ADR 002: Automated Dependabot PR Merging

  • Status: Accepted
  • Date: 2026-01-28
  • Author: Victoria Cheng

Context and Problem Statement

Dependabot generates a high volume of maintenance Pull Requests for dependency updates. Manually reviewing and merging these PRs creates significant "toil" for the platform team and often delays security patches and version updates. Merging must therefore be automated for trusted Dependabot updates that pass all CI checks.

Decision Outcome

A reusable composite action will be implemented that utilizes the GitHub CLI (gh) to enable the "auto-merge" feature specifically for Pull Requests authored by dependabot[bot].

Implementation Details

The action will perform the following logic:

  1. Identity Verification: Only proceed if github.actor is dependabot[bot].
  2. Auto-Merge Activation: Execute gh pr merge --auto with a configurable merge method (defaulting to merge).
  3. Event Requirements: The action must be triggered by pull_request or pull_request_target events to ensure the PR context is available.

Merge Methods Supported

Method   Behavior
merge    Standard merge commit (default)
squash   Squashes all commits into one
rebase   Rebases commits onto the target branch
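The composite action described above, written out as an added example (not the team's actual action code). The input names (merge-method, github-token) are assumed; the PR URL is taken from the pull_request / pull_request_target event payload, which is why those events are required.

```yaml
name: 'Dependabot Auto-Merge'
description: 'Enable GitHub auto-merge on Dependabot pull requests once checks pass'

inputs:
  merge-method:
    description: 'One of: merge, squash, rebase'
    required: false
    default: 'merge'
  github-token:
    # Needs pull-requests: write and contents: write (see Consequences).
    description: 'Token used by the gh CLI to enable auto-merge'
    required: true

runs:
  using: 'composite'
  steps:
    # Identity verification: the actor must be dependabot[bot]. The actor is
    # passed through an env var rather than interpolated into the script.
    - name: Skip non-Dependabot actors
      if: github.actor != 'dependabot[bot]'
      shell: bash
      env:
        ACTOR: ${{ github.actor }}
      run: echo "::warning::Actor '$ACTOR' is not dependabot[bot]; skipping auto-merge."

    # Auto-merge activation: validate the merge method against the supported
    # set, then hand off to GitHub's native auto-merge, which waits for
    # required status checks and branch protection before merging.
    - name: Enable auto-merge
      if: github.actor == 'dependabot[bot]'
      shell: bash
      env:
        GH_TOKEN: ${{ inputs.github-token }}
        PR_URL: ${{ github.event.pull_request.html_url }}
        METHOD: ${{ inputs.merge-method }}
      run: |
        case "$METHOD" in
          merge|squash|rebase) ;;
          *) echo "::error::Unsupported merge method '$METHOD'"; exit 1 ;;
        esac
        gh pr merge --auto "--$METHOD" "$PR_URL"
```

Because pull_request_target runs in the base repository with a write-capable token, the job that calls this action should not check out or execute code from the PR head.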

Consequences

Positive

  • Reduced Toil: Dramatically reduces manual maintenance work.
  • Faster Security Patches: Ensures updates are merged as soon as CI passes.
  • Native Safety: Leverages GitHub's auto-merge (waits for status checks and branch protection).

Negative

  • Elevated Permissions: Requires pull-requests: write and contents: write for the workflow.
  • Test Suite Dependency: Relies on test reliability; if tests pass but the update is broken, it will still merge.

Verification

  • [x] Logic Verification: Integrated a "Dry Run" test in .github/workflows/test-actions.yml that mocks dependabot[bot] to verify conditional logic without executing side effects.
  • [x] Safety Check: Confirmed the action correctly skips execution and logs a warning when triggered by a non-Dependabot actor.