
Auto merge dependabot PR after all checks have passed


I want to auto-merge Dependabot PRs once all checks (or workflows) on the Dependabot PR have passed.

Currently, I am using this logic to trigger auto-merge action:

on:
  workflow_run:
    workflows: ["Lint and Unit tests"]
    types:
      - completed

Once all checks have passed on the Dependabot PR, it triggers the auto-merge workflow, but the issue is that it does not work due to the lack of a pull_request payload in the workflow.

Errors and warnings on the auto-merge workflow: [screenshot]


Solution

  • The following workflow does it for us:

    name: Dependabot auto-merge
    on:
      pull_request_target:
        types: [review_requested]
    
    permissions:
      contents: write
      pull-requests: write
      packages: read
    
    jobs:
      dependabot:
        runs-on: ubuntu-latest
        if: ${{ github.actor == 'dependabot[bot]' }}
        steps:
          - name: Dependabot metadata
            id: metadata
            uses: dependabot/fetch-metadata@v1.3.4
            with:
              github-token: "${{ secrets.GITHUB_TOKEN }}"
              skip-commit-verification: true
    
          - name: Checkout repository
            uses: actions/checkout@v3
    
          - name: Approve a PR if not already approved
            run: |
              gh pr checkout "$PR_URL"
              if [ "$(gh pr status --json reviewDecision -q .currentBranch.reviewDecision)" != "APPROVED" ];
              then
                gh pr review --approve "$PR_URL"
              else
                echo "PR already approved.";
              fi
            env:
              PR_URL: ${{github.event.pull_request.html_url}}
              GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
    
          - name: Enable auto-merge for Dependabot PRs
            if: ${{ contains(github.event.pull_request.title, 'bump')}}
            run: gh pr merge --auto --merge "$PR_URL"
            env:
              PR_URL: ${{github.event.pull_request.html_url}}
              GITHUB_TOKEN: ${{secrets.RELEASE_TOKEN}}
    

    Where RELEASE_TOKEN has extended scopes (workflow, write:packages, admin:org), branch protection is activated (a review is required), Dependabot is configured with 'reviewers:' set, and auto-merge is enabled at the org and repo level.
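The gate the answer's workflow expresses in YAML (`github.actor == 'dependabot[bot]'`, title contains 'bump', event type review_requested) can be written out as a single decision function over the `pull_request_target` event payload that GitHub writes to `$GITHUB_EVENT_PATH`. The example below is added here; it is not code from the question or the answer. It assumes the standard payload fields of that event (`action`, `sender.login`, `pull_request.title/state/draft/user/head/base`) and adds one defensive condition the answer relies on implicitly: because `pull_request_target` jobs run with the base repository's secrets and the workflow runs `gh pr checkout` on the PR head, the PR head should be a branch of the same repository, which is where Dependabot pushes its branches. The sample events are constructed data, and `example-org/example-repo` is a placeholder name.

```python
"""Policy check for a Dependabot auto-merge workflow (added example).

Evaluates the same conditions as the answer's workflow over a
pull_request_target event payload and reports every failed condition,
so the workflow log explains why a PR was left for a human reviewer.
"""
import json
import os
import sys

DEPENDABOT_ACTOR = "dependabot[bot]"
TITLE_MARKER = "bump"                   # mirrors contains(github.event.pull_request.title, 'bump')
TRIGGER_ACTIONS = {"review_requested"}  # mirrors `types: [review_requested]`


def auto_merge_decision(event: dict) -> tuple[bool, list[str]]:
    """Return (allowed, reasons) for a pull_request_target event payload."""
    reasons: list[str] = []
    pr = event.get("pull_request") or {}
    head_repo = (pr.get("head") or {}).get("repo") or {}
    base_repo = (pr.get("base") or {}).get("repo") or {}

    if event.get("action") not in TRIGGER_ACTIONS:
        reasons.append(f"action {event.get('action')!r} is not a trigger")
    # github.actor in the workflow expression is the event's sender.
    if (event.get("sender") or {}).get("login") != DEPENDABOT_ACTOR:
        reasons.append("actor is not dependabot[bot]")
    if (pr.get("user") or {}).get("login") != DEPENDABOT_ACTOR:
        reasons.append("PR author is not dependabot[bot]")
    # GitHub's contains() is case-insensitive ("Bump ..." titles match 'bump').
    if TITLE_MARKER not in (pr.get("title") or "").lower():
        reasons.append(f"title does not contain {TITLE_MARKER!r}")
    if pr.get("state") != "open" or pr.get("draft"):
        reasons.append("PR is not an open, non-draft PR")
    # Added defensive check: the job runs with base-repo secrets and checks out
    # the PR head, so only accept heads that live in this repository.
    if not head_repo.get("full_name") or head_repo.get("full_name") != base_repo.get("full_name"):
        reasons.append("PR head is not a branch of the base repository")
    return (not reasons, reasons)


def load_event(path: str) -> dict:
    """Read the event payload GitHub writes to $GITHUB_EVENT_PATH."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def _sample_event(title, sender, head_repo, base_repo="example-org/example-repo",
                  action="review_requested", draft=False):
    """Build a constructed sample event (not real GitHub data)."""
    return {
        "action": action,
        "sender": {"login": sender},
        "pull_request": {
            "title": title,
            "state": "open",
            "draft": draft,
            "user": {"login": sender},
            "head": {"ref": "dependabot/npm_and_yarn/example-lib-2.0.1",
                     "repo": {"full_name": head_repo}},
            "base": {"ref": "main", "repo": {"full_name": base_repo}},
        },
    }


# Constructed sample events: one that should merge, two that should not.
SAMPLE_OK = _sample_event("Bump example-lib from 2.0.0 to 2.0.1",
                          DEPENDABOT_ACTOR, "example-org/example-repo")
SAMPLE_FORK = _sample_event("Bump example-lib from 2.0.0 to 2.0.1",
                            "some-user", "some-user/example-repo")
SAMPLE_TITLE = _sample_event("Refactor build scripts",
                             DEPENDABOT_ACTOR, "example-org/example-repo")


if __name__ == "__main__":
    # Inside a workflow step, GITHUB_EVENT_PATH is set; offline, use the sample.
    path = os.environ.get("GITHUB_EVENT_PATH")
    event = load_event(path) if path else SAMPLE_OK
    allowed, why = auto_merge_decision(event)
    print("auto-merge:", "allowed" if allowed else "blocked")
    for reason in why:
        print(" -", reason)
    sys.exit(0 if allowed else 1)
```

Run as a step before `gh pr merge --auto`, the script's exit status gates the merge step and its output records which condition failed; the `gh pr review --approve` and `gh pr merge --auto --merge` calls from the answer stay as they are.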