
Automating Dependabot with GitHub Actions

Examples of how you can use GitHub Actions to automate common Dependabot related tasks.

Who can use this feature?

Users with write access

You can use GitHub Actions to perform automated tasks when Dependabot creates pull requests to update dependencies. You may find this useful if you want to:

  • Ensure that Dependabot pull requests (version updates and security updates) are created with the right data for your work processes, including labels, names, and reviewers.

  • Trigger workflows to send Dependabot pull requests (version updates and security updates) into your review process or to merge automatically.

Note

Your site administrator must set up Dependabot updates for your GitHub Enterprise Server instance before you can use this feature. For more information, see Enabling Dependabot for your enterprise.

You may not be able to enable or disable Dependabot updates if an enterprise owner has set a policy at the enterprise level. For more information, see Enforcing policies for code security and analysis for your enterprise.

About Dependabot and GitHub Actions

Dependabot creates pull requests to keep your dependencies up to date. You can use GitHub Actions to perform automated tasks when these pull requests are created. For example, a workflow can fetch additional artifacts, add labels, run tests, or otherwise modify the pull request.

Dependabot is able to trigger GitHub Actions workflows on its pull requests and comments; however, certain events are treated differently. For more information, see Troubleshooting Dependabot on GitHub Actions.

Here are several common scenarios for pull requests that can be automated using GitHub Actions.

Fetching metadata about a pull request

Most automation requires you to know information about the contents of the pull request: the name of the dependency, whether it is a production dependency, and whether the update is a major, minor, or patch update. You can use an action to retrieve information about the dependencies being updated by a pull request generated by Dependabot.

Example:

YAML
name: Dependabot fetch metadata
on: pull_request

permissions:
  pull-requests: write
  issues: write
  repository-projects: write

jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo'
    steps:
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
      # The following properties are now available:
      #  - steps.metadata.outputs.dependency-names
      #  - steps.metadata.outputs.dependency-type
      #  - steps.metadata.outputs.update-type

For more information, see the dependabot/fetch-metadata repository.

Labeling a pull request

If you have other automation or triage workflows based on GitHub labels, you can configure an action to assign labels based on the metadata provided.

Example that flags all production dependency updates with a label:

YAML
name: Dependabot auto-label
on: pull_request

permissions:
  pull-requests: write
  issues: write
  repository-projects: write

jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo'
    steps:
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
      - name: Add a label for all production dependencies
        if: steps.metadata.outputs.dependency-type == 'direct:production'
        run: gh pr edit "$PR_URL" --add-label "production"
        env:
          PR_URL: ${{github.event.pull_request.html_url}}
          # The GitHub CLI needs a token to call the API; without it this step fails with an authentication error.
          GH_TOKEN: ${{secrets.GITHUB_TOKEN}}

Automatically approving a pull request

You can automatically approve Dependabot pull requests by using the GitHub CLI in a workflow.

Example:

YAML
name: Dependabot auto-approve
on: pull_request

permissions:
  pull-requests: write

jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo'
    steps:
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
      - name: Approve a PR
        run: gh pr review --approve "$PR_URL"
        env:
          PR_URL: ${{github.event.pull_request.html_url}}
          GH_TOKEN: ${{secrets.GITHUB_TOKEN}}

Enabling automerge on a pull request

If you want to allow maintainers to mark certain pull requests for automerge, you can use GitHub's automerge functionality. A pull request marked this way is merged as soon as all tests and approvals required by the branch protection rules are met.

For more information, see Automatically merging a pull request and Managing a branch protection rule.

You can instead use GitHub Actions and the GitHub CLI. Here is an example that automerges all patch updates to my-dependency:

YAML
name: Dependabot auto-merge
on: pull_request

permissions:
  contents: write
  pull-requests: write

jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo'
    steps:
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
      - name: Enable auto-merge for Dependabot PRs
        if: contains(steps.metadata.outputs.dependency-names, 'my-dependency') && steps.metadata.outputs.update-type == 'version-update:semver-patch'
        run: gh pr merge --auto --merge "$PR_URL"
        env:
          PR_URL: ${{github.event.pull_request.html_url}}
          GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
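The labeling and auto-merge decisions above, as an added shell example that is not part of the GitHub docs or of dependabot/fetch-metadata: it reads the same three outputs but compares each dependency name exactly against an allowlist, because the expression `contains(steps.metadata.outputs.dependency-names, 'my-dependency')` is a substring test and also matches any longer package name that happens to contain that string. The allowlist, the merge policy and the `triage` helper are assumptions.

```shell
#!/bin/sh
# Added example, not from the GitHub docs or the fetch-metadata action.
# Triage a Dependabot PR from the fetch-metadata outputs used on this page,
# matching dependency names exactly instead of with contains() (substring).

# Assumed allowlist of packages whose patch updates may merge unattended.
ALLOWED_DEPS="my-dependency,lodash"

# all_allowlisted "name1, name2"  -> 0 only if every name is in ALLOWED_DEPS
all_allowlisted() {
  list="$1"
  [ -n "$list" ] || return 1
  old_ifs="$IFS"; IFS=','
  for raw in $list; do
    name="$(printf '%s' "$raw" | tr -d ' ')"   # drop the ", " separator spaces
    ok=1
    for allowed in $ALLOWED_DEPS; do
      if [ "$name" = "$allowed" ]; then ok=0; break; fi
    done
    if [ "$ok" -ne 0 ]; then IFS="$old_ifs"; return 1; fi
  done
  IFS="$old_ifs"
  return 0
}

# triage NAMES DEPENDENCY_TYPE UPDATE_TYPE -> prints one of:
#   merge       patch update and every dependency allowlisted (gh pr merge --auto)
#   production  direct:production dependency that needs review (gh pr edit --add-label)
#   review      everything else: leave for a human
triage() {
  names="$1"; dep_type="$2"; update_type="$3"
  if [ "$update_type" = "version-update:semver-patch" ] && all_allowlisted "$names"; then
    echo merge
  elif [ "$dep_type" = "direct:production" ]; then
    echo production
  else
    echo review
  fi
}

# In a workflow step (NAMES, DEP_TYPE, UPDATE_TYPE and PR_URL passed via env:):
#   run: |
#     case "$(triage "$NAMES" "$DEP_TYPE" "$UPDATE_TYPE")" in
#       merge)      gh pr merge --auto --merge "$PR_URL" ;;
#       production) gh pr edit "$PR_URL" --add-label "production" ;;
#     esac
```

Pass `steps.metadata.outputs.dependency-names`, `dependency-type` and `update-type` to the script through `env:` as the page's examples do for `PR_URL`, so the values are read as data rather than interpolated into the shell command.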

Note

If you use status checks to test pull requests, you should enable Require status checks to pass before merging for the target branch for Dependabot pull requests. This branch protection rule ensures that pull requests are not merged unless all the required status checks pass. For more information, see Managing a branch protection rule.

Investigating failed workflow runs

If your workflow run fails, check the following:

  • You are running the workflow only when the correct actor triggers it.
  • You are checking out the correct ref for your pull_request.
  • Your secrets are available in Dependabot secrets rather than as GitHub Actions secrets.
  • You have a GITHUB_TOKEN with the correct permissions.

For information on writing and debugging GitHub Actions, see Writing workflows.

For more tips to help resolve issues with workflows, see Troubleshooting Dependabot on GitHub Actions.