Skip to content
Latchkey

How to Auto-Merge Dependabot PRs in GitHub Actions

Reading Dependabot metadata lets you auto-merge only the low-risk version bumps.

Detect the actor is Dependabot, fetch update metadata, and enable auto-merge for patch and minor updates once checks pass.

Steps

  • Guard the job on github.actor == 'dependabot[bot]'.
  • Read the bump type with dependabot/fetch-metadata.
  • Call gh pr merge --auto for patch and minor updates.

Workflow

.github/workflows/automerge.yml
on: pull_request
permissions:
  contents: write
  pull-requests: write
jobs:
  automerge:
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - id: meta
        uses: dependabot/fetch-metadata@v2
      - if: steps.meta.outputs.update-type != 'version-update:semver-major'
        run: gh pr merge --auto --squash "${{ github.event.pull_request.html_url }}"
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Gotchas

  • Auto-merge only completes once required status checks pass and branch protection allows it.
  • Keep major bumps manual; they often carry breaking changes.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →