@xt0rted
Last active January 23, 2024 11:23
Auto-merge Dependabot PRs for minor & patch updates

README

Note

I'm now using a newer version of this workflow that supports an allow list for individual packages and update groups which can be found here:

If you're using a workflow like this and need to manage secrets in multiple repos, xt0rted/secrets-sync can simplify that. It lets you add secrets to one repo and sync them to many repos. There's also a template you can fork to get started quickly with it.

Personal Access Token

This workflow requires the repository's Allow auto-merge setting to be enabled, and ideally a branch protection rule with required status checks so that your other workflows have to pass before the merge happens. Without required checks, a PR that has auto-merge enabled merges as soon as it is mergeable, so minor and patch bumps would land untested.


If the default GITHUB_TOKEN is used to enable auto-merge, any workflows that would normally be triggered by the resulting merge won't run, because events created with GITHUB_TOKEN don't start new workflow runs. To work around that, a PAT (or the GitHub App described below) needs to be used.

The DEPENDABOT_TOKEN needs the repo and read:org scopes and should be added as both an Actions and a Dependabot secret for the org or repo where this will run. Keep in mind that a classic PAT with the repo scope can act on every repository the token owner can access, so treat it accordingly; the GitHub App approach below is narrower.

GitHub App

An alternative method is to use a GitHub App. An installation token is limited to the repositories the app is installed on and to the permissions listed below, which is narrower than the repo scope of a classic PAT. To do this you'll need to go to https://github.com/settings/apps/new or https://github.com/organizations/<org>/settings/apps/new and create an app with the following settings:

  1. Uncheck Expire user authorization tokens
  2. Uncheck Webhook Active
  3. Set the following Repository permissions
    • Contents: Read & Write
    • Metadata: Read-only
    • Pull requests: Read-only

Once created you'll need to generate a private key.

You'll then need to install the app on your account or org and add Actions and Dependabot secrets for both BOT_APP_ID and BOT_PRIVATE_KEY, which correspond to the App ID shown at the top of the app's page and the private key you just generated. Both secret stores are needed because runs triggered by Dependabot may only see the Dependabot secret store.

The final step is to make sure you've enabled auto-merge PRs on the repo.


```yaml
# https://gist.github.com/xt0rted/46475099dc0a70ba63e16e3177407872
name: Dependabot auto-merge

# pull_request_target runs in the context of the base branch with access to
# secrets, so this workflow must never check out or execute code from the PR.
on: pull_request_target

permissions:
  contents: read
  pull-requests: read

jobs:
  dependabot:
    runs-on: ubuntu-latest
    # Only run for PRs opened by Dependabot
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    steps:
      - name: Generate token
        id: generate_token
        uses: tibdex/github-app-token@v1.5.1
        with:
          app_id: ${{ secrets.BOT_APP_ID }}
          private_key: ${{ secrets.BOT_PRIVATE_KEY }}

      - name: Dependabot metadata
        id: dependabot_metadata
        uses: dependabot/fetch-metadata@v1.2.1
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Authenticate cli
        run: echo "${{ steps.generate_token.outputs.token }}" | gh auth login --with-token

      - name: Enable auto-merge for Dependabot PRs
        # Only direct development dependencies, and only minor or patch bumps
        if: steps.dependabot_metadata.outputs.dependency-type == 'direct:development' && (steps.dependabot_metadata.outputs.update-type == 'version-update:semver-minor' || steps.dependabot_metadata.outputs.update-type == 'version-update:semver-patch')
        run: gh pr merge --auto --merge "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
```
```yaml
# https://gist.github.com/xt0rted/46475099dc0a70ba63e16e3177407872
name: Dependabot auto-merge

# pull_request_target runs in the context of the base branch with access to
# secrets, so this workflow must never check out or execute code from the PR.
on: pull_request_target

permissions:
  contents: read
  pull-requests: read

jobs:
  dependabot:
    runs-on: ubuntu-latest
    # Only run for PRs opened by Dependabot
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    steps:
      - name: Dependabot metadata
        id: dependabot_metadata
        uses: dependabot/fetch-metadata@v1.2.1
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Authenticate cli with a PAT
        run: echo "${{ secrets.DEPENDABOT_TOKEN }}" | gh auth login --with-token

      - name: Enable auto-merge for Dependabot PRs
        # Only direct development dependencies, and only minor or patch bumps
        if: steps.dependabot_metadata.outputs.dependency-type == 'direct:development' && (steps.dependabot_metadata.outputs.update-type == 'version-update:semver-minor' || steps.dependabot_metadata.outputs.update-type == 'version-update:semver-patch')
        run: gh pr merge --auto --merge "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
```
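The `if:` condition in both workflows is the entire merge policy: the values it compares come from the `updated-dependencies:` trailer that Dependabot appends to its commit messages, which dependabot/fetch-metadata exposes as the `dependency-type` and `update-type` outputs. The following is an added example, not code from the gist or from fetch-metadata, that implements the same gate as a stand-alone Python function so the policy can be exercised offline. The trailer layout and the `Bump X from A to B` title format are assumptions based on Dependabot's usual commit messages, and every sample message is constructed. It goes beyond the workflow in two ways: a grouped update with several entries only passes if every entry passes, and any PR without parseable metadata is refused (fail closed) rather than silently allowed.

```python
"""Auto-merge policy gate for Dependabot PRs (added example, not from the gist).

Assumes Dependabot's commit-message trailer looks like:
    updated-dependencies:
    - dependency-name: eslint
      dependency-type: direct:development
      update-type: version-update:semver-minor
    ...
Sample messages below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Same policy as the workflow's `if:` condition.
ALLOWED_DEPENDENCY_TYPES = {"direct:development"}
ALLOWED_UPDATE_TYPES = {"version-update:semver-minor", "version-update:semver-patch"}

LIST_START_RE = re.compile(r"^\s*-\s+dependency-name:\s*(\S+)\s*$")
KEY_VALUE_RE = re.compile(r"^\s+([a-z-]+):\s*(\S+)\s*$")
TITLE_RE = re.compile(r"^Bump (\S+) from (\S+) to (\S+)")
SEMVER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


@dataclass
class UpdatedDependency:
    name: str
    dependency_type: str
    update_type: Optional[str]


def parse_updated_dependencies(commit_message: str) -> List[UpdatedDependency]:
    """Strict, stdlib-only parser for the flat key/value list in the trailer.

    Anything that is not a list entry or an indented `key: value` line ends
    the block, so unexpected content can never be mistaken for metadata.
    """
    entries: List[dict] = []
    in_block = False
    for line in commit_message.splitlines():
        if line.strip() == "updated-dependencies:":
            in_block = True
            continue
        if not in_block:
            continue
        start = LIST_START_RE.match(line)
        if start:
            entries.append({"dependency-name": start.group(1)})
            continue
        kv = KEY_VALUE_RE.match(line)
        if kv and entries:
            entries[-1][kv.group(1)] = kv.group(2)
            continue
        break  # e.g. the "..." YAML document terminator
    return [
        UpdatedDependency(
            name=e.get("dependency-name", ""),
            dependency_type=e.get("dependency-type", ""),
            update_type=e.get("update-type"),
        )
        for e in entries
    ]


def classify_update(old: str, new: str) -> Optional[str]:
    """Derive the semver update class when the trailer omits update-type."""
    mo, mn = SEMVER_RE.match(old), SEMVER_RE.match(new)
    if not (mo and mn):
        return None
    o = [int(x) for x in mo.groups()]
    n = [int(x) for x in mn.groups()]
    if n[0] != o[0]:
        return "version-update:semver-major"
    if n[1] != o[1]:
        return "version-update:semver-minor"
    if n[2] != o[2]:
        return "version-update:semver-patch"
    return None


def should_auto_merge(commit_message: str) -> bool:
    """True only if every updated dependency satisfies the policy; fails closed."""
    deps = parse_updated_dependencies(commit_message)
    if not deps:
        return False  # no Dependabot metadata at all: never auto-merge
    title = TITLE_RE.match(commit_message.splitlines()[0])
    for dep in deps:
        update_type = dep.update_type
        if update_type is None and title and title.group(1) == dep.name:
            update_type = classify_update(title.group(2), title.group(3))
        if dep.dependency_type not in ALLOWED_DEPENDENCY_TYPES:
            return False
        if update_type not in ALLOWED_UPDATE_TYPES:
            return False
    return True


def make_message(title: str, entries: List[dict]) -> str:
    """Build a constructed Dependabot-style commit message for the samples."""
    lines = [title, "", "---", "updated-dependencies:"]
    for e in entries:
        lines.append(f"- dependency-name: {e['name']}")
        lines.append(f"  dependency-type: {e['type']}")
        if e.get("update"):
            lines.append(f"  update-type: {e['update']}")
    lines += ["...", "", "Signed-off-by: dependabot[bot] <support@github.com>"]
    return "\n".join(lines)


# Constructed samples (not real PRs).
MINOR_DEV = make_message("Bump eslint from 8.1.0 to 8.2.0",
    [{"name": "eslint", "type": "direct:development", "update": "version-update:semver-minor"}])
MAJOR_DEV = make_message("Bump eslint from 8.1.0 to 9.0.0",
    [{"name": "eslint", "type": "direct:development", "update": "version-update:semver-major"}])
PATCH_PROD = make_message("Bump express from 4.18.1 to 4.18.2",
    [{"name": "express", "type": "direct:production", "update": "version-update:semver-patch"}])
PATCH_NO_TYPE = make_message("Bump jest from 29.0.0 to 29.0.1",
    [{"name": "jest", "type": "direct:development"}])
GROUP_OK = make_message("Bump the dev-tools group with 2 updates",
    [{"name": "jest", "type": "direct:development", "update": "version-update:semver-patch"},
     {"name": "ts-node", "type": "direct:development", "update": "version-update:semver-minor"}])
GROUP_NO_TYPE = make_message("Bump the dev-tools group with 1 update",
    [{"name": "jest", "type": "direct:development"}])
NO_TRAILER = "Fix typo in README\n\nNot a Dependabot commit."
```

`PATCH_NO_TYPE` shows the fallback path: with no `update-type` in the trailer the class is derived from the versions in the title, while `GROUP_NO_TYPE` has no versions to fall back on and is refused, which is the behaviour you want from a gate that sits behind `pull_request_target`.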
@PureKrome

This is kewl!

@alexjoverm

Awesome! Thanks

@swissbuechi

Thanks a lot!

@janraasch

Love. It! 👍
