GitHub Action
Dependabot Auto Merge Action
Automatically merge Dependabot PRs when version comparison is within range.
Note: Dependabot will wait until all your status checks pass before merging. This is a function of Dependabot itself, and not this Action.
name: auto-merge
on:
pull_request:
jobs:
auto-merge:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: buluma/dependabot-auto-merge-action@v2
with:
target: minor
github-token: ${{ secrets.mytoken }}
The action will only merge PRs whose checks (CI/CD) pass.
Minimal setup:
steps:
- uses: buluma/dependabot-auto-merge-action@v2
with:
github-token: ${{ secrets.mytoken }}
Only merge if the changed dependency version is a patch
(default behavior):
steps:
- uses: buluma/dependabot-auto-merge-action@v2
with:
target: patch
github-token: ${{ secrets.mytoken }}
Only merge if the changed dependency version is a minor
:
steps:
- uses: buluma/dependabot-auto-merge-action@v2
with:
target: minor
github-token: ${{ secrets.mytoken }}
Using a configuration file:
steps:
- uses: actions/checkout@v2
- uses: buluma/dependabot-auto-merge-action@v2
with:
github-token: ${{ secrets.mytoken }}
- match:
dependency_type: all
update_type: "semver:minor" # includes patch updates!
input | required | default | description |
---|---|---|---|
github-token |
✔ | github.token |
The GitHub token used to merge the pull-request |
config |
✔ | .github/auto-merge.yml |
Path to configuration file (relative to root) |
target |
❌ | patch |
The version comparison target (major, minor, patch) |
command |
❌ | merge |
The command to pass to Dependabot |
botName |
❌ | dependabot |
The bot to tag in approve/comment message. |
approve |
❌ | true |
Auto-approve pull-requests |
The GitHub token is a Personal Access Token with the following scopes:
repo
for private repositoriespublic_repo
for public repositories
The token MUST be created from a user with push
permission to the repository.
ℹ see reference for user owned repos and for org owned repos
Using the configuration file (specified with config
input), you have the option to provide a more fine-grained configuration. The following example configuration file merges
- minor updates for
aws-sdk
- minor development dependency updates
- patch production dependency updates
- minor security-critical production dependency updates
- match:
dependency_name: aws-sdk
update_type: semver:minor
- match:
dependency_type: development
update_type: semver:minor # includes patch updates!
- match:
dependency_type: production
update_type: security:minor # includes patch updates!
- match:
dependency_type: production
update_type: semver:patch
property | required | supported values |
---|---|---|
dependency_name |
❌ | full name of dependency, or a regex string |
dependency_type |
❌ | all , production , development |
update_type |
✔ | all , security:* , semver:* |
update_type
can specify security match or semver match with the syntax:${type}:${match}
, e.g.
security:patch
SemVer patch update that fixes a known security vulnerabilitysemver:patch
SemVer patch update, e.g. > 1.x && 1.0.1 to 1.0.3semver:minor
SemVer minor update, e.g. > 1.x && 2.1.4 to 2.3.1To allow
prereleases
, the correspondingprepatch
,preminor
andpremajor
types are also supported
By default, if no configuration file is present in the repo, the action will assume the following:
- match:
dependency_type: all
update_type: semver:${TARGET}
Where
$TARGET
is thetarget
value from the action Inputs
The syntax is based on the legacy dependaBot v1 config format.
However, in_range
is not supported yet.
- Parsing of version ranges is not currently supported
Update stone requirement from ==1.* to ==3.*
requirements: update sphinx-autodoc-typehints requirement from <=1.11.0 to <1.12.0
Update rake requirement from ~> 10.4 to ~> 13.0
- Parsing of non semver numbering is not currently supported
Bump actions/cache from v2.0 to v2.1.2
chore(deps): bump docker/build-push-action from v1 to v2
- Sometimes Dependabot does not include the "from" version, so version comparison logic is impossible:
Update actions/setup-python requirement to v2.1.4
Update actions/cache requirement to v2.1.2
if your config is anything other than update_type: all
, or update_type: semver:all
the action will fallback to manual merge, since there is no way to compare version ranges for merging.