Auto merge GitHub Dependabot Alerts with GitHub Actions

Automate open-source dependency policy with Dependabot to watch and mitigate security issues in open-source dependencies.

GitHub starts to demonstrate its vision of cybersecurity by integrating tons of security features on its platform. As an application security engineer, I’m excited to work closely with software developers and manage security policies across code base repositories.

About GitHub Dependabot security updates

Dependabot is a bot to watch security vulnerability in open-source dependencies (disclosed from WhiteSource Vulnerability Database) and programmatically enforce security policy to keep dependencies up to date. Combine with Actions it offers powerful automation to maintain vulnerability-free dependencies in realtime.

Technically to run the workflow you just need the presence of two configuration files in a repository.

/.github/dependabot.yml

version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "daily"
rebase-strategy: "auto"
labels:
- "security"
- "dependencies"

/.github/workflows/dependabot.yml

name: "Dependabot Automerge - Action"on:
pull_request:
jobs:
worker:
runs-on: ubuntu-latest
if: github.actor == 'dependabot[bot]'
steps:
- name: automerge
uses: actions/github-script@0.2.0
with:
script: |
github.pullRequests.createReview({
owner: context.payload.repository.owner.login,
repo: context.payload.repository.name,
pull_number: context.payload.pull_request.number,
event: 'APPROVE'
})
github.pullRequests.merge({
owner: context.payload.repository.owner.login,
repo: context.payload.repository.name,
pull_number: context.payload.pull_request.number
})
github-token: ${{github.token}}

Feel free to adapt the code.

Optionally, you can create labels named security and dependencies to tag pull requests and protect branches by requiring at least one request review before merging.

Wanna read more about GitHub Dependabot options?

Build and scale application security systems.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store