Skip to content
Latchkey

Adding Dependabot to GitHub Actions

Let Dependabot open dependency-update PRs and auto-merge the safe ones in CI.

Dependabot is configured by a dependabot.yml file, not a workflow - it opens update PRs on a schedule. You pair it with a GitHub Actions workflow that auto-approves and merges patch/minor updates once CI passes, so routine bumps do not pile up.

What you need

  • A .github/dependabot.yml declaring package-ecosystems and a schedule.
  • Dependabot enabled in repo security settings.
  • A workflow with pull_request_target and the gh CLI for auto-merge.

The config

Tell Dependabot what to update and how often.

.github/dependabot.yml
version: 2
updates:
  - package-ecosystem: npm
    directory: "/"
    schedule:
      interval: weekly

Auto-merge safe updates

Approve and enable auto-merge for patch/minor Dependabot PRs.

.github/workflows/automerge.yml
on: pull_request_target
permissions:
  contents: write
  pull-requests: write
jobs:
  automerge:
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - run: gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Common gotchas

  • Dependabot PRs run with a read-only token by default - auto-merge needs pull_request_target.
  • Auto-merging major versions is risky; gate on the dependabot metadata action to skip them.
  • A wave of update PRs each consumes CI minutes; cheaper managed runners (Latchkey) keep that churn affordable.

Key takeaways

  • Dependabot is driven by dependabot.yml, not a workflow.
  • Auto-merge needs pull_request_target and write permissions.
  • Gate auto-merge to patch/minor to avoid breaking majors.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →