{"id":13524205,"url":"https://github.com/fastify/github-action-merge-dependabot","last_synced_at":"2025-05-14T12:08:39.689Z","repository":{"id":36960329,"uuid":"311993621","full_name":"fastify/github-action-merge-dependabot","owner":"fastify","description":"This action automatically approves and merges dependabot PRs.","archived":false,"fork":false,"pushed_at":"2024-10-21T11:21:25.000Z","size":2974,"stargazers_count":160,"open_issues_count":14,"forks_count":35,"subscribers_count":16,"default_branch":"main","last_synced_at":"2024-10-29T14:46:47.447Z","etag":null,"topics":["dependabot","pull-requests"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/fastify.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"fastify","open_collective":"fastify"}},"created_at":"2020-11-11T14:23:33.000Z","updated_at":"2024-10-21T11:21:27.000Z","dependencies_parsed_at":"2023-01-05T05:32:20.897Z","dependency_job_id":"9d8698b9-1ae1-46ee-985b-5f5190945e27","html_url":"https://github.com/fastify/github-action-merge-dependabot","commit_stats":{"total_commits":471,"total_committers":36,"mean_commits":"13.083333333333334","dds":0.3036093418259024,"last_synced_commit":"eaaf768bce80287e787b240974130acc5edcc800"},"previous_names":[],"tags_count":71,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fastify%2Fgithub-action-merge-dependabot","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fastify%2Fgithub-act
ion-merge-dependabot/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fastify%2Fgithub-action-merge-dependabot/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fastify%2Fgithub-action-merge-dependabot/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/fastify","download_url":"https://codeload.github.com/fastify/github-action-merge-dependabot/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248345267,"owners_count":21088244,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dependabot","pull-requests"],"created_at":"2024-08-01T06:01:08.016Z","updated_at":"2025-04-11T05:06:10.826Z","avatar_url":"https://github.com/fastify.png","language":"JavaScript","readme":"# Github Action Merge Dependabot\n\nThis action automatically approves and merges dependabot PRs.\n\n## Usage\n\nConfigure this action in your workflows providing the inputs described below.\nNote that this action requires a GitHub token with additional permissions. 
You must use the [`permissions`](https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#permissions) tag to specify the required rules or configure your [GitHub account](https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/).\n\nThe permissions required are:\n\n- [`pull-requests`](https://docs.github.com/en/rest/overview/permissions-required-for-github-apps?apiVersion=2022-11-28#pull-requests): it is needed to approve PRs.\n- [`contents`](https://docs.github.com/en/rest/overview/permissions-required-for-github-apps?apiVersion=2022-11-28#contents): it is necessary to merge the pull request. You don't need it if you set `approve-only: true`, see [Approving without merging](#approving-without-merging) example below.\n\nIf some of the required permissions are missing, the action will fail with the error message:\n\n```\nError: Resource not accessible by integration\n```\n\n## Inputs\n\n| input                      | required | default             | description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |\n| -------------------------- | -------- | ------------------- | 
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |\n| `github-token`             | No       | `${{github.token}}` | A GitHub token.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |\n| `exclude`                  | No       |                     | A comma or semicolon separated value of packages that you don't want to auto-merge and would like to manually review to decide whether to upgrade or not.                                                                                                                                                                                                             
                                                                                                                                                                                                                                                                                                                                                                                                            |\n| `approve-only`             | No       | `false`             | If `true`, the PR is only approved but not merged.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |\n| `merge-method`             | No       | `squash`            | The merge method you would like to use (squash, merge, rebase).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             
                                      |\n| `merge-comment`            | No       | `''`                | An arbitrary message that you'd like to comment on the PR after it gets auto-merged. This is only useful when you're receiving too much of noise in email and would like to filter mails for PRs that got automatically merged.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |\n| `use-github-auto-merge`    | No       | `false`             | If `true`, the PR is marked as auto-merge and will be merged by GitHub when status checks are satisfied.\u003cbr /\u003e\u003cbr /\u003e_NOTE_: This feature only works when all of the following conditions are met.\u003cbr /\u003e- The repository enables auto-merge. \u003cbr /\u003e- The pull request base must have a branch protection rule. \u003cbr /\u003e- The pull request's status checks are not yet satisfied.\u003cbr /\u003e\u003c/br\u003eRefer to [the official document](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/automatically-merging-a-pull-request) about GitHub auto-merge.                                                                                                                                                                       
|\n| `target`                   | No       | `any`               | A flag to only auto-merge updates based on Semantic Versioning.\u003cbr /\u003ePossible options are: `major, premajor, minor, preminor, patch, prepatch, prerelease, any`.\u003cbr /\u003e\u003cbr /\u003eThe value of this flag allows for updates for all the matching versions **and lower** with the respect for priority. This means, for example, if the `target` is set to `major` and the update is made to `minor` version the auto-merge will be triggered.\u003cbr /\u003e\u003cbr /\u003eFor more details on how semantic version difference is calculated please see [semver](https://www.npmjs.com/package/semver) package.\u003cbr /\u003e\u003cbr /\u003eIf you set a value other than `any`, PRs that are not semantic version compliant are skipped. An example of a non-semantic version is a commit hash when using git submodules. |\n| `target-development`       | No       |                     | Same as `target` but specifies semver for `development` dependencies only. If present, then it overrides the value in `target` for `development` dependencies.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |\n| `target-production`        | No       |                     | Same as `target` but specifies semver for `production` dependencies only. If present, then it overrides the value in `target` for `production` dependencies.                                                                 
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |\n| `target-indirect`          | No       |                     | Same as `target` but specifies semver for indirect dependency updates only. If present, then it overrides the value in `target` for indirect dependency updates.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |\n| `pr-number`                | No       |                     | A pull request number, only required if triggered from a workflow_dispatch event. Typically this would be triggered by a script running in a separate CI provider. See [Trigger action from workflow_dispatch event](#trigger-action-from-workflow_dispatch-event) example.                                                                                                                                                                                                                                                                                                                        
                                                                                                                                                                               |\n| `skip-commit-verification` | No       | `false`             | If `true`, then the action will not expect the commits to have a verification signature. It is required to set this to `true` in GitHub Enterprise Server.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |\n| `skip-verification`        | No       | `false`             | If true, the action will not validate the user or the commit verification status                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |\n\n## Output\n\n| outputs      | Description                                                                                                                                         
                                                                                                                                   |\n| ------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |\n| merge_status | The result status of the merge. It can be one of the following: `approved`, `merged`, `auto_merge`, `merge_failed`, `skipped:commit_verification_failed`, `skipped:not_a_dependabot_pr`, `skipped:cannot_update_major`, `skipped:bump_higher_than_target`, `skipped:packaged_excluded` |\n\n## Examples\n\n### Basic example\n\n```yml\nname: CI\non:\n  push:\n    branches:\n      - main\n  pull_request:\n\njobs:\n  build:\n    runs-on: ubuntu-latest\n    steps:\n      # ...\n\n  automerge:\n    needs: build\n    runs-on: ubuntu-latest\n\n    permissions:\n      pull-requests: write\n      contents: write\n\n    steps:\n      - uses: fastify/github-action-merge-dependabot@v3\n```\n\n### Excluding packages\n\n```yml\npermissions:\n  pull-requests: write\n  contents: write\n\nsteps:\n  - uses: fastify/github-action-merge-dependabot@v3\n    with:\n      exclude: 'react,fastify'\n```\n\n### Approving without merging\n\n```yml\npermissions:\n  pull-requests: write\nsteps:\n  - uses: fastify/github-action-merge-dependabot@v3\n    with:\n      approve-only: true\n```\n\n### Specifying target versions\n\n#### Specifying target for all packages\n\n```yml\nsteps:\n  - uses: fastify/github-action-merge-dependabot@v3\n    with:\n      target: 'minor'\n```\n\n#### Specifying target for development and production packages separately\n\n```yml\nsteps:\n  - uses: fastify/github-action-merge-dependabot@v3\n    with:\n      target-development: 'major'\n      target-production: 'minor'\n```\n\n### Trigger action from workflow_dispatch event\n\nIf you 
need to trigger this action manually, you can use the [`workflow_dispatch`](https://docs.github.com/en/actions/reference/events-that-trigger-workflows#workflow_dispatch) event. A use case might be that your CI runs on a separate provider, so you would like to run this action as a result of a successful CI run.\n\nWhen using the `workflow_dispatch` approach, you will need to send the PR number as part of the input for this action:\n\n```yml\nname: automerge\n\non:\n  workflow_dispatch:\n    inputs:\n      pr-number:\n        required: true\n\njobs:\n  automerge:\n    runs-on: ubuntu-latest\n    permissions:\n      pull-requests: write\n      contents: write\n    steps:\n      - uses: fastify/github-action-merge-dependabot@v3\n        with:\n          pr-number: ${{ github.event.inputs.pr-number }}\n```\n\nYou can initiate a call to trigger this event via [API](https://docs.github.com/en/rest/reference/actions/#create-a-workflow-dispatch-event):\n\n```bash\n# Note: replace dynamic values with your relevant data\ncurl -X POST \\\n  -H \"Accept: application/vnd.github.v3+json\" \\\n  -H \"Authorization: token {token}\" \\\n  https://api.github.com/repos/{owner}/{reponame}/actions/workflows/{workflow}/dispatches \\\n  -d '{\"ref\":\"{ref}\", \"inputs\":{ \"pr-number\": \"{number}\"}}'\n```\n\n## How to upgrade from `2.x` to new `3.x`\n\n- Update the action version.\n- Add the new `permissions` configuration into your workflow or, instead, you can set the permissions rules on [the repository](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository) or on [the 
organization](https://docs.github.com/en/enterprise-server@3.3/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-workflow-permissions-in-your-enterprise).\n- Uninstall the [dependabot-merge-action](https://github.com/apps/dependabot-merge-action) GitHub App from your repos/orgs.\n- If you have customized the `api-url` you can:\n  - Remove the `api-url` option from your workflow.\n  - Turn off the [`dependabot-merge-action-app`](https://github.com/fastify/dependabot-merge-action-app/) application.\n\nMigration example:\n\n```diff\njobs:\n  build:\n    runs-on: ubuntu-latest\n    steps:\n      # ...\n\n  automerge:\n    needs: build\n    runs-on: ubuntu-latest\n+    permissions:\n+      pull-requests: write\n+      contents: write\n    steps:\n-     - uses: fastify/github-action-merge-dependabot@v2.1.1\n+     - uses: fastify/github-action-merge-dependabot@v3\n```\n\n## Notes\n\n- A GitHub token is automatically provided by GitHub Actions, which can be accessed using `github.token`. 
If you want to provide a token that's not the default one you can use the `github-token` input.\n- Make sure to use `needs: \u003cjobs\u003e` to delay the auto-merging until CI checks (test/build) are passed.\n- If you want to use GitHub's [auto-merge](https://docs.github.com/en/github/collaborating-with-issues-and-pull-requests/automatically-merging-a-pull-request) feature but still use this action to approve Pull Requests without merging, use `approve-only: true`.\n\n## Acknowledgements\n\nThis project is kindly sponsored by [NearForm](https://nearform.com)\n","funding_links":["https://github.com/sponsors/fastify","https://opencollective.com/fastify"],"categories":["JavaScript"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffastify%2Fgithub-action-merge-dependabot","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffastify%2Fgithub-action-merge-dependabot","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffastify%2Fgithub-action-merge-dependabot/lists"}