GitHub has a great feature called Dependabot, which allows dependencies to be updated easily in your apps. For example, if there’s a new security release for Rails, all of my GitHub repos that use Rails will get a Pull Request created to update that gem.

The problem I’ve found is that sometimes these PRs can get out of hand, especially if your app has a lot of gems or dependencies or if you manage multiple projects!

To help fix that, I’ve now enabled automatic PR merging for PRs that are created by Dependabot, once all the tests pass.

Here’s an example GitHub workflow:

name: CI

on:
  pull_request:
  push:
    branches: [ main ]

permissions:
  contents: write
  pull-requests: write

jobs:
  dependabot:
    name: 'Dependabot'
    # Update needs as required
    needs: [lint, brakeman, test]
    runs-on: ubuntu-latest
    if: ${{ github.actor == 'dependabot[bot]' && github.event_name == 'pull_request'}}
    steps:
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: '${{ secrets.GITHUB_TOKEN }}'
      - name: Enable auto-merge for Dependabot PRs
        run: gh pr merge --auto --merge "$PR_URL"
        env:
          PR_URL: ${{github.event.pull_request.html_url}}
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}

GitHub generates the GITHUB_TOKEN secret automatically for each workflow run. The permissions block at the top of the workflow (contents: write and pull-requests: write) grants that token the access gh pr merge needs to enable auto-merge on the PR.

Now when a new PR comes in, once all the tests pass, it should automatically merge!
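The metadata step in the workflow above exposes the semver update type of each Dependabot PR, which the original merge step does not use. As an added example (not from the original post), these replacement steps only auto-merge patch and minor bumps and leave a comment on major updates so they get a human review; the update-type output and its values are documented by dependabot/fetch-metadata, and the step id metadata matches the workflow above.

```yaml
      - name: Enable auto-merge for patch and minor Dependabot updates
        # update-type is an output of dependabot/fetch-metadata, e.g.
        # version-update:semver-patch, version-update:semver-minor,
        # version-update:semver-major.
        if: ${{ steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor' }}
        run: gh pr merge --auto --merge "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Flag major Dependabot updates for manual review
        # Major bumps are not merged automatically; the comment makes the
        # reason visible on the PR instead of the job silently skipping.
        if: ${{ steps.metadata.outputs.update-type == 'version-update:semver-major' }}
        run: gh pr comment "$PR_URL" --body "Major version update for ${DEPS}: not auto-merged, needs manual review."
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          DEPS: ${{ steps.metadata.outputs.dependency-names }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

gh pr merge --auto only queues the merge: the repository must have "Allow auto-merge" enabled in its settings, and the PR merges once the branch protection rule's required checks pass.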