
Automatically merging Dependabot security pull requests using GitHub Actions

Dependabot is a tool for automated dependency updates. It opens a separate pull request for every dependency it wants to update, and GitHub uses it to deliver security updates. The catch is that someone still has to review and merge each of those pull requests. With GitHub Actions we can approve and merge Dependabot's pull requests automatically.

To do that, create a new workflow file, .github/workflows/dependabot.yml:

name: 'Dependabot Automerge'
 
on: pull_request
 
jobs:
  worker:
    runs-on: ubuntu-latest
 
    # Only run for pull requests whose triggering actor is Dependabot itself
    if: github.actor == 'dependabot[bot]'
    steps:
      - uses: actions/github-script@v3
        with:
          script: |
            const pr = {
              owner: context.payload.repository.owner.login,
              repo: context.payload.repository.name,
              pull_number: context.payload.pull_request.number
            };
            // The script body runs inside an async function, so both calls can
            // be awaited: the approval has to be recorded before the merge is
            // attempted, otherwise the merge can race ahead of it.
            await github.pulls.createReview({ ...pr, event: 'APPROVE' });
            await github.pulls.merge({ ...pr, merge_method: 'squash' });

This approves and merges every pull request that Dependabot opens, not only the security updates from the title: ordinary version bumps, major releases included, go through as well, and the merge is attempted as soon as the pull request is opened, before any CI on the branch has run. If branch protection requires status checks, the merge call is rejected (HTTP 405) until they pass, which is a safety net worth keeping. The github.actor condition is the only gate: it stops runs triggered by other users, but nothing filters what kind of update gets merged. Two things to check before enabling it: make sure the GITHUB_TOKEN the run receives actually has write access to contents and pull requests (a permissions block with contents: write and pull-requests: write in the workflow makes that explicit; GitHub has since tightened the default permissions for Dependabot-triggered runs, and a read-only token makes both API calls fail with 403), and decide whether you really want major version bumps merged without a look.
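As an added example, not code from the original post or from Dependabot, here is the gate a practitioner would typically put in front of the approve-and-merge step: it parses Dependabot's default pull request title ("Bump <name> from <old> to <new>", optionally behind a configured prefix such as "chore(deps):"), classifies the bump as patch, minor or major, refuses pull requests from forks, and only merges the levels the policy allows. The merge itself goes through an injected Octokit-style client with the same pulls.createReview and pulls.merge calls as the workflow above, so the logic can be run offline against the constructed sample event and fake client at the bottom. The function names, the policy shape and the sample repository are this example's own assumptions, not GitHub's API.

```javascript
// Added example (not from the original post): policy-gated automerge for
// Dependabot pull requests. Assumption: the default Dependabot title format,
// with at most a "prefix: " in front of it. Grouped or custom titles are
// deliberately rejected rather than guessed at.
const TITLE_RE = /^(?:\S+\s*:\s*)?(?:bump|update)\s+(.+?)\s+from\s+(\S+)\s+to\s+(\S+)/i;

function parseDependabotTitle(title) {
  const m = TITLE_RE.exec(title.trim());
  return m ? { name: m[1], from: m[2], to: m[3] } : null;
}

// Parse "1.2.3", "v1.2" or "2" into [major, minor, patch]; missing parts are 0,
// so action tags such as "from 2 to 3" compare as a major bump.
function parseVersion(v) {
  const m = /^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?/.exec(v);
  return m ? [m[1], m[2] || '0', m[3] || '0'].map(Number) : null;
}

// Classify a bump as 'major' | 'minor' | 'patch'; null if unparseable or equal.
function bumpLevel(from, to) {
  const a = parseVersion(from), b = parseVersion(to);
  if (!a || !b) return null;
  if (a[0] !== b[0]) return 'major';
  if (a[1] !== b[1]) return 'minor';
  if (a[2] !== b[2]) return 'patch';
  return null;
}

// Decide whether a PR may be merged without a human. `actor` is the user who
// triggered the workflow run, `pr` is the pull_request object from the event.
function shouldAutomerge(actor, pr, policy = { allow: ['patch', 'minor'] }) {
  if (actor !== 'dependabot[bot]') return { ok: false, reason: 'not triggered by dependabot[bot]' };
  // Dependabot pushes its branches to the repository itself; refuse forks.
  if (pr.head.repo.full_name !== pr.base.repo.full_name) return { ok: false, reason: 'head branch is on a fork' };
  const parsed = parseDependabotTitle(pr.title);
  if (!parsed) return { ok: false, reason: 'unrecognised title (grouped or custom update)' };
  const level = bumpLevel(parsed.from, parsed.to);
  if (!level) return { ok: false, reason: 'version numbers not comparable' };
  if (!policy.allow.includes(level)) return { ok: false, reason: `${level} bump of ${parsed.name} needs review` };
  return { ok: true, reason: `${level} bump of ${parsed.name}`, level, name: parsed.name };
}

// Approve and merge through `github` (an Octokit REST client, as github-script
// provides) when the policy allows it. Both calls are awaited so the approval
// is recorded before the merge is attempted.
async function automerge(github, context, policy) {
  const pr = context.payload.pull_request;
  const decision = shouldAutomerge(context.actor, pr, policy);
  if (!decision.ok) return decision;
  const target = { owner: context.repo.owner, repo: context.repo.repo, pull_number: pr.number };
  await github.pulls.createReview({ ...target, event: 'APPROVE' });
  await github.pulls.merge({ ...target, merge_method: 'squash' });
  return decision;
}

// Constructed sample event (example-org/widgets is not a real repository) and
// a fake client that records the calls it receives, so this runs offline.
function sampleContext(title) {
  const repo = { full_name: 'example-org/widgets' };
  return {
    actor: 'dependabot[bot]',
    repo: { owner: 'example-org', repo: 'widgets' },
    payload: { pull_request: { number: 42, title, head: { repo }, base: { repo } } },
  };
}

function fakeClient() {
  const calls = [];
  return {
    calls,
    pulls: {
      createReview: async (p) => { calls.push(['createReview', p]); return { status: 200 }; },
      merge: async (p) => { calls.push(['merge', p]); return { status: 200 }; },
    },
  };
}

const demoClient = fakeClient();
automerge(demoClient, sampleContext('Bump lodash from 4.17.15 to 4.17.19'))
  .then((d) => console.log(d, demoClient.calls.map((c) => c[0])));
```

In a real workflow the `automerge` function would be called from the github-script step as `await automerge(github, context)`, and a `{ ok: false }` decision is the normal outcome for anything the policy does not cover, which is exactly what you want from a merge gate: when in doubt, leave the pull request for a human.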


I’ve also created an Mrm task to add this workflow with a single command: npx mrm dependabot.


Based on the article by Toufik Airane.