AI & ML DevOps General Tech Community Best Practices & Tools All News About Contact
advertisement
DevOps

Let Dependabot Merge Its Own PRs

May 2026 8 min read
Let Dependabot Merge Its Own PRs
Back to DevOps

Dependabot opens PR automatically. Most people have configured that part. But then those PRs just sit there until you get around to reviewing and merging them. I recently had 6 open in one of my repositories. None of them were risky. I just didn't feel like doing a review and approving it, and then merging.

If your CI passes and the update is a patch or minor release, there isn't much to review. You're going to merge it. So why not let this happen automatically?

I've added this to two repositories now and it's one of those little things that quietly removes friction from your day.

First, enable auto-merge in your repository

Before the workflow can do anything, you must enable auto-merging in your repository settings. Go to p.e. https://github.com/yourorg-username/your-repo/settings/actions and scroll down to the Pull Requests section and check Allow automatic merging.

This is not specific to Dependabot, but is necessary for it to work. Without it, the gh pr merge --auto

The command in the workflow will fail. In fact, this is what I do to automate the use of dev.to as a headless CMS for my blog.

Automate and automatically merge pull requests using GitHub Actions and GitHub CLI

Nick Taylor ・Nov 6 22

The workflow

Create .github/workflows/auto-merge-dependabot.yml

in your repository:

name: Dependabot Auto Merge PR

in: pull_request

permissions:

content: write

pull requests: write

jobs:

auto merge:

runs on: ubuntu-latest

if: github.actor == 'dependabot[bot]'

steps:

- name: Approve public relations

run: gh pr review --approve "$PR_URL"

environment:

PR_URL: ${{ github.event.pull_request.html_url }}

GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: enable auto merge

run: gh pr merge --auto --squash "$PR_URL"

environment:

PR_URL: ${{ github.event.pull_request.html_url }}

GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

The if: github.actor == 'dependabot[bot]'

The condition ensures that this only runs on Dependabot PRs, not all incoming PRs.

The two steps do exactly what they say: approve the PR and then enable automatic merging with squash. GitHub handles the actual merge once all required checks are passed.

Below is an example of how it doesn't automatically merge after auto approval because the checks failed.

task (deps-dev): move eslint from 9.39.2 to 10.0.3 #809

Upgrade eslint from 9.39.2 to 10.0.3.

Release Notes

Sourced from eslint releases.

e511b58

solution: update eslint (#20595) (refresh[bot])f4c9cf9

solution: include variable name in useless assignment

message (#20581) (sethhamus)ee9ff31

fix: update dependency minimatch to ^10.2.4 (#20562) (Milos Djermanovic)

9fc31b0

docs: README Update (GitHub Actions Bot)4efaa36

docs: add infobox foreslint-plugin-eslint-comments

(#20570) (DesselBane)23b2759

Docs: Add v10 migration guide link to use docs index (#20577) (Pixel998)80259a9

docs: Remove obsolete eslintrc documentation files (#20472) (Copilot)9b9b4ba

docs: fix typo in documentation without waiting in loop (#20575) (Pixel998)e7d72a7

Docs: TypeScript 5.3 Minimum Supported Version document (#20547) (sethhamus)

ef8fb92

task: update package.json for eslint-config-eslint version (Jenkins)e8f2104

task: updates for version v9.39.4 (Jenkins)5cd1604

refactor: simplify isCombiningCharacter helper (#20524) (Huáng Jùnliàng)70ff1d0

task: eslint-config-eslint requires Node^20.19.0 || ^22.13.0 || >=24

(#20586) (Milos Djermanovic)e32df71

Task: update eslint-plugin-eslint-comments, remove Legacy-peer-deps (#20576) (Milos Djermanovic)53ca6ee

task: disable comments-lint/no-unused-disable

ruler (#20578) (Milos Djermanovic)e121895

ci: pin Node.js 25.6.1 (#20559) (Milos Djermanovic)efc5aef

task: updatestsconfig.json

ineslint-config-eslint

(#20551) (Francisco Trotta)

13eeedb

docs: link rule type explanation to CLI option --fix-type (#20548) (Mike McCready)98cbf6b

Docs: Update Program Rank Change Migration Guide (#20534) (Huáng Jùnliàng)61a2405

docs: add missing semicolon in vars-on-

Related Coverage

DevOps

Decisions, Decisions -- Thoughts on making architectural decisions

DevOps

i built a social platform where everything vanishes after 24 hours