
How to Fully Automate Dependabot: From Setup to Auto-Merge


Introduction

Updating dependency packages is a hassle, isn't it?

Dependabot will create PRs automatically once introduced, but are you still manually merging them?

In this article, I will explain how to fully automate the process from introducing Dependabot to automatically merging once CI passes.

Overview

Dependabot → PR created → CI runs → success → auto-merge
                                  → failure → handled manually

Once the configuration is complete, the following will occur automatically:

  1. Dependabot checks dependencies every Monday.
  2. If there are updates, a PR is automatically created.
  3. CI is executed.
  4. If CI succeeds, it is automatically merged.

Step 1: Enable Dependabot

Create .github/dependabot.yml.

For Go Projects

version: 2
updates:
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "19:00"
      timezone: "Asia/Tokyo"
    commit-message:
      prefix: "deps"
    labels:
      - "dependencies"
      - "go"
    open-pull-requests-limit: 5

  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "19:00"
      timezone: "Asia/Tokyo"
    commit-message:
      prefix: "ci"
    labels:
      - "dependencies"
      - "github-actions"

For Node.js Projects

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "19:00"
      timezone: "Asia/Tokyo"
    commit-message:
      prefix: "deps"
    labels:
      - "dependencies"
      - "npm"
    open-pull-requests-limit: 5

  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "19:00"
      timezone: "Asia/Tokyo"
    commit-message:
      prefix: "ci"
    labels:
      - "dependencies"
      - "github-actions"

Key Configuration Points

Configuration item          Description
interval                    How often to check: daily, weekly or monthly
day / time                  Day of week (weekly only) and time of day at which the check runs
timezone                    IANA timezone name in which time is interpreted (e.g. Asia/Tokyo)
commit-message.prefix       Prefix prepended to the generated commit messages and PR titles
labels                      Labels attached to the generated PRs
open-pull-requests-limit    Maximum number of Dependabot PRs open at once for this entry (default 5)

Step 2: Prepare a CI Workflow

Auto-merge is only as safe as the CI that gates it, so a CI workflow is a prerequisite. Two names from this file are referenced later: the workflow name ("CI") by workflow_run, and the job name ("test") by branch protection's required status checks, so keep them consistent.

Example of .github/workflows/ci.yml (Go project; swap the setup step for your Node.js toolchain):

name: CI

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# CI only needs to read the repository; keep GITHUB_TOKEN read-only.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod

      - name: Test
        run: go test ./...

      - name: Build
        run: go build ./...

Step 3: Set Up Automatic Merging

This is the core of the setup. We create a second workflow that, once CI has succeeded on a Dependabot PR, enables GitHub's auto-merge on that PR; GitHub then performs the merge as soon as the branch protection requirements are met.

.github/workflows/auto-merge-deps.yml:

name: Auto-merge Dependabot PRs

# workflow_run fires after the "CI" workflow finishes, in the context of the
# default branch: the workflow definition is taken from main and secrets are
# available. Every PR's CI completion triggers it, so the author check below
# is the gate that keeps non-Dependabot PRs out.
on:
  workflow_run:
    workflows: ["CI"]
    types: [completed]

# The merge itself is done with the PAT below; GITHUB_TOKEN only needs to read
# the PR, so it stays read-only.
permissions:
  contents: read
  pull-requests: read

jobs:
  auto-merge:
    if: >
      github.event.workflow_run.conclusion == 'success' &&
      github.event.workflow_run.event == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - name: Get PR
        id: pr
        uses: actions/github-script@v7
        with:
          script: |
            // workflow_run lists the PRs associated with the tested commit;
            // the list is empty for runs not tied to a PR.
            const prs = context.payload.workflow_run.pull_requests;
            if (!prs || prs.length === 0) {
              core.setFailed('No PR found for workflow_run');
              return;
            }
            // The number is always present in the payload; gh can merge by number.
            core.setOutput('number', prs[0].number);

      - name: Ensure Dependabot PR
        uses: actions/github-script@v7
        env:
          # Passed via env rather than interpolated into the script.
          PR_NUMBER: ${{ steps.pr.outputs.number }}
        with:
          script: |
            // Re-read the PR from the API and refuse anything not authored by
            // dependabot[bot]. A failed step stops the job, so the merge step
            // below never runs for other PRs.
            const prNumber = Number(process.env.PR_NUMBER);
            const { data: pr } = await github.rest.pulls.get({
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: prNumber,
            });
            if (pr.user.login !== 'dependabot[bot]') {
              core.setFailed(`Not a Dependabot PR: ${pr.user.login}`);
            }

      - name: Enable auto-merge
        # --auto enables GitHub's auto-merge; the merge happens once the
        # branch protection requirements on main are satisfied.
        run: gh pr merge --auto --squash --repo "$GITHUB_REPOSITORY" "$PR_NUMBER"
        env:
          PR_NUMBER: ${{ steps.pr.outputs.number }}
          GH_TOKEN: ${{ secrets.DEPENDABOT_AUTO_MERGE_TOKEN }}

Why use workflow_run?

Workflows triggered by Dependabot through the pull_request event run with a read-only GITHUB_TOKEN and without access to repository secrets (only Dependabot secrets are available), so the merge cannot be enabled from there. A workflow_run workflow runs after CI completes, in the context of the default branch: it uses the workflow file from main and has access to secrets. That privilege is exactly why the "Ensure Dependabot PR" step matters: CI completion on every PR triggers this workflow, and the author check is what stops it from enabling auto-merge on PRs opened by anyone else.
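The gate that makes workflow_run safe is the decision about which PRs may be auto-merged. The following is an added example, not code from the original article: a pure JavaScript function in the style of the github-script steps above that takes the PR object from github.rest.pulls.get() and the github.event.workflow_run payload and returns whether auto-merge may be enabled. Beyond the author check the article uses, it also requires the head branch to be a dependabot/ branch in the same repository, requires the SHA that CI tested to equal the current PR head, and allows only minor and patch bumps parsed from Dependabot's "Bump X from A to B" title. Those extra rules, the policy constants and the sample PR data are assumptions for illustration.

```javascript
'use strict';

// Policy knobs (assumptions for this example, not settings from the article).
const ALLOWED_UPDATE_TYPES = new Set(['patch', 'minor']);
const DEPENDABOT_LOGIN = 'dependabot[bot]';
const DEPENDABOT_BRANCH_PREFIX = 'dependabot/';

// Parse "1.2.3", "v1.2.3", "4.1" or "4" into [major, minor, patch]
// (missing components count as 0); null if the string is not version-like.
function parseSemver(v) {
  const m = /^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?/.exec(String(v));
  if (!m) return null;
  return [Number(m[1]), Number(m[2] || 0), Number(m[3] || 0)];
}

// Classify the bump from `from` to `to` as major, minor, patch, none or unknown.
function bumpType(from, to) {
  const a = parseSemver(from);
  const b = parseSemver(to);
  if (!a || !b) return 'unknown';
  if (a[0] !== b[0]) return 'major';
  if (a[1] !== b[1]) return 'minor';
  if (a[2] !== b[2]) return 'patch';
  return 'none';
}

// Dependabot titles a single-dependency PR "Bump <name> from <old> to <new>",
// after any commit-message prefix from dependabot.yml ("deps: bump ...").
// Grouped updates use different wording and return null, so this policy
// leaves them for a human to merge.
function parseBumpTitle(title) {
  const m = /bump (\S+) from (\S+) to (\S+)/i.exec(String(title));
  return m ? { name: m[1], from: m[2], to: m[3] } : null;
}

// Decide whether auto-merge may be enabled.
//   pr:  response body of GET /repos/{owner}/{repo}/pulls/{number}
//   run: github.event.workflow_run of the CI run that just completed
// Returns { ok, reason }; every rejection names the check that failed.
function shouldAutoMerge(pr, run) {
  if (run.conclusion !== 'success') {
    return { ok: false, reason: `CI conclusion is ${run.conclusion}` };
  }
  if (pr.user.login !== DEPENDABOT_LOGIN) {
    return { ok: false, reason: `PR author is ${pr.user.login}` };
  }
  if (!pr.head.ref.startsWith(DEPENDABOT_BRANCH_PREFIX)) {
    return { ok: false, reason: `head branch ${pr.head.ref} is not a Dependabot branch` };
  }
  if (pr.head.repo.full_name !== pr.base.repo.full_name) {
    return { ok: false, reason: `head branch lives in fork ${pr.head.repo.full_name}` };
  }
  // workflow_run.head_sha is the commit CI actually tested. If the PR head
  // moved since (someone pushed to the Dependabot branch), the green run
  // says nothing about the code that would be merged now.
  if (run.head_sha !== pr.head.sha) {
    return { ok: false, reason: `CI ran on ${run.head_sha} but PR head is ${pr.head.sha}` };
  }
  const bump = parseBumpTitle(pr.title);
  if (!bump) {
    return { ok: false, reason: `cannot parse update from title: ${pr.title}` };
  }
  const type = bumpType(bump.from, bump.to);
  if (!ALLOWED_UPDATE_TYPES.has(type)) {
    return { ok: false, reason: `${bump.name} ${bump.from} -> ${bump.to} is a ${type} update` };
  }
  return { ok: true, reason: `${bump.name} ${type} update, CI green on ${run.head_sha}` };
}

// Constructed sample inputs: field shapes follow the GitHub API, values are
// made up. `overrides` replaces top-level fields of the PR.
function samplePr(overrides = {}) {
  const pr = {
    number: 42,
    title: 'deps: bump golang.org/x/crypto from 0.30.0 to 0.31.0',
    user: { login: 'dependabot[bot]' },
    head: {
      ref: 'dependabot/go_modules/golang.org/x/crypto-0.31.0',
      sha: 'abc123',
      repo: { full_name: 'example/repo' },
    },
    base: { ref: 'main', repo: { full_name: 'example/repo' } },
  };
  return { ...pr, ...overrides };
}
const sampleRun = { conclusion: 'success', event: 'pull_request', head_sha: 'abc123' };

// Stand-alone demo: print the decision for the sample PR and a tampered copy.
for (const pr of [samplePr(), samplePr({ user: { login: 'mallory' } })]) {
  const { ok, reason } = shouldAutoMerge(pr, sampleRun);
  console.log(`PR #${pr.number}: ${ok ? 'auto-merge' : 'REJECT'} (${reason})`);
}
```

In the "Ensure Dependabot PR" step this would be called as shouldAutoMerge(pr, context.payload.workflow_run), with core.setFailed(reason) when ok is false. Major bumps (including GitHub Actions tag bumps such as "from 4 to 5") and grouped updates are rejected by design and stay for manual review; widen ALLOWED_UPDATE_TYPES if your project accepts them.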

Step 4: Set Up a Personal Access Token

A dedicated token performs the merge. Whatever it enables auto-merge on is merged in the name of the token's owner, so create it from an account that has write access to the repository and scope it as narrowly as possible: one repository, only the two permissions below, and an expiration date.

Creating the Token

  1. GitHub → Settings → Developer settings → Personal access tokens → Fine-grained tokens
  2. Click "Generate new token"
  3. Set the following:
    • Token name — e.g., dependabot-auto-merge
    • Repository access — Select the target repository
    • Permissions
      • Contents: Read and write
      • Pull requests: Read and write

Registering to Secrets

  1. Repository Settings → Secrets and variables → Actions
  2. Click "New repository secret"
  3. Name: DEPENDABOT_AUTO_MERGE_TOKEN
  4. Value: The token you created

Step 5: Configuring Branch Protection Rules (Optional)

Auto-merge is only as safe as the conditions GitHub itself enforces, so we recommend a branch protection rule on main.

  1. Repository Settings → Branches
  2. "Add branch protection rule"
  3. Configure the following:
    • Branch name pattern — main
    • Require status checks to pass before merging — Enable
    • Require branches to be up to date before merging — Enable
    • Status checks that are required — test (CI job name)

With this, GitHub refuses to merge a PR whose required checks have not passed, whatever the workflow requests. The repository must also allow auto-merge (Settings → General → Pull Requests → "Allow auto-merge"); without it, gh pr merge --auto cannot enable auto-merge.

Verification

After completing the settings, you can verify the operation with the following flow:

  1. Check the PR created by Dependabot
  2. Confirm that the CI is executed
  3. Confirm that it is merged automatically after the CI succeeds

It is working if the PR timeline shows entries like the following (the account shown for "enabled auto-merge" is whichever identity's token enabled it):

enabled auto-merge (squash)
merged commit xxx into main

Troubleshooting

If automatic merging does not occur

  1. Check the token — Contents and Pull requests must both be Read and write, repository access must include this repository, and the token must not have expired.
  2. Check that auto-merge is allowed for the repository — Settings → General → Pull Requests → "Allow auto-merge". This is a repository setting, not a branch protection rule.
  3. Check the CI name — workflow_run.workflows must match the name: of the CI workflow exactly ("CI").
  4. Check the run of "Auto-merge Dependabot PRs" in the Actions tab — the "Ensure Dependabot PR" step fails by design for PRs not authored by dependabot[bot], and "Get PR" fails when the CI run is not associated with a PR.

If Dependabot PR is not created

  1. Check the path and file name of .github/dependabot.yml.
  2. Check for errors in Insights → Dependency graph → Dependabot of the repository.

Summary

  • Dependabot — Automatically create dependency update PRs with .github/dependabot.yml
  • Auto-merge — Enable auto-merge after CI success using the workflow_run event, gated on the PR author being dependabot[bot]
  • Token — Use a fine-grained token scoped to one repository and two permissions

Once configured, routine dependency updates are almost entirely automated. Note that dependabot.yml configures version updates; Dependabot security updates are enabled separately (Settings → Code security), but the PRs they open are authored by dependabot[bot] too and flow through the same auto-merge. Please give it a try.
