Auto-merge Dependabot PRs workflow (Unidata/siphon)
The Auto-merge Dependabot PRs workflow from Unidata/siphon, explained and optimized by Latchkey.
CI health: B - good
Run this on Latchkey for self-healing, caching, and up to 58% lower cost.
Grade your own workflow free or run it on Latchkey →What it does
This is the Auto-merge Dependabot PRs workflow from the Unidata/siphon repository, a real project running GitHub Actions. It is shown here with attribution under its BSD-3-Clause license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
name: Auto-merge Dependabot PRs
on:
pull_request_target:
branches: [main]
jobs:
#
# Automatically review dependabot PRs and set them to automerge (on successful checks)
#
Automerge:
environment:
name: PR Backport
runs-on: ubuntu-slim
if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'Unidata/siphon'
env:
GH_REPO: ${{ github.repository }}
GH_PR: ${{ github.event.pull_request.number }}
permissions:
contents: write
pull-requests: write
steps:
- name: Check Dependabot metadata
uses: dependabot/fetch-metadata@v3
- name: Create App Token
uses: actions/create-github-app-token@v3
id: app-token
with:
app-id: ${{ vars.APP_ID }}
private-key: ${{ secrets.APP_PRIVATE_KEY }}
- name: Set auto-merge
env:
GH_TOKEN: ${{ steps.app-token.outputs.token }}
run: gh pr merge -R "$GH_REPO" --merge --auto "$GH_PR"
- name: Review PR
env:
GH_TOKEN: ${{ steps.app-token.outputs.token }}
run: gh pr review -R "$GH_REPO" --approve "$GH_PR"
The same workflow, on Latchkey
Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.
name: Auto-merge Dependabot PRs on: pull_request_target: branches: [main] jobs: # # Automatically review dependabot PRs and set them to automerge (on successful checks) # Automerge: timeout-minutes: 30 environment: name: PR Backport runs-on: ubuntu-slim if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'Unidata/siphon' env: GH_REPO: ${{ github.repository }} GH_PR: ${{ github.event.pull_request.number }} permissions: contents: write pull-requests: write steps: - name: Check Dependabot metadata uses: dependabot/fetch-metadata@v3 - name: Create App Token uses: actions/create-github-app-token@v3 id: app-token with: app-id: ${{ vars.APP_ID }} private-key: ${{ secrets.APP_PRIVATE_KEY }} - name: Set auto-merge env: GH_TOKEN: ${{ steps.app-token.outputs.token }} run: gh pr merge -R "$GH_REPO" --merge --auto "$GH_PR" - name: Review PR env: GH_TOKEN: ${{ steps.app-token.outputs.token }} run: gh pr review -R "$GH_REPO" --approve "$GH_PR"
What changed
- Add a job timeout so a hung step cannot burn hours of runner time.
1 third-party action is referenced by a movable tag. Pin it to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.
This workflow runs 1 job per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.