How do I automerge dependabot updates (config version 2)?

Question

Following "Dependabot is moving natively into GitHub!", I had to update my dependabot config files to use version 2 format.

My .dependabot/config.yaml did look like:

version: 1
update_configs:
  - package_manager: "python"
    directory: "/"
    update_schedule: "live"
    automerged_updates:
      - match:
          dependency_type: "all"
          update_type: "all"

I've got the following working:

version: 2
updates:
- package-ecosystem: pip
  directory: "/"
  schedule:
    interval: daily

but I can't seem to add the automerge option again (when checking with the dependabot validator)?

Answer 1

Here is one solution that doesn't require any additional marketplace installations (originally found here). Simply create a new GitHub workflow (e.g. .github/workflows/dependabotautomerge.yml) containing:

name: "Dependabot Automerge - Action"

on:
  pull_request:

jobs:
  worker:
    runs-on: ubuntu-latest

    if: github.actor == 'dependabot[bot]'
    steps:
      - name: automerge
        uses: actions/[email protected]
        with:
          script: |
            github.pullRequests.createReview({
              owner: context.payload.repository.owner.login,
              repo: context.payload.repository.name,
              pull_number: context.payload.pull_request.number,
              event: 'APPROVE'
            })
            github.pullRequests.merge({
              owner: context.payload.repository.owner.login,
              repo: context.payload.repository.name,
              pull_number: context.payload.pull_request.number
            })
          github-token: ${{github.token}}

There are also various third-party solutions available on GitHub Marketplace.

Answer 2

Auto-merge was disabled on the Dependabot into GitHub:

Auto-merge will not be supported in GitHub-native Dependabot for the foreseeable future. We know some of you have built great workflows that rely on auto-merge, but right now, we’re concerned about auto-merge being used to quickly propagate a malicious package across the ecosystem. We recommend always verifying your dependencies before merging them.

There are some hacks to accomplish this job, you can check GitHub dependabot-core issue #1973 for some ideas.

Answer 3

This is now an officially documented feature. You can approve a Dependabot pull request and set it to auto-merge with a GitHub Actions workflow like…

name: Dependabot auto-approve
on: pull_request_target
    
permissions:
  contents: write
  pull-requests: write
    
jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: ${{ github.actor == 'dependabot[bot]' }}
    steps:
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/[email protected]
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
      - name: Enable auto-merge for Dependabot PRs
        if: ${{contains(steps.metadata.outputs.dependency-names, 'my-dependency') && steps.metadata.outputs.update-type == 'version-update:semver-patch'}}
        run: gh pr merge --auto --merge "$PR_URL"
        env:
          PR_URL: ${{github.event.pull_request.html_url}}
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}

Update: CODEOWNERS does allow negation after all

If you use code owners and the branch is protected, you may find this will still wait for code owner review to merge. You can require codeowner review for all but the relevant files with a .github/CODEOWNERS file something like this:

* owner1 owner2 @org/team1
setup.cfg  # setup.cfg is not owned