Skip to content
Latchkey

How to Auto-Merge Dependabot PRs After Tests Pass

Enabling auto-merge tells GitHub to merge a Dependabot PR the moment its required checks are green, so the branch protection rules, not the bot, decide when it lands.

Turn on auto-merge for the PR with gh pr merge --auto from a workflow triggered on pull_request. Auto-merge waits for every required status check and review, so your test suite gates the merge. Restrict which updates qualify with the dependabot/fetch-metadata action.

Steps

  • Require your CI checks in branch protection (this is what makes tests block the merge).
  • Add a workflow on pull_request that runs only for github.actor == 'dependabot[bot]'.
  • Use dependabot/fetch-metadata to read the update type.
  • Call gh pr merge --auto only for the update types you trust.

Auto-merge workflow

.github/workflows/dependabot-automerge.yml
name: Dependabot auto-merge
on: pull_request
permissions:
  contents: write
  pull-requests: write
jobs:
  automerge:
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - uses: dependabot/fetch-metadata@v2
        id: meta
      - name: Enable auto-merge for patch and minor
        if: steps.meta.outputs.update-type == 'version-update:semver-patch' || steps.meta.outputs.update-type == 'version-update:semver-minor'
        run: gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Gotchas

  • Auto-merge does nothing safe without required status checks; add your test job to branch protection first so a red build blocks the merge.
  • Exclude version-update:semver-major from the allow list; majors carry breaking changes and deserve human review.
  • The workflow needs pull-requests: write and the repository must have auto-merge enabled in settings.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →