github-action-merge-dependabot
This action automatically approves and merges dependabot PRs.
Inputs
github-token
Required. A GitHub token. See below for additional information.
exclude
Optional. A comma- or semicolon-separated list of packages that you don't want to auto-merge and would rather review manually before deciding whether to upgrade.
approve-only
Optional. If true, the PR is only approved but not merged. Defaults to false.
merge-method
Optional. The merge method you would like to use (squash, merge, rebase). Defaults to squash merge.
merge-comment
Optional. An arbitrary message to comment on the PR after it gets auto-merged. This is only useful when you're receiving too much noise in email and would like to filter mails for PRs that got automatically merged.
target
Optional. A flag to only auto-merge updates based on Semantic Versioning. Defaults to any.
Possible options are: major, premajor, minor, preminor, patch, prepatch, prerelease, any.
For more details on how semantic version difference is calculated, please see the semver package.
If you set a value other than any, PRs that are not semantic version compliant are skipped. An example of a non-semantic version is a commit hash when using git submodules.
pr-number
Optional. A pull request number, only required if triggered from a workflow_dispatch event. Typically this would be triggered by a script running in a separate CI provider. See Trigger action from workflow_dispatch event.
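How the exclude and target inputs described above combine into a merge decision, as an added JavaScript sketch that is not the action's own code. It handles plain x.y.z versions only (the action relies on the semver package) and assumes that a target admits that change type and smaller ones, which the page does not state; the function names and sample updates are constructed.

```javascript
// Added illustration, not the action's source. Simplified: plain x.y.z only,
// no prerelease targets (the action delegates version diffing to semver).
const ORDER = ['patch', 'minor', 'major']; // smallest to largest change

// Parse "1.2.3" or "v1.2.3"; return null for anything else (e.g. a commit hash).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  return m ? m.slice(1).map(Number) : null;
}

// Name the most significant component that changed; null if unparseable or equal.
function diffType(from, to) {
  const a = parseVersion(from);
  const b = parseVersion(to);
  if (!a || !b) return null;
  if (a[0] !== b[0]) return 'major';
  if (a[1] !== b[1]) return 'minor';
  if (a[2] !== b[2]) return 'patch';
  return null;
}

// exclude input: comma or semicolon separated package names.
function parseExclude(value) {
  return (value || '').split(/[,;]/).map((s) => s.trim()).filter(Boolean);
}

// Decide whether an update is auto-merged or left for manual review.
function decide(update, inputs) {
  const target = inputs.target || 'any';
  if (parseExclude(inputs.exclude).includes(update.name)) {
    return { merge: false, reason: 'excluded' };
  }
  if (target === 'any') return { merge: true, reason: 'target any' };
  const type = diffType(update.from, update.to);
  // Non-semver versions are skipped whenever target is not "any".
  if (type === null) return { merge: false, reason: 'no semver diff' };
  // Assumption: a target admits that change type and smaller ones.
  const ok = ORDER.indexOf(type) <= ORDER.indexOf(target);
  return { merge: ok, reason: `${type} update` };
}
```

With target set to minor, a 3.29.0 to 4.0.0 bump is held for review while 4.17.20 to 4.17.21 is merged; a submodule bump identified by commit hash is merged only when target is any.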
Usage
Configure this action in your workflows providing the inputs described above.
Note that this action requires a GitHub token with additional permissions. You must use the permissions tag to specify the required rules or configure your GitHub account.
The permissions required are:
- pull-requests permission: it is needed to approve PRs.
- contents permission: it is necessary to merge the pull request. You don't need it if you set approve-only: true, see the example below.
If some of the required permissions are missing, the action will fail with the error message:
Error: Resource not accessible by integration
Basic example
name: CI
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # ...
  automerge:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
      contents: write
    steps:
      - uses: fastify/github-action-merge-dependabot@v3
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
Excluding packages
permissions:
  pull-requests: write
  contents: write
steps:
  - uses: fastify/github-action-merge-dependabot@v3
    with:
      github-token: ${{ secrets.GITHUB_TOKEN }}
      exclude: 'react,fastify'
Approving without merging
permissions:
  pull-requests: write
steps:
  - uses: fastify/github-action-merge-dependabot@v3
    with:
      github-token: ${{ secrets.GITHUB_TOKEN }}
      approve-only: true
Trigger action from workflow_dispatch event
If you need to trigger this action manually, you can use the workflow_dispatch event. A use case might be that your CI runs on a separate provider, so you would like to run this action as a result of a successful CI run.
When using the workflow_dispatch approach, you will need to send the PR number as part of the input for this action:
name: automerge
on:
  workflow_dispatch:
    inputs:
      pr-number:
        required: true
jobs:
  automerge:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
      contents: write
    steps:
      - uses: fastify/github-action-merge-dependabot@v3
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          pr-number: ${{ github.event.inputs.pr-number }}
You can initiate a call to trigger this event via API:
# Note: replace dynamic values with your relevant data
curl -X POST \
-H "Accept: application/vnd.github.v3+json" \
-H "Authorization: token {token}" \
https://api.github.com/repos/{owner}/{reponame}/actions/workflows/{workflow}/dispatches \
-d '{"ref":"{ref}", "inputs":{ "pr-number": "{number}"}}'
How to upgrade from 2.x to new 3.x
- Update the action version.
- Add the new permissions configuration into your workflow or, instead, you can set the permissions rules on the repository or on the organization.
- Uninstall the dependabot-merge-action GitHub App from your repos/orgs.
- If you have customized the api-url you can:
  - Remove the api-url option from your workflow.
  - Turn off the dependabot-merge-action-app application.
Migration example:
jobs:
build:
runs-on: ubuntu-latest
steps:
# ...
automerge:
needs: build
runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
+ contents: write
steps:
- - uses: fastify/[email protected]
+ - uses: fastify/github-action-merge-dependabot@v3
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
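Review bot: the added uses: line references the movable tag @v3 in the same job that the new permissions block grants pull-requests: write and contents: write; pin the action to a full commit SHA so that a retagged release cannot run with approve and merge rights. Keeping the permissions block on the automerge job, as written here, rather than at workflow level means the build job is not granted them.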
Notes
- A GitHub token is automatically provided by GitHub Actions, which can be accessed using secrets.GITHUB_TOKEN and supplied to the action as the input github-token.
- Only the GitHub native Dependabot integration is supported, the old Dependabot Preview app isn't.
- Make sure to use needs: <jobs> to delay the auto-merging until CI checks (test/build) are passed.
- If you want to use GitHub's auto-merge feature but still use this action to approve Pull Requests without merging, use approve-only: true.
Acknowledgements
This project is kindly sponsored by NearForm