Merging pull requests with GitHub Actions

Berlin, Germany

In May 2019, GitHub acquired Dependabot, and recently GitHub announced that Dependabot is moving into GitHub.

When you follow the instructions, you will find that the migration is straightforward. However, there is one thing missing: after migrating from version 1 to version 2, Dependabot will not automatically merge pull requests anymore. That the feature is currently missing could indicate that GitHub will bring automatic merges onboard - independently from Dependabot.

In the meantime, you can configure a job with GitHub Actions and actions/github-script that will automatically merge pull requests created by Dependabot. actions/github-script uses octokit/rest.js, which is well documented, and it is often more convenient to use than maintaining a full-blown GitHub action.

Here is an example of a job that will run when the coding-standards, static-code-analysis, and tests jobs have succeeded, and which will then merge a pull request opened by dependabot[bot]:

# The job key "merge" is assumed; the job sits under the workflow's jobs: map.
merge:
  name: "Merge"

  runs-on: "ubuntu-latest"

  # Run only after these jobs in the same workflow have succeeded.
  needs:
    - "coding-standards"
    - "static-code-analysis"
    - "tests"

  # The left-hand operand of the last comparison is missing from this page;
  # github.actor is assumed here.
  if: >
    github.event_name == 'pull_request' &&
    github.event.pull_request.draft == false && (
      github.event.action == 'opened' ||
      github.event.action == 'reopened' ||
      github.event.action == 'synchronize'
    ) && (
      github.actor == 'dependabot[bot]'
    )

  steps:
    - name: "Merge pull request"
      uses: "actions/github-script@v2"
      with:
        github-token: "${{ secrets.GITHUB_TOKEN }}"
        script: |
          const pullRequest = context.payload.pull_request
          const repository = context.repo

          await github.pulls.merge({
            merge_method: "merge",
            owner: repository.owner,
            pull_number: pullRequest.number,
            repo: repository.repo,
          })
💡 You can see this very simple job in action at jangregor/phpstan-prophecy, and you can find a more sophisticated example of using GitHub Actions to merge pull requests in ergebnis/php-library-template.

Note that this approach has a severe drawback: this job will run when the dependent jobs in the same workflow have completed. The job is entirely unaware of additional workflows or integrations with other apps. It might merge a pull request when any of these additional workflows or integrations are still running or have already failed. This job works a lot better when used with branch protection.
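One way to narrow the drawback described above is to inspect every check run reported for the pull request's head commit before merging. The following is an added example, not code from the original post or the linked repositories: the function name `mergeDecision`, its parameter names, and the sample data are assumptions, while the `status` and `conclusion` values follow GitHub's check-run objects.

```javascript
// Added example: decide whether a Dependabot pull request is safe to merge.
// Function name, parameter names and sample data are assumptions.
const BOT = "dependabot[bot]";
// Conclusions treated as passing here (a policy choice for this example).
const OK_CONCLUSIONS = new Set(["success", "neutral", "skipped"]);

function mergeDecision({ actor, pullRequest, checkRuns, ownJobName }) {
  // Both the account that triggered the run and the PR author must be the bot.
  if (actor !== BOT || pullRequest.user.login !== BOT) {
    return { merge: false, reason: "not a Dependabot pull request" };
  }
  if (pullRequest.draft) {
    return { merge: false, reason: "draft pull request" };
  }
  // Ignore the merge job itself: it is still in progress while this runs.
  const others = checkRuns.filter((run) => run.name !== ownJobName);
  if (others.length === 0) {
    return { merge: false, reason: "no check runs reported" };
  }
  // Checks from other workflows or apps may still be running.
  const pending = others.filter((run) => run.status !== "completed");
  if (pending.length > 0) {
    return { merge: false, reason: `pending: ${pending.map((r) => r.name).join(", ")}` };
  }
  const failed = others.filter((run) => !OK_CONCLUSIONS.has(run.conclusion));
  if (failed.length > 0) {
    return { merge: false, reason: `failed: ${failed.map((r) => r.name).join(", ")}` };
  }
  // Return the checked commit so the merge can be pinned to it.
  return { merge: true, reason: "all checks passed", sha: pullRequest.head.sha };
}

// Constructed sample data: one check from another integration is still running.
const pullRequest = { number: 7, draft: false, user: { login: BOT }, head: { sha: "abc123" } };
const checkRuns = [
  { name: "Merge", status: "in_progress", conclusion: null },
  { name: "tests", status: "completed", conclusion: "success" },
  { name: "external-ci", status: "in_progress", conclusion: null },
];
console.log(mergeDecision({ actor: BOT, pullRequest, checkRuns, ownJobName: "Merge" }));
```

Passing the returned `sha` to the merge call makes GitHub reject the merge if the head commit has changed since the checks were read. This only narrows the window; branch protection remains the stronger control.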

As an alternative, you might want to take a look at the GitHub Marketplace, where you can find a range of applications that will merge pull requests for you.

❗ As of March 1st, 2021, this job will not work anymore.

For reference, see GitHub Actions: Workflows triggered by Dependabot PRs will run with read-only permissions.