Adding Dependabot to GitHub Actions
Let Dependabot open dependency-update PRs and auto-merge the safe ones in CI.
Dependabot is configured by a dependabot.yml file, not a workflow - it opens update PRs on a schedule. You pair it with a GitHub Actions workflow that auto-approves and merges patch/minor updates once CI passes, so routine bumps do not pile up.
What you need
- A .github/dependabot.yml declaring package-ecosystems and a schedule.
- Dependabot enabled in repo security settings.
- A workflow with pull_request_target and the gh CLI for auto-merge.
The config
Tell Dependabot what to update and how often.
.github/dependabot.yml
version: 2
updates:
- package-ecosystem: npm
directory: "/"
schedule:
interval: weeklyAuto-merge safe updates
Approve and enable auto-merge for patch/minor Dependabot PRs.
.github/workflows/automerge.yml
on: pull_request_target
permissions:
contents: write
pull-requests: write
jobs:
automerge:
if: github.actor == 'dependabot[bot]'
runs-on: ubuntu-latest
steps:
- run: gh pr merge --auto --squash "$PR_URL"
env:
PR_URL: ${{ github.event.pull_request.html_url }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}Common gotchas
- Dependabot PRs run with a read-only token by default - auto-merge needs pull_request_target.
- Auto-merging major versions is risky; gate on the dependabot metadata action to skip them.
- A wave of update PRs each consumes CI minutes; cheaper managed runners (Latchkey) keep that churn affordable.
Key takeaways
- Dependabot is driven by dependabot.yml, not a workflow.
- Auto-merge needs pull_request_target and write permissions.
- Gate auto-merge to patch/minor to avoid breaking majors.
Related guides
Adding Snyk to GitHub ActionsScan dependencies for vulnerabilities with Snyk in GitHub Actions, set a severity threshold, and upload SARIF…
Running npm audit in GitHub ActionsGate your Node CI on npm audit in GitHub Actions: choose an audit level, handle transitive noise, and avoid f…
Adding OSV-Scanner to GitHub ActionsScan lockfiles against the OSV database with Google OSV-Scanner in GitHub Actions using the reusable workflow…