DEV Community: h6o

Automatically Merge Dependabot Patch Updates with GitHub Actions

h6o — Wed, 03 Dec 2025 00:25:28 +0000

Introduction

Dependabot automatically detects dependency updates and creates pull requests, but manually merging each one can be tedious.

Patch updates (security fixes and bug fixes) typically have limited impact, making them safe candidates for automatic merging.

This article explains how to implement a GitHub Actions workflow that automatically merges Dependabot patch updates.

Workflow Overview

The following workflow automatically merges only patch updates (version-update:semver-patch) from Dependabot pull requests:

name: Dependabot auto-merge

on:
  pull_request_target:
    types:
      - opened
      - synchronize
      - reopened
      - ready_for_review

permissions: {}

defaults:
  run:
    shell: bash

jobs:
  dependabot:
    runs-on: ubuntu-24.04
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    permissions:
      contents: write
      pull-requests: write
    steps:
      - name: Fetch Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Auto-merge Dependabot patch updates
        if: steps.metadata.outputs.update-type == 'version-update:semver-patch'
        run: gh pr merge --merge --auto "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Detailed Explanation of Each Step

Trigger Configuration

on:
  pull_request_target:
    types:
      - opened
      - synchronize
      - reopened
      - ready_for_review

pull_request_target: Runs in the context of the branch where the pull request was created. This allows proper access to Dependabot's pull requests with the necessary permissions.
opened: When a pull request is created
synchronize: When new commits are pushed to the pull request
reopened: When a closed pull request is reopened
ready_for_review: When a draft pull request becomes ready for review

Job Condition

if: github.event.pull_request.user.login == 'dependabot[bot]'

This condition ensures the job only runs for pull requests created by Dependabot. It prevents accidental automatic merging of pull requests created by other users.

Permission Settings

permissions:
  contents: write
  pull-requests: write

contents: write: Write access to the repository (required for merging)
pull-requests: write: Pull request operation permissions (required for merging)

Step 1: Fetch Dependabot Metadata

- name: Fetch Dependabot metadata
  id: metadata
  uses: dependabot/fetch-metadata@v2
  with:
    github-token: ${{ secrets.GITHUB_TOKEN }}

The dependabot/fetch-metadata@v2 action retrieves metadata about Dependabot's pull request. This action outputs information such as:

update-type: Type of update (version-update:semver-patch, version-update:semver-minor, version-update:semver-major, etc.)
dependency-names: Names of the dependencies being updated
directory: Directory where the update occurred

Step 2: Auto-merge Patch Updates

- name: Auto-merge Dependabot patch updates
  if: steps.metadata.outputs.update-type == 'version-update:semver-patch'
  run: gh pr merge --merge --auto "$PR_URL"
  env:
    PR_URL: ${{ github.event.pull_request.html_url }}
    GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

if condition: Only executes when the update type is a patch update (version-update:semver-patch)
gh pr merge --merge --auto: Uses GitHub CLI to merge the pull request
- --merge: Creates a merge commit to merge
- --auto: Automatically merges once all checks pass

Setup Instructions

1. Create the Workflow File

Save the workflow above in .github/workflows/dependabot-auto-merge.yml.

2. Verify Dependabot Configuration

Ensure Dependabot is enabled in dependabot.yml or in your GitHub repository settings.

Notes and Best Practices

Why Only Auto-merge Patch Updates?

Patch updates (1.0.0 → 1.0.1): Bug fixes and security patches. Safe to auto-merge as they don't contain breaking changes
Minor updates (1.0.0 → 1.1.0): New features added. May have broader impact, so review is recommended
Major updates (1.0.0 → 2.0.0): Likely to contain breaking changes. Manual review is essential

Conclusion

By implementing this workflow, you can automatically merge Dependabot patch updates and quickly apply security patches and bug fixes. Patch updates typically don't contain breaking changes, making them safe for automatic merging.

However, we recommend adjusting the auto-merge conditions based on your project's characteristics and team policies. Consider customizing the workflow for critical dependencies by requiring manual reviews or adding additional checks.

3 ways to speed up CI [GitHub Actions] that you can do immediately!

h6o — Thu, 26 Dec 2024 23:02:54 +0000

For those who are frustrated by slow CI execution.

Here are three ways to speed up CI execution with GitHub Actions.

Three ways to speed up CI [GitHub Actions].

The following three methods are introduced in this article.

Split the Job
Adding package cache processing
Split tests and run them in parallel

Split a Job

Jobs can be split so that each job runs in parallel.

For example, the execution of a unit test and the execution of a Linter can often run independently.

It would be more efficient to describe them in separate Jobs, rather than in series in a single Job.

jobs:.
  test:.
    runs-on: ubuntu-22.04
    steps:.
    ...

  lint: ...
    runs-on: ubuntu-22.04
    steps: ...
    ...

Add package caching process.

Packages are recommended to be cached to skip the time-consuming package installation process.

Use the official actions/cache to implement the cache process.

In the following cases, npm ci will only be executed if there is a change in the OS, Node version or the file that manages package information (package-lock.json), otherwise the cache will be used.

- name: cache and restore packages
  id: cache-npm
  uses: actions/cache@v4.0.2
  with: node_modules
    path: node_modules
    key: ${{ runner.os }}-${{ steps.tool_versions.outputs.nodejs }}-${{ hashFiles(‘**/package-lock.json’) }}

- name: install npm packages
  if: steps.cache-npm.outputs.cache-hit ! = ‘true’
  run: npm ci
  shell: bash

Split and run tests in parallel

If your tests take a long time to run, you can speed up the process by dividing the tests and running each one in parallel.

For example, in the case of Jest, you can use the matrix strategy and the command option --shard. The matrix strategy is a simple and easy way to split up tests and run them in parallel.

The matrix strategy is a method to run a Job for each value defined in a variable within a single Job, and --shard is an option to split tests.

Using these, you can define a workflow like the following.

jobs:
  test:
    runs-on: ubuntu-22.04
    strategy:
      matrix:
        shard: [1/4, 2/4, 3/4, 4/4]
    steps:
      - name: checkout
        uses: actions/checkout@v3

      - name: setup environment
        uses: ./.github/actions/setup

      - name: run test
        run: npx jest --ci --shard=${{ matrix.shard }}

This will run 4 Jobs in parallel, each running a quarter of the tests.

I don't know if there are other options like --shard besides Jest, but the idea itself can be applied to any language.

There are other ways.

The following three methods were introduced as easy ways to improve the speed of CI.

Split the Job
Add package cache processing
Split tests and run them in parallel

However, in addition to these, you can also use larger runner and running tests only in areas where changes have been made, there are many other ways to improve speed.

It is recommended to improve the speed little by little to the extent possible, recognising the time and financial resources available.