How to Auto-Merge Dependabot PRs in GitHub Actions
Reading Dependabot metadata lets you auto-merge only the low-risk version bumps.
Detect the actor is Dependabot, fetch update metadata, and enable auto-merge for patch and minor updates once checks pass.
Steps
- Guard the job on
github.actor == 'dependabot[bot]'. - Read the bump type with
dependabot/fetch-metadata. - Call
gh pr merge --autofor patch and minor updates.
Workflow
.github/workflows/automerge.yml
on: pull_request
permissions:
contents: write
pull-requests: write
jobs:
automerge:
if: github.actor == 'dependabot[bot]'
runs-on: ubuntu-latest
steps:
- id: meta
uses: dependabot/fetch-metadata@v2
- if: steps.meta.outputs.update-type != 'version-update:semver-major'
run: gh pr merge --auto --squash "${{ github.event.pull_request.html_url }}"
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}Gotchas
- Auto-merge only completes once required status checks pass and branch protection allows it.
- Keep major bumps manual; they often carry breaking changes.
Related guides
How to Post a Slack Message on Failure in GitHub ActionsSend a Slack notification when a GitHub Actions workflow fails by adding a step guarded with if failure() tha…
How to Comment a Preview URL on a PR in GitHub ActionsPost a preview deployment URL as a sticky comment on a pull request in GitHub Actions, updating the same comm…