How to Auto-Merge Dependabot PRs After Tests Pass
Enabling auto-merge tells GitHub to merge a Dependabot PR the moment its required checks are green, so the branch protection rules, not the bot, decide when it lands.
Turn on auto-merge for the PR with gh pr merge --auto from a workflow triggered on pull_request. Auto-merge waits for every required status check and review, so your test suite gates the merge. Restrict which updates qualify with the dependabot/fetch-metadata action.
Steps
- Require your CI checks in branch protection (this is what makes tests block the merge).
- Add a workflow on
pull_requestthat runs only forgithub.actor == 'dependabot[bot]'. - Use
dependabot/fetch-metadatato read the update type. - Call
gh pr merge --autoonly for the update types you trust.
Auto-merge workflow
.github/workflows/dependabot-automerge.yml
name: Dependabot auto-merge
on: pull_request
permissions:
contents: write
pull-requests: write
jobs:
automerge:
if: github.actor == 'dependabot[bot]'
runs-on: ubuntu-latest
steps:
- uses: dependabot/fetch-metadata@v2
id: meta
- name: Enable auto-merge for patch and minor
if: steps.meta.outputs.update-type == 'version-update:semver-patch' || steps.meta.outputs.update-type == 'version-update:semver-minor'
run: gh pr merge --auto --squash "$PR_URL"
env:
PR_URL: ${{ github.event.pull_request.html_url }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}Gotchas
- Auto-merge does nothing safe without required status checks; add your test job to branch protection first so a red build blocks the merge.
- Exclude
version-update:semver-majorfrom the allow list; majors carry breaking changes and deserve human review. - The workflow needs
pull-requests: writeand the repository must have auto-merge enabled in settings.
Related guides
How to Handle Failing Dependency Update PRsKeep broken dependency bumps out of main by requiring your test suite as a status check, so Dependabot and Re…
How to Use Allow and Ignore Rules in DependabotControl which dependencies Dependabot touches with allow and ignore rules, pinning a package to a major line…