Skip to content
Latchkey

Auto-merge Dependabot PRs workflow (Unidata/siphon)

The Auto-merge Dependabot PRs workflow from Unidata/siphon, explained and optimized by Latchkey.

B

CI health: B - good

Run this on Latchkey for self-healing, caching, and up to 58% lower cost.

Grade your own workflow free or run it on Latchkey →
Source: Unidata/siphon.github/workflows/automerge-dependabot.ymlLicense BSD-3-ClauseView source

What it does

This is the Auto-merge Dependabot PRs workflow from the Unidata/siphon repository, a real project running GitHub Actions. It is shown here with attribution under its BSD-3-Clause license.

Below, Latchkey shows a faster, safer version produced by its optimization engine.

The workflow

workflow (.yml)
name: Auto-merge Dependabot PRs

on:
  pull_request_target:
    branches: [main]

jobs:
  #
  # Automatically review dependabot PRs and set them to automerge (on successful checks)
  #
  Automerge:
    environment:
      name: PR Backport
    runs-on: ubuntu-slim
    if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'Unidata/siphon'
    env:
      GH_REPO: ${{ github.repository }}
      GH_PR: ${{ github.event.pull_request.number }}

    permissions:
      contents: write
      pull-requests: write

    steps:
    - name: Check Dependabot metadata
      uses: dependabot/fetch-metadata@v3

    - name: Create App Token
      uses: actions/create-github-app-token@v3
      id: app-token
      with:
        app-id: ${{ vars.APP_ID }}
        private-key: ${{ secrets.APP_PRIVATE_KEY }}

    - name: Set auto-merge
      env:
        GH_TOKEN: ${{ steps.app-token.outputs.token }}
      run: gh pr merge -R "$GH_REPO" --merge --auto "$GH_PR"

    - name: Review PR
      env:
        GH_TOKEN: ${{ steps.app-token.outputs.token }}
      run: gh pr review -R "$GH_REPO" --approve "$GH_PR"

The same workflow, on Latchkey

Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.

name: Auto-merge Dependabot PRs
 
on:
  pull_request_target:
    branches: [main]
 
jobs:
  #
  # Automatically review dependabot PRs and set them to automerge (on successful checks)
  #
  Automerge:
    timeout-minutes: 30
    environment:
      name: PR Backport
    runs-on: ubuntu-slim
    if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'Unidata/siphon'
    env:
      GH_REPO: ${{ github.repository }}
      GH_PR: ${{ github.event.pull_request.number }}
 
    permissions:
      contents: write
      pull-requests: write
 
    steps:
    - name: Check Dependabot metadata
      uses: dependabot/fetch-metadata@v3
 
    - name: Create App Token
      uses: actions/create-github-app-token@v3
      id: app-token
      with:
        app-id: ${{ vars.APP_ID }}
        private-key: ${{ secrets.APP_PRIVATE_KEY }}
 
    - name: Set auto-merge
      env:
        GH_TOKEN: ${{ steps.app-token.outputs.token }}
      run: gh pr merge -R "$GH_REPO" --merge --auto "$GH_PR"
 
    - name: Review PR
      env:
        GH_TOKEN: ${{ steps.app-token.outputs.token }}
      run: gh pr review -R "$GH_REPO" --approve "$GH_PR"
 

What changed

1 third-party action is referenced by a movable tag. Pin it to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.

This workflow runs 1 job per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.

Actions used in this workflow