{"id":23613672,"url":"https://github.com/freckle/mergeabot-action","last_synced_at":"2026-02-28T11:07:18.592Z","repository":{"id":149146577,"uuid":"545584542","full_name":"freckle/mergeabot-action","owner":"freckle","description":"Auto-merge Dependabot PRs, after a certain number of days","archived":false,"fork":false,"pushed_at":"2024-12-12T19:56:03.000Z","size":167,"stargazers_count":1,"open_issues_count":0,"forks_count":1,"subscribers_count":10,"default_branch":"main","last_synced_at":"2024-12-12T20:39:38.425Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/freckle.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-10-04T16:20:16.000Z","updated_at":"2024-11-19T23:02:11.000Z","dependencies_parsed_at":"2024-12-12T20:32:02.756Z","dependency_job_id":"3c73d4ec-3c8f-49fb-8e3e-dce59a5234bd","html_url":"https://github.com/freckle/mergeabot-action","commit_stats":null,"previous_names":[],"tags_count":14,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/freckle%2Fmergeabot-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/freckle%2Fmergeabot-action/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/freckle%2Fmergeabot-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/freckle%2Fmergeabot-action/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/freckle","download_url":"https://codeload.github.com/freckle/mergeabot-action/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":231515571,"owners_count":18388479,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-12-27T17:18:40.414Z","updated_at":"2026-02-28T11:07:13.547Z","avatar_url":"https://github.com/freckle.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Mergeabot\n\nAuto-merge Dependabot PRs, only after a certain number of days have passed.\n\n## Motivation\n\nUsing out of date dependencies is a Software Supply Chain risk, as\nsecurity-related patches may not be applied in a timely fashion.\n\nDependabot and timely merges of its PRs is a solution to this. Requiring manual\napproval and merge of such PRs is typically busy work. With robust CI and QA\nprocesses, such PRs should be a \"merge on Green\" scenario for your team. Any\nprocess of an Engineer taking an action without thought should be automated.\n\nImmediately merging new versions of dependencies is _also_ a Software Supply\nChain risk, as so-far-un-discovered exploits could exist in very new patches.\n\nAutomatically merging Dependabot PRs _only after some number of days_ (i.e.\nafter a \"quarantine\" period) is one mitigation for this, which this Action\nimplements.\n\n## Events\n\nMergeabot's primary feature is to find Dependabot PRs that have been open for\nyour configured `quarantine-days` and merge them (technically, approve and\nenable auto-merge so that status and review requirements are met):\n\n![Mergeabot example](./screenshots/example.png)\n\n### `schedule`\n\nWe recommend running this once a day, e.g. at midnight UTC, through the\n`schedule` event:\n\n```yaml\non:\n  schedule:\n    - cron: \"0 0 * * *\"\n```\n\n### `pull_request`\n\nOur team uses `CODEOWNERS` and round-robins review-requests. This results in\nfolks being requested to review Dependabot PRs. This is unnecessary and\nundesired; we want to leave these PRs to Mergeabot.\n\nTo ameliorate this, we run Mergeabot on `pull_request` events too:\n\n```yaml\non:\n  schedule:\n    - cron: \"0 0 * * *\"\n\n  pull_request:\n    types: [opened]\n```\n\nMergeabot knows if it's running on a `pull_request` event in a Dependabot PR\nand, if so, leaves a comment on the PR indicating, roughly, \"I got this.\"\n\n![Mergeabot comment on opened event](./screenshots/opened-comment.png)\n\n## Permissions\n\nDependabot PRs use a token with read-only permissions by default, so you'll need\nan explicit `permissions` key to use the above approach.\n\n```yaml\npermissions:\n  contents: write\n  pull-requests: write\n```\n\n**NOTE**: `contents:write` is required because Mergeabot will always do its\nnormal thing of finding other Dependabot PRs and handling them. This may be\nsurprising on PR events, but we find it useful. Patches welcome to make this\nbehavior optional.\n\n## Complete Example\n\n```yaml\nname: Mergeabot\n\non:\n  schedule:\n    - cron: \"0 0 * * *\"\n\n  pull_request:\n    types: [opened]\n\npermissions:\n  contents: write\n  pull-requests: write\n\njobs:\n  mergeabot:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: freckle/mergeabot-action@v2\n```\n\n## Inputs\n\n- `exclude-title-regex`: exclude PRs whose titles match this regular expression\n\n  Dependabot PRs follow the format `Bump {dep} to {version} in /{path}`, so this\n  can be used to exclude PRs of certain dependencies or in certain directories.\n\n  Note that GitHub could change this format at any time. If this happens, you\n  would have `{quarantine-days}` days to notice and update your setting if\n  necessary.\n\n- `quarantine-days`: how many days a PR must be open before it qualifies for\n  auto-merge. Default is 5.\n\n- `strategy`: how to perform the [auto-]merge. Must be `merge`, `rebase`, or\n  `squash`. Default is `rebase`.\n- `remove-reviewers`: remove any requested reviewers (if run on PRs). Default\n  is `true`.\n\nSee [`action.yml`](./action.yml) for other, seldom useful, inputs.\n\n## Outputs\n\nNone.\n\n## Caveats\n\nThis Action really only makes sense if Branch Protection is enabled, Approvals\nare required, and Auto-merge is allowed. That's because it doesn't actually\nmerge PRs, it approves and enables auto-merge. That way, we can leave the\ndetermination that all other PR requirements were satisfied to GitHub, where it\nbelongs.\n\n---\n\n[LICENSE](./LICENSE)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffreckle%2Fmergeabot-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffreckle%2Fmergeabot-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffreckle%2Fmergeabot-action/lists"}