GitHub Action: Dependabot Auto Merge

Automatically merge Dependabot PRs when version comparison is within range.

Note: Dependabot will wait until all your status checks pass before merging. This is a function of Dependabot itself, and not of this Action.


```yaml
name: auto-merge

on:
  pull_request:

jobs:
  auto-merge:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: ahmadnassri/action-dependabot-auto-merge@v2
        with:
          target: minor
          github-token: ${{ secrets.mytoken }}
```

The action will only merge PRs whose checks (CI/CD) pass.


Minimal setup:

```yaml
- uses: ahmadnassri/action-dependabot-auto-merge@v2
  with:
    github-token: ${{ secrets.mytoken }}
```

Only merge if the changed dependency version is a patch (default behavior):

```yaml
- uses: ahmadnassri/action-dependabot-auto-merge@v2
  with:
    target: patch
    github-token: ${{ secrets.mytoken }}
```

Only merge if the changed dependency version is a minor:

```yaml
- uses: ahmadnassri/action-dependabot-auto-merge@v2
  with:
    target: minor
    github-token: ${{ secrets.mytoken }}
```

Using a configuration file (the workflow step, followed by the contents of .github/auto-merge.yml):

```yaml
- uses: actions/checkout@v2
- uses: ahmadnassri/action-dependabot-auto-merge@v2
  with:
    github-token: ${{ secrets.mytoken }}
```

```yaml
# .github/auto-merge.yml
- match:
    dependency_type: all
    update_type: "semver:minor" # includes patch updates!
```


| input        | required | default      | description                                          |
|--------------|----------|--------------|------------------------------------------------------|
| github-token | no       | github.token | The GitHub token used to merge the pull-request      |
| target       | no       | patch        | The version comparison target (major, minor, patch)  |
| command      | no       | merge        | The command to pass to Dependabot                    |
| approve      | no       | true         | Auto-approve pull-requests                           |

Token Scope

The GitHub token is a Personal Access Token with the following scopes: repo for private repositories, or public_repo for public repositories. It should be created from a user with "push" permission to the repository (see the GitHub reference for user-owned repos and for org-owned repos) and stored as a repository secret, as the examples above do with secrets.mytoken.

Configuration file syntax

Using the configuration file .github/auto-merge.yml, you have the option to provide a more fine-grained configuration. The following example configuration file merges:

  • minor updates for aws-sdk
  • minor development dependency updates
  • patch production dependency updates
  • minor security-critical production dependency updates

```yaml
- match:
    dependency_name: aws-sdk
    update_type: semver:minor

- match:
    dependency_type: development
    update_type: semver:minor # includes patch updates!

- match:
    dependency_type: production
    update_type: security:minor # includes patch updates!

- match:
    dependency_type: production
    update_type: semver:patch
```

Match Properties

| property        | required | supported values                              |
|-----------------|----------|-----------------------------------------------|
| dependency_name | no       | full name of dependency, or a regex string    |
| dependency_type | no       | all, production, development                  |
| update_type     | no       | all, security:*, semver:*                     |

update_type can specify a security match or a semver match with the syntax ${type}:${match}, e.g.

  • security:patch
    SemVer patch update that fixes a known security vulnerability

  • semver:patch
    SemVer patch update, e.g. within the 1.x range, 1.0.1 to 1.0.3

  • semver:minor
    SemVer minor update, e.g. within the 1.x range, 2.1.4 to 2.3.1

To allow prereleases, the corresponding prepatch, preminor and premajor types are also supported.


By default, if no configuration file is present in the repo, the action will assume the following:

```yaml
- match:
    dependency_type: all
    update_type: semver:${TARGET}
```

Where ${TARGET} is the target value from the action Inputs.

The syntax is based on the legacy Dependabot v1 config format, but does not support in_range yet.
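To make the matching rules above concrete, here is an added example (not code from the action itself) that evaluates a Dependabot update against a list of `match` rules in the shape of .github/auto-merge.yml. It is a re-implementation of the semantics described on this page, not the action's own matcher: the rules are embedded as Python dicts mirroring the README's YAML, `semver:minor` is assumed to include patch updates (as the comments above say), `security:*` is assumed to require a security-flagged update, a `pre*` level is assumed to also accept the non-prerelease updates of the same rank, and `dependency_name` is assumed to be matched as a full-string regex. The constructed pull-request records (`aws-sdk`, `express`, `eslint` and their versions) are sample data, not real updates.

```python
import re
from typing import Optional

# Semantic-version core (major.minor.patch) with an optional prerelease tag.
# Build metadata (+...) is accepted and ignored. Assumption: the action also
# reads the dependency versions in this form.
_SEMVER = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)
RANK = {"patch": 1, "minor": 2, "major": 3}


def parse_version(text: str):
    """Return ((major, minor, patch), prerelease_or_None)."""
    m = _SEMVER.match(text.strip())
    if not m:
        raise ValueError(f"not a semantic version: {text!r}")
    return (int(m[1]), int(m[2]), int(m[3])), m[4]


def update_kind(old: str, new: str) -> Optional[str]:
    """Classify an upgrade as patch/minor/major (prefixed with 'pre' when the
    new version is a prerelease). Returns None for a downgrade or no change,
    which a matcher should never auto-merge."""
    o_core, _ = parse_version(old)
    n_core, n_pre = parse_version(new)
    if n_core <= o_core:
        return None
    if n_core[0] != o_core[0]:
        level = "major"
    elif n_core[1] != o_core[1]:
        level = "minor"
    else:
        level = "patch"
    return "pre" + level if n_pre else level


def update_type_allows(spec: str, kind: Optional[str], is_security: bool) -> bool:
    """Evaluate an update_type value ('all', 'semver:<level>', 'security:<level>')."""
    if kind is None:
        return False
    if spec == "all":
        return True
    scope, _, level = spec.partition(":")
    if scope not in ("semver", "security"):
        raise ValueError(f"unknown update_type scope in {spec!r}")
    if scope == "security" and not is_security:
        return False
    allow_pre = level.startswith("pre")
    base = level[3:] if allow_pre else level
    if base not in RANK:
        raise ValueError(f"unknown update level in {spec!r}")
    kind_pre = kind.startswith("pre")
    kind_base = kind[3:] if kind_pre else kind
    if kind_pre and not allow_pre:
        return False  # prereleases only pass a pre* level (assumption)
    return RANK[kind_base] <= RANK[base]  # minor includes patch, etc.


def rule_matches(match: dict, pr: dict) -> bool:
    """One `match:` block against a Dependabot PR described by
    {name, dependency_type, from, to, security}."""
    pattern = match.get("dependency_name")
    if pattern and not re.fullmatch(pattern, pr["name"]):
        return False
    dep_type = match.get("dependency_type", "all")
    if dep_type != "all" and dep_type != pr["dependency_type"]:
        return False
    kind = update_kind(pr["from"], pr["to"])
    return update_type_allows(match.get("update_type", "all"), kind, pr.get("security", False))


def should_merge(config: list, pr: dict) -> bool:
    """True if any rule in the configuration list matches the PR."""
    return any(rule_matches(rule["match"], pr) for rule in config)


def default_config(target: str = "patch") -> list:
    """The configuration the README says is assumed when no file is present."""
    return [{"match": {"dependency_type": "all", "update_type": f"semver:{target}"}}]


# Mirrors the example .github/auto-merge.yml from the README (as Python dicts).
CONFIG = [
    {"match": {"dependency_name": "aws-sdk", "update_type": "semver:minor"}},
    {"match": {"dependency_type": "development", "update_type": "semver:minor"}},
    {"match": {"dependency_type": "production", "update_type": "security:minor"}},
    {"match": {"dependency_type": "production", "update_type": "semver:patch"}},
]

# Constructed sample pull-requests, not real Dependabot output.
SAMPLE_PRS = [
    {"name": "aws-sdk", "dependency_type": "production", "from": "2.1.4", "to": "2.3.1"},
    {"name": "lodash", "dependency_type": "production", "from": "4.17.20", "to": "4.17.21"},
    {"name": "express", "dependency_type": "production", "from": "4.17.0", "to": "4.18.0"},
    {"name": "express", "dependency_type": "production", "from": "4.17.0", "to": "4.18.0", "security": True},
    {"name": "eslint", "dependency_type": "development", "from": "7.0.0", "to": "8.0.0"},
]

if __name__ == "__main__":
    for pr in SAMPLE_PRS:
        print(pr["name"], pr["from"], "->", pr["to"], "merge:", should_merge(CONFIG, pr))
```

Running the block prints one decision per sample PR; a minor production update is refused unless Dependabot flags it as a security update, which is exactly the distinction between the `security:minor` and `semver:patch` rules in the example file.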