Add Dependabot auto-merge workflow by dondonz · Pull Request #4298 · graphql-java/graphql-java · GitHub

Merged: dondonz merged 5 commits into master from claude/dependabot-auto-merge-config-ekRMj, Mar 7, 2026


dondonz commented Mar 7, 2026

Lately we've received a ton of dependabot PRs and I'd rather automatically merge if all builds pass. Dependabot doesn't have a config option for this, so instead I'm following the GitHub docs recommendation to have a GitHub action on pull request creation, to automerge Dependabot PRs only https://docs.github.com/en/code-security/tutorials/secure-your-dependencies/automating-dependabot-with-github-actions#enable-auto-merge-on-a-pull-request

Summary

  • Adds a GitHub Actions workflow that automatically enables auto-merge on Dependabot PRs
  • Follows the official GitHub docs pattern
  • Uses squash merge strategy and applies to all dependency update types

claude added 4 commits March 7, 2026 06:36
Adds a GitHub Actions workflow that automatically enables auto-merge
(squash) on Dependabot PRs for patch and minor version updates. GitHub's
auto-merge will wait for all required status checks to pass before
merging, so major/breaking updates still require manual review.

https://claude.ai/code/session_012ieS3tLTHwwnh9aftVAPVY

The actor name string could theoretically be spoofed. The user ID
49699333 is the immutable numeric ID for the dependabot[bot] GitHub
App and cannot be forged by other users.

https://claude.ai/code/session_012ieS3tLTHwwnh9aftVAPVY

Remove the patch/minor restriction and the now-unused fetch-metadata
step so all Dependabot PRs are auto-merged (major included).

https://claude.ai/code/session_012ieS3tLTHwwnh9aftVAPVY

Rewrite to closely follow the recommended pattern from:
https://docs.github.com/en/code-security/tutorials/secure-your-dependencies/automating-dependabot-with-github-actions#enable-auto-merge-on-a-pull-request

- Use user.login check with repository guard
- Pin fetch-metadata action to commit SHA
- Keep squash merge strategy and auto-merge all update types

https://claude.ai/code/session_012ieS3tLTHwwnh9aftVAPVY

github-actions Bot commented Mar 7, 2026

The workflow was appearing as a (skipped) build step on every PR.
Switching to pull_request_target prevents it from showing up at all
on non-Dependabot PRs.

https://claude.ai/code/session_012ieS3tLTHwwnh9aftVAPVY
@dondonz dondonz merged commit d3fbf2d into master Mar 7, 2026
9 of 11 checks passed
@dondonz dondonz deleted the claude/dependabot-auto-merge-config-ekRMj branch March 7, 2026 20:19
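
As an added example (not part of this pull request or of the graphql-java repository): a small Python check for the guards the commit messages name, namely the `user.login` check, the repository guard and SHA pinning. It goes one step beyond the thread by also flagging a `pull_request_target` workflow that references PR head code; the sample workflow, `OWNER/REPO` and the helper name `audit_workflow` are constructed for illustration.

```python
import re

# Constructed sample workflow, not the project's file. OWNER/REPO is a placeholder.
SAMPLE_WORKFLOW = """\
on: pull_request_target
permissions:
  contents: write
  pull-requests: write
jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'OWNER/REPO'
    steps:
      - uses: dependabot/fetch-metadata@v2
      - run: gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
"""

FULL_SHA = re.compile(r"[0-9a-f]{40}")
USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.M)
AUTHOR_GUARD = "github.event.pull_request.user.login == 'dependabot[bot]'"
REPO_GUARD = re.compile(r"github\.repository\s*==\s*'[^']+'")
HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref")

def audit_workflow(text):
    """Return findings for the guards named in the commit messages (hypothetical helper)."""
    findings = []
    # A tag or branch reference can be moved later; require a full commit SHA.
    for ref in USES.findall(text):
        if ref.startswith("./"):
            continue  # local action in the same repository
        _, _, rev = ref.partition("@")
        if not FULL_SHA.fullmatch(rev):
            findings.append(f"unpinned action: {ref}")
    # The job should run only for PRs opened by Dependabot, and only in this repository.
    if AUTHOR_GUARD not in text:
        findings.append("missing PR-author guard")
    if not REPO_GUARD.search(text):
        findings.append("missing repository guard")
    # pull_request_target runs with the base repository's token, so the
    # workflow must not fetch or execute code from the PR head.
    if "pull_request_target" in text and HEAD_REF.search(text):
        findings.append("pull_request_target workflow references PR head code")
    return findings

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(finding)
```

The constructed sample deliberately references `dependabot/fetch-metadata` by tag, so the audit reports that one finding; the checks are text-based and do not parse YAML.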