{"id":20954587,"url":"https://github.com/dersimn/github-actions-dependabot-auto-merge","last_synced_at":"2026-03-14T20:23:30.117Z","repository":{"id":259472198,"uuid":"875266148","full_name":"dersimn/GitHub-Actions-Dependabot-Auto-Merge","owner":"dersimn","description":null,"archived":false,"fork":false,"pushed_at":"2025-02-17T21:36:05.000Z","size":317,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-02-17T22:28:49.711Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Dockerfile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dersimn.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-10-19T14:26:57.000Z","updated_at":"2025-02-17T21:36:03.000Z","dependencies_parsed_at":"2024-10-25T20:17:51.529Z","dependency_job_id":"23e7ad41-3a6d-4577-9917-6ad3caefcc00","html_url":"https://github.com/dersimn/GitHub-Actions-Dependabot-Auto-Merge","commit_stats":null,"previous_names":["dersimn/github-actions-dependabot-auto-merge"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dersimn%2FGitHub-Actions-Dependabot-Auto-Merge","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dersimn%2FGitHub-Actions-Dependabot-Auto-Merge/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dersimn%2FGitHub-Actions-Dependabot-Auto-Merge/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dersimn%2
FGitHub-Actions-Dependabot-Auto-Merge/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dersimn","download_url":"https://codeload.github.com/dersimn/GitHub-Actions-Dependabot-Auto-Merge/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243351860,"owners_count":20276911,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-19T01:15:22.362Z","updated_at":"2025-12-25T21:02:47.765Z","avatar_url":"https://github.com/dersimn.png","language":"Dockerfile","funding_links":[],"categories":[],"sub_categories":[],"readme":"\n## tl;dr:\n\n- Using the `GITHUB_TOKEN` works, __but__ it won't trigger any following Workflows. You can still use this if you don't build any code on GitHub anyways.\n\n- Secret must be set under `Secrets and Variables \u003e Dependabot`\n\n- The created Pull Request is merged _without_ checking if build is passing. To merge only if build is passing, configure a Ruleset for the default branch and enable _Require status checks to pass_.\n\n\n## Findings\n\n- Using the `GITHUB_TOKEN` works, __but__ it won't trigger any following Workflows. 
You can still use this if you don't build any code on GitHub anyways.\n\n- When using a Personal Access Token you need the permissions:\n    - Fine-grained personal access token:\n        - Contents read/write\n        - Pull-requests: read/write\n        - (basically that's the same that you specify in YAML for `GITHUB_TOKEN`)\n    - Classic Token needs only scope `repo`\n\n- Secret must be set under `Secrets and Variables \u003e Dependabot`:\n\n    ![](docs/dependabot_secrets.png)\n\n    It won't be accessible by the Pull Request when saving under `Secrets and Variables \u003e Actions`. Typical error message is:\n\n    ```\n    github-token is not set! Please add 'github-token: \"${{ secrets.GITHUB_TOKEN }}\"' to your workflow file.\n    ```\n\n- Using Event `pull_request_target` instead gives access to `Secrets and Variables \u003e Actions` variables, **but** read this first:\n\n    - [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/)\n\n- Using \"Ruleset\" with these settings:\n\n    ![](docs/ruleset_target.png)\n    ![](docs/ruleset_status_check.png)\n\n  Ensures that the `dummy.yml` Workflow must be successful in order to merge the PR.\n\n    - Side Effect: You can't push directly to `master` anymore.\n    - Leaving _Status checks that are required_ empty is like disabling the rule (there seems to be no way of saying _all_ checks must pass).\n    - It is possible to circumvent the checks by hacking `dummy.yml` in the Pull Request (because the YAML within the PR is used for the status check and _not_ the YAML in the current `master` branch).\n\n- When Auto-Merge is enabled:\n\n    ![](docs/auto_merge.png)\n\n  Even a failing PR (because the required Status Checks are failing) will result in a successful Job, even if the PR is not merged into master yet:\n\n    ![](docs/auto_merge_enabled.png)\n\n  You then have to check out the branch and fix the failing Workflows (pushing to the `dependabot/something` branch is allowed). If you push this back and the Workflows are succeeding, the PR is immediately merged.\n\n
- With Auto-Merge disabled, the job fails\n\n    ![](docs/auto_merge_disabled.png)\n\n  and fixing it offline and pushing back will not auto-merge; you still have to click in the GitHub PR to merge.\n\n- When having _Require branches to be up to date before merging_ enabled, it is not possible to merge `de-bump/2` here, even if all required steps are succeeding:\n\n    ![](docs/require_up_to_date.png)\n    ![](docs/require_up_to_date_pr.png)\n\n  Clicking the _Update branch_ button causes a merge of `master` into `de-bump/2`.\n\n\n## Clean Testing\n\nFor clean testing, re-create the Repository on GitHub when it gets too polluted with Tags and Releases:\n\n    gh repo delete --yes\n    gh repo create --public ${${$(git remote get-url origin)##*/}%.git}\n    gh secret set PERSONAL_ACCESS_TOKEN --body '\u003cTOKEN\u003e' --app dependabot\n\n    git tag | xargs git tag -d\n    git push -u origin master\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdersimn%2Fgithub-actions-dependabot-auto-merge","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdersimn%2Fgithub-actions-dependabot-auto-merge","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdersimn%2Fgithub-actions-dependabot-auto-merge/lists"}