one
View on Marketplace

Repository files navigation

GitHub Action: Dependabot Auto Merge

Automatically merge Dependabot PRs when version comparison is within range.

license release

Note: Dependabot will wait until all your status checks pass before merging. This is a function of Dependabot itself, and not this Action.

Usage

name: auto-merge

on:
  pull_request:

jobs:
  auto-merge:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: ahmadnassri/action-dependabot-auto-merge@v2
        with:
          target: minor
          github-token: ${{ secrets.mytoken }}

The action will only merge PRs whose checks (CI/CD) pass.

Examples

Minimal setup:

steps:
  - uses: ahmadnassri/action-dependabot-auto-merge@v2
    with:
      github-token: ${{ secrets.mytoken }}

Only merge if the changed dependency version is a patch (default behavior):

steps:
  - uses: ahmadnassri/action-dependabot-auto-merge@v2
    with:
      target: patch
      github-token: ${{ secrets.mytoken }}

Only merge if the changed dependency version is a minor:

steps:
  - uses: ahmadnassri/action-dependabot-auto-merge@v2
    with:
      target: minor
      github-token: ${{ secrets.mytoken }}

Using a configuration file:

.github/workflows/auto-merge.yml
steps:
  - uses: actions/checkout@v2
  - uses: ahmadnassri/action-dependabot-auto-merge@v2
    with:
      github-token: ${{ secrets.mytoken }}
.github/auto-merge.yml
- match:
    dependency_type: all
    update_type: "semver:minor" # includes patch updates!

Inputs

input required default description
github-token github.token The GitHub token used to merge the pull-request
config .github/auto-merge.yml Path to configuration file (relative to root)
target patch The version comparison target (major, minor, patch)
command merge The command to pass to Dependabot
botName dependabot The bot to tag in approve/comment message.
approve true Auto-approve pull-requests

Token Scope

The GitHub token is a Personal Access Token with the following scopes:

  • repo for private repositories
  • public_repo for public repositories

The token MUST be created from a user with push permission to the repository.

see reference for user owned repos and for org owned repos

Configuration file syntax

Using the configuration file (specified with config input), you have the option to provide a more fine-grained configuration. The following example configuration file merges

  • minor updates for aws-sdk
  • minor development dependency updates
  • patch production dependency updates
  • minor security-critical production dependency updates
- match:
    dependency_name: aws-sdk
    update_type: semver:minor

- match:
    dependency_type: development
    update_type: semver:minor # includes patch updates!

- match:
    dependency_type: production
    update_type: security:minor # includes patch updates!

- match:
    dependency_type: production
    update_type: semver:patch

Match Properties

property required supported values
dependency_name full name of dependency, or a regex string
dependency_type all, production, development
update_type all, security:*, semver:*

update_type can specify security match or semver match with the syntax: ${type}:${match}, e.g.

  • security:patch
    SemVer patch update that fixes a known security vulnerability

  • semver:patch
    SemVer patch update, e.g. > 1.x && 1.0.1 to 1.0.3

  • semver:minor
    SemVer minor update, e.g. > 1.x && 2.1.4 to 2.3.1

To allow prereleases, the corresponding prepatch, preminor and premajor types are also supported

Defaults

By default, if no configuration file is present in the repo, the action will assume the following:

- match:
    dependency_type: all
    update_type: semver:${TARGET}

Where $TARGET is the target value from the action Inputs

The syntax is based on the legacy dependaBot v1 config format. However, in_range is not supported yet.

Exceptions and Edge Cases

  1. Parsing of version ranges is not currently supported
Update stone requirement from ==1.* to ==3.*
requirements: update sphinx-autodoc-typehints requirement from <=1.11.0 to <1.12.0
Update rake requirement from ~> 10.4 to ~> 13.0
  1. Parsing of non semver numbering is not currently supported
Bump actions/cache from v2.0 to v2.1.2
chore(deps): bump docker/build-push-action from v1 to v2
  1. Sometimes Dependabot does not include the "from" version, so version comparison logic is impossible:
Update actions/setup-python requirement to v2.1.4
Update actions/cache requirement to v2.1.2

if your config is anything other than update_type: all, or update_type: semver:all the action will fallback to manual merge, since there is no way to compare version ranges for merging.


Author: Ahmad Nassri • Twitter: @AhmadNassri