How do I automerge dependabot updates (config version 2)?
Question:
Following "Dependabot is moving natively into GitHub!", I had to update my dependabot config files to use version 2 format.
My .dependabot/config.yaml did look like:

version: 1
update_configs:
  - package_manager: "python"
    directory: "/"
    update_schedule: "live"
    automerged_updates:
      - match:
          dependency_type: "all"
          update_type: "all"
I’ve got the following working:
version: 2
updates:
  - package-ecosystem: pip
    directory: "/"
    schedule:
      interval: daily
but I can’t seem to add the automerge option again (when checking with the dependabot validator)?
Answers:
Auto-merge was disabled in the move of Dependabot into GitHub:
Auto-merge will not be supported in GitHub-native Dependabot for the foreseeable future. We know some of you have built great workflows that rely on auto-merge, but right now, we’re concerned about auto-merge being used to quickly propagate a malicious package across the ecosystem. We recommend always verifying your dependencies before merging them.
There are some hacks to accomplish this job; you can check GitHub dependabot-core issue #1973 for some ideas.
Here is one solution that doesn’t require any additional marketplace installations (originally found here). Simply create a new GitHub workflow (e.g. .github/workflows/dependabotautomerge.yml) containing:
name: "Dependabot Automerge - Action"
on:
  pull_request:
# Workflows triggered by Dependabot get a read-only GITHUB_TOKEN unless write
# scopes are granted explicitly; approving and merging need both of these.
permissions:
  contents: write
  pull-requests: write
jobs:
  worker:
    runs-on: ubuntu-latest
    if: github.actor == 'dependabot[bot]'
    steps:
      - name: automerge
        # The version tag of this action was lost in extraction; v6 is an
        # assumed pin. Its Octokit client exposes github.rest.pulls
        # (github.pullRequests is the deprecated name used by early releases).
        uses: actions/github-script@v6
        with:
          github-token: ${{ github.token }}
          script: |
            const pr = {
              owner: context.payload.repository.owner.login,
              repo: context.payload.repository.name,
              pull_number: context.payload.pull_request.number,
            };
            // Approve first, then merge; both calls are async and must be awaited
            // or the job can finish before the requests complete.
            await github.rest.pulls.createReview({ ...pr, event: 'APPROVE' });
            await github.rest.pulls.merge(pr);
There are also various third-party solutions available on GitHub Marketplace.
This is now an officially documented feature. You can approve a Dependabot pull request and set it to auto-merge with a GitHub Actions workflow like…
name: Dependabot auto-approve
# pull_request_target runs in the context of the base branch with a
# write-capable token: never check out or execute the PR's code in this job.
on: pull_request_target
permissions:
  contents: write
  pull-requests: write
jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: ${{ github.actor == 'dependabot[bot]' }}
    steps:
      - name: Dependabot metadata
        id: metadata
        # The version tag of this action was lost in extraction; v1 is an assumed pin.
        uses: dependabot/fetch-metadata@v1
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
      - name: Approve and enable auto-merge for Dependabot PRs
        # Only patch-level bumps of the named dependency qualify; everything else
        # waits for a human. 'my-dependency' is a placeholder.
        if: ${{ contains(steps.metadata.outputs.dependency-names, 'my-dependency') && steps.metadata.outputs.update-type == 'version-update:semver-patch' }}
        run: |
          gh pr review --approve "$PR_URL"
          gh pr merge --auto --merge "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Update: CODEOWNERS does allow negation after all
If you use code owners and the branch is protected, you may find this will still wait for code owner review to merge. You can require code owner review for all but the relevant files with a .github/CODEOWNERS file something like this:

*           @owner1 @owner2 @org/team1
# A path listed with no owner after it has no code owner, so changes to it do not wait for review
setup.cfg
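The gating condition in the workflow above (merge only semver-patch bumps of an allow-listed dependency) is the part worth getting right, because auto-merge turns any compromised upstream release into code on your default branch without a human in the loop. The following is an added example, not code from the answers above or from Dependabot itself: it classifies the version bump a PR carries, applies a per-dependency policy, and refuses anything that is not a Dependabot branch in the same repository. The PR objects and the policy are constructed for the example; in a real workflow the update type should come from dependabot/fetch-metadata's outputs rather than from parsing the PR title, which is used here only as an assumed stand-in.

```javascript
// Dependabot titles the PRs it opens "Bump <name> from <old> to <new>"
// (assumed format for this example).
const TITLE_RE = /^(?:Bump|Update) (\S+) from (\S+) to (\S+)/;

// Parse a loose semver string: "2.25.1", "v1.4" (patch defaults to 0),
// "3.0.0rc1" (pre-release suffix ignored). Returns null if unparseable.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)(?:\.(\d+))?/.exec(version);
  if (!m) return null;
  return { major: Number(m[1]), minor: Number(m[2]), patch: m[3] === undefined ? 0 : Number(m[3]) };
}

// Same value names as fetch-metadata's `update-type` output, so a policy
// written against this function also reads naturally in a workflow `if:`.
function updateType(oldVersion, newVersion) {
  const a = parseSemver(oldVersion);
  const b = parseSemver(newVersion);
  if (!a || !b) return null;
  if (a.major !== b.major) return "version-update:semver-major";
  if (a.minor !== b.minor) return "version-update:semver-minor";
  return "version-update:semver-patch";
}

function parseDependabotTitle(title) {
  const m = TITLE_RE.exec(title);
  return m ? { name: m[1], from: m[2], to: m[3] } : null;
}

// Ordering lets a policy express "up to minor".
const RANK = {
  "version-update:semver-patch": 1,
  "version-update:semver-minor": 2,
  "version-update:semver-major": 3,
};

// `pr` is shaped like the pull_request payload; `policy` maps dependency name
// to the most permissive update type allowed. Unlisted dependencies never merge.
function shouldAutoMerge(pr, policy) {
  if (pr.user.login !== "dependabot[bot]") return { merge: false, reason: "not opened by dependabot[bot]" };
  // Dependabot pushes to branches in the same repo; a fork head means someone else.
  if (pr.head.repo.full_name !== pr.base.repo.full_name) return { merge: false, reason: "head branch is on a fork" };
  if (!pr.head.ref.startsWith("dependabot/")) return { merge: false, reason: "not a dependabot/ branch" };
  const bump = parseDependabotTitle(pr.title);
  if (!bump) return { merge: false, reason: "title is not a Dependabot bump" };
  const type = updateType(bump.from, bump.to);
  if (!type) return { merge: false, reason: `cannot classify ${bump.from} -> ${bump.to}` };
  const allowed = policy[bump.name];
  if (!allowed) return { merge: false, reason: `${bump.name} is not on the allow-list` };
  if (RANK[type] > RANK[allowed]) return { merge: false, reason: `${type} exceeds ${allowed} for ${bump.name}` };
  return { merge: true, reason: `${bump.name}: ${type} is within policy` };
}

// Constructed policy: production dependency held to patch bumps, test tooling to minor.
const POLICY = {
  requests: "version-update:semver-patch",
  pytest: "version-update:semver-minor",
};

// Constructed PR objects mirroring the fields a pull_request event carries.
function makePr(title, login = "dependabot[bot]", ref = "dependabot/pip/requests-2.25.1", headRepo = "acme/app") {
  return { title, user: { login }, head: { ref, repo: { full_name: headRepo } }, base: { repo: { full_name: "acme/app" } } };
}

const SAMPLE_PRS = [
  makePr("Bump requests from 2.25.0 to 2.25.1"),                                              // patch, allowed
  makePr("Bump requests from 2.25.1 to 2.26.0"),                                              // minor, exceeds policy
  makePr("Bump pytest from 6.2.5 to 6.3.0", "dependabot[bot]", "dependabot/pip/pytest-6.3.0"), // minor, allowed
  makePr("Bump django from 3.2 to 4.0", "dependabot[bot]", "dependabot/pip/django-4.0"),      // not allow-listed
  makePr("Bump requests from 2.25.0 to 2.25.1", "mallory"),                                   // wrong author
  makePr("Bump requests from 2.25.0 to 2.25.1", "dependabot[bot]", "dependabot/pip/requests-2.25.1", "mallory/app"), // fork
];

function evaluateSamples() {
  return SAMPLE_PRS.map((pr) => ({ title: pr.title, ...shouldAutoMerge(pr, POLICY) }));
}

for (const r of evaluateSamples()) {
  console.log(r.merge ? "MERGE" : "HOLD ", r.title, "-", r.reason);
}
```

Note that the `github.actor == 'dependabot[bot]'` check in the workflows above is the equivalent of the author check here; the fork and branch-name checks are extra belt-and-braces for a `pull_request_target` job, which runs with a write-capable token and must never check out or run the PR's own code.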