Dependabot opens PRs automatically. Most people have configured that part. But then those PRs just sit there until you get around to reviewing and merging them. I recently had 6 open in one of my repositories. None of them were risky. I just didn't feel like doing a review, approving them, and then merging.
If your CI passes and the update is a patch or minor release, there isn't much to review. You're going to merge it. So why not let this happen automatically?
I've added this to two repositories now and it's one of those little things that quietly removes friction from your day.
First, enable auto-merge in your repository
Before the workflow can do anything, you must enable auto-merge in your repository settings. Go to, for example, https://github.com/yourorg-username/your-repo/settings/actions, scroll down to the Pull Requests section, and check Allow auto-merge.
This is not specific to Dependabot, but it is necessary for this to work. Without it, the gh pr merge --auto command in the workflow will fail. In fact, this is what I do to automate the use of dev.to as a headless CMS for my blog.
Automate and automatically merge pull requests using GitHub Actions and GitHub CLI
Nick Taylor ・Nov 6 22
The workflow
Create .github/workflows/auto-merge-dependabot.yml in your repository:
name: Dependabot Auto Merge PR
on: pull_request
permissions:
  contents: write
  pull-requests: write
jobs:
  auto-merge:
    runs-on: ubuntu-latest
    # Only run for pull requests where Dependabot is the actor
    if: github.actor == 'dependabot[bot]'
    steps:
      - name: Approve PR
        run: gh pr review --approve "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Enable auto-merge
        # --auto defers the merge until all required checks pass
        run: gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
The if: github.actor == 'dependabot[bot]' condition ensures that this only runs on Dependabot PRs, not all incoming PRs.
The two steps do exactly what they say: approve the PR and then enable automatic merging with squash. GitHub handles the actual merge once all required checks have passed.
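The workflow approves every Dependabot PR whatever the size of the version jump, while the premise earlier on this page is that only patch and minor releases need no review. The following is an added example, not code from the original post: a POSIX shell helper that classifies a bump and fails closed on anything it cannot parse. The function names are hypothetical and it assumes plain MAJOR.MINOR.PATCH version strings.

```sh
#!/bin/sh
# Added example: gate auto-merge on the size of the version bump.
# Function names are hypothetical (not part of gh or Dependabot).
# Assumes plain MAJOR.MINOR.PATCH versions; anything else fails closed.

# Succeeds when $1 is a non-empty string of digits.
is_uint() {
  case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac
}

# Prints "MAJOR MINOR PATCH" for a strict x.y.z version, else fails.
split_version() {
  v=${1#v}
  case "$v" in *.*.*.*) return 1 ;; *.*.*) ;; *) return 1 ;; esac
  major=${v%%.*}; rest=${v#*.}
  minor=${rest%%.*}; patch=${rest#*.}
  is_uint "$major" && is_uint "$minor" && is_uint "$patch" || return 1
  echo "$major $minor $patch"
}

# bump_type OLD NEW -> major | minor | patch | none | unknown
bump_type() {
  old=$(split_version "$1") || { echo unknown; return 0; }
  new=$(split_version "$2") || { echo unknown; return 0; }
  set -- $old $new            # $1..$3 = old parts, $4..$6 = new parts
  if [ "$1" -ne "$4" ]; then echo major
  elif [ "$2" -ne "$5" ]; then
    # 0.y.z carries no compatibility promise in semver: treat as breaking.
    if [ "$1" -eq 0 ]; then echo major; else echo minor; fi
  elif [ "$3" -ne "$6" ]; then echo patch
  else echo none
  fi
}

# Exit status 0 only for patch and minor bumps; major, none and
# unparseable versions (pre-releases, date versions) need a human.
should_automerge() {
  case "$(bump_type "$1" "$2")" in
    patch|minor) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample pairs; the first is the eslint update from this page.
for pair in "9.39.2 10.0.3" "9.39.2 9.39.4" "0.4.1 0.5.0" "1.2.3 1.3.0-rc.1"; do
  set -- $pair
  if should_automerge "$1" "$2"; then verdict=auto-merge; else verdict=review; fi
  echo "$1 -> $2: $(bump_type "$1" "$2") ($verdict)"
done
```

In a workflow, the approve and merge steps would run only when should_automerge succeeds for the old and new versions stated in the PR.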
Below is an example of a PR that was auto-approved but not automatically merged because the checks failed.
task (deps-dev): move eslint from 9.39.2 to 10.0.3 #809
Upgrade eslint from 9.39.2 to 10.0.3.