Auto-merge Dependabot PR

This post goes over how to auto-merge Dependabot PR.

Prerequisite

Create a workflow that runs on pull_request_target and has the following permissions:

# .github/workflows/auto-merge-dependabot-pr.yml
on: pull_request_target
permissions:
  contents: write
  pull-requests: write

Auto-Merge

Create a job that checks if the user is Dependabot and auto-merges the pull request with GitHub CLI:

jobs:
  auto-merge-dependabot-pr:
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - name: Auto-merge Dependabot PR
        run: gh pr merge --auto --merge ${{ github.event.pull_request.html_url }}
        env:
          GITHUB_TOKEN: ${{ github.token }}

Make sure to allow auto-merge in your GitHub repository settings or else you will get an error.

You can restrict merging to only pull requests that has deps-dev in the title:

 - name: Auto-merge Dependabot PR
+  if: contains(github.event.pull_request.title, 'deps-dev')
   run: gh pr merge --auto --merge ${{ github.event.pull_request.html_url }}

Approve

If you enabled the branch protection that requires at least 1 approval before merging, then make the bot approve the PR:

- name: Approve Dependabot PR
  run: gh pr review --approve ${{ github.event.pull_request.html_url }}
  env:
    GITHUB_TOKEN: ${{ github.token }}

Workflow

See the final workflow:

# .github/workflows/auto-merge-dependabot-pr.yml
name: Auto-merge Dependabot PR
on: pull_request_target

permissions:
  contents: write
  pull-requests: write

jobs:
  auto-merge-dependabot-pr:
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    env:
      PR_URL: ${{ github.event.pull_request.html_url }}
      GITHUB_TOKEN: ${{ github.token }}

    steps:
      - name: Approve Dependabot PR
        run: gh pr review --approve $PR_URL

      - name: Auto-merge Dependabot PR
        if: contains(github.event.pull_request.title, 'deps-dev')
        run: gh pr merge --auto --merge $PR_URL