Mergeabot

Auto-merge Dependabot PRs, only after a certain number of days have passed.

Motivation

Using out of date dependencies is a Software Supply Chain risk, as security-related patches may not be applied in a timely fashion.

Dependabot and timely merges of its PRs is a solution to this. Requiring manual approval and merge of such PRs is typically busy work. With robust CI and QA processes, such PRs should be a "merge on Green" scenario for your team. Any process of an Engineer taking an action without thought should be automated.

Immediately merging new versions of dependencies is also a Software Supply Chain risk, as so-far-un-discovered exploits could exist in very new patches.

Automatically merging Dependabot PRs only after some number of days (i.e. after a "quarantine" period) is one mitigation for this, which this Action implements.

Events

Mergeabot's primary feature is to find Dependabot PRs that have been open for your configured quarantine-days and merge them (technically, approve and enable auto-merge so that status and review requirements are met):

schedule

We recommend running this once a day, e.g. at midnight UTC, through the schedule event:

on:
  schedule:
    - cron: "0 0 * * *"

pull_request

Our team uses CODEOWNERS and round-robins review-requests. This results in folks being requested to review Dependabot PRs. This is unnecessary and undesired; we want to leave these PRs to Mergeabot.

To ameliorate this, we run Mergeabot on pull_request events too:

on:
  schedule:
    - cron: "0 0 * * *"

  pull_request:
    types: [opened]

Mergeabot knows if it's running on a pull_request event in a Dependabot PR and, if so, leaves a comment on the PR indicating, roughly, "I got this."

Permissions

Dependabot PRs use a token with read-only permissions by default, so you'll need an explicit permissions key to use the above approach.

permissions:
  contents: write
  pull-requests: write

NOTE: contents:write is required because Mergeabot will always do its normal thing of finding other Dependabot PRs and handling them. This may be surprising on PR events, but we find it useful. Patches welcome to make this behavior optional.

Complete Example

name: Mergeabot

on:
  schedule:
    - cron: "0 0 * * *"

  pull_request:
    types: [opened]

permissions:
  contents: write
  pull-requests: write

jobs:
  mergeabot:
    runs-on: ubuntu-latest
    steps:
      - uses: freckle/mergeabot-action@v2

Inputs

• exclude-title-regex: exclude PRs whose titles match this regular expression

  Dependabot PRs follow the format Bump {dep} to {version} in /{path}, so this can be used to exclude PRs of certain dependencies or in certain directories.

  Note that GitHub could change this format at any time. If this happens, you would have {quarantine-days} days to notice and update your setting if necessary.

• quarantine-days: how many days a PR must be open before it qualifies for auto-merge. Default is 5.

• strategy: how to perform the [auto-]merge. Must be merge, rebase, or squash. Default is rebase.

• remove-reviewers: remove any requested reviewers (if run on PRs). Default is true.

See action.yml for other, seldom useful, inputs.

Outputs

None.

Caveats

This Action really only makes sense if Branch Protection is enabled, Approvals are required, and Auto-merge is allowed. That's because it doesn't actually merge PRs, it approves and enables auto-merge. That way, we can leave the determination that all other PR requirements were satisfied to GitHub, where it belongs.

---

LICENSE