Esta versión de GitHub Enterprise Server se discontinuó el 2026-06-02. No se realizarán lanzamientos de patch, ni siquiera para problemas de seguridad críticos. Para obtener rendimiento mejorado, seguridad mejorada y nuevas características, actualice a la versión más reciente de GitHub Enterprise Server. Para obtener ayuda con la actualización, póngase en contacto con el soporte técnico de GitHub Enterprise.

Automating Dependabot with GitHub Actions

Examples of how you can use GitHub Actions to automate common Dependabot related tasks.

¿Quién puede utilizar esta característica?

Usuarios con acceso de escritura

En este artículo

You can use GitHub Actions to perform automated tasks when Dependabot creates pull requests to update dependencies. You may find this useful if you want to:

  • Ensure that Dependabot pull requests (version updates and security updates) are created with the right data for your work processes, including labels and names.

  • Trigger workflows to send Dependabot pull requests (version updates and security updates) into your review process or to merge automatically.

Nota:

Para poder utilizar esta característica, el administrador del sitio debe configurar Dependabot updates para tu instancia de GitHub Enterprise Server. Para obtener más información, consulta Habilitación de Dependabot para la empresa.

Es posible que no puedas habilitar ni deshabilitar Dependabot updates si un propietario de empresa ha establecido una directiva a nivel empresarial. Para más información, consulta Aplicación de directivas de seguridad y análisis de código de la empresa.

About Dependabot and GitHub Actions

Importante

If Dependabot is enabled for a repository, it will always run on GitHub Actions, bypassing both Actions policy checks and disablement at the repository or organization level. This ensures that security and version update workflows always run when Dependabot is enabled.

Dependabot creates pull requests to keep your dependencies up to date. You can use GitHub Actions to perform automated tasks when these pull requests are created. For example, fetch additional artifacts, add labels, run tests, or otherwise modify the pull request.

El Dependabot puede activar flujos de trabajo de las GitHub Actions en sus solicitudes de cambios y comentarios; sin embargo, algunos eventos se tratan de forma distinta. For more information, see Troubleshooting Dependabot on GitHub Actions.

Here are several common scenarios for pull requests that can be automated using GitHub Actions.

Fetching metadata about a pull request

Most automation requires you to know information about the contents of the pull request: what the dependency name was, if it's a production dependency, and if it's a major, minor, or patch update. You can use an action to retrieve information about the dependencies being updated by a pull request generated by Dependabot.

Example:

YAML
# Este flujo de trabajo usa acciones que no GitHub no certifica.
# Estas las proporcionan entidades terceras y las gobiernan
# condiciones de servicio, políticas de privacidad y documentación de soporte
# en línea.
name: Dependabot fetch metadata
on: pull_request

permissions:
  pull-requests: write
  issues: write

jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo'
    steps:
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@d7267f607e9d3fb96fc2fbe83e0af444713e90b7
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
      # The following properties are now available:
      #  - steps.metadata.outputs.dependency-names
      #  - steps.metadata.outputs.dependency-type
      #  - steps.metadata.outputs.update-type

For more information, see the dependabot/fetch-metadata repository.

Labeling a pull request

If you have other automation or triage workflows based on GitHub labels, you can configure an action to assign labels based on the metadata provided.

Example that flags all production dependency updates with a label:

YAML
# Este flujo de trabajo usa acciones que no GitHub no certifica.
# Estas las proporcionan entidades terceras y las gobiernan
# condiciones de servicio, políticas de privacidad y documentación de soporte
# en línea.
name: Dependabot auto-label
on: pull_request

permissions:
  pull-requests: write
  issues: write

jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo'
    steps:
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@d7267f607e9d3fb96fc2fbe83e0af444713e90b7
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
      - name: Add a label for all production dependencies
        if: steps.metadata.outputs.dependency-type == 'direct:production'
        run: gh pr edit "$PR_URL" --add-label "production"
        env:
          PR_URL: ${{github.event.pull_request.html_url}}

Automatically approving a pull request

You can automatically approve Dependabot pull requests by using the GitHub CLI in a workflow.

Example:

YAML
# Este flujo de trabajo usa acciones que no GitHub no certifica.
# Estas las proporcionan entidades terceras y las gobiernan
# condiciones de servicio, políticas de privacidad y documentación de soporte
# en línea.
name: Dependabot auto-approve
on: pull_request

permissions:
  pull-requests: write

jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo'
    steps:
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@d7267f607e9d3fb96fc2fbe83e0af444713e90b7
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
      - name: Approve a PR
        run: gh pr review --approve "$PR_URL"
        env:
          PR_URL: ${{github.event.pull_request.html_url}}
          GH_TOKEN: ${{secrets.GITHUB_TOKEN}}

Enabling automerge on a pull request

If you want to allow maintainers to mark certain pull requests for automerge, you can use GitHub's automerge functionality. This enables the pull request to be merged when any tests and approvals required by the branch protection rules are successfully met.

For more information, see Fusionar una solicitud de cambios automáticamente and Administrar una regla de protección de rama.

You can instead use GitHub Actions and the GitHub CLI. Here is an example that automerges all patch updates to my-dependency:

YAML
# Este flujo de trabajo usa acciones que no GitHub no certifica.
# Estas las proporcionan entidades terceras y las gobiernan
# condiciones de servicio, políticas de privacidad y documentación de soporte
# en línea.
name: Dependabot auto-merge
on: pull_request

permissions:
  contents: write
  pull-requests: write

jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo'
    steps:
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@d7267f607e9d3fb96fc2fbe83e0af444713e90b7
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
      - name: Enable auto-merge for Dependabot PRs
        if: contains(steps.metadata.outputs.dependency-names, 'my-dependency') && steps.metadata.outputs.update-type == 'version-update:semver-patch'
        run: gh pr merge --auto --merge "$PR_URL"
        env:
          PR_URL: ${{github.event.pull_request.html_url}}
          GH_TOKEN: ${{secrets.GITHUB_TOKEN}}

Nota:

If you use status checks to test pull requests, you should enable Require status checks to pass before merging for the target branch for Dependabot pull requests. This branch protection rule ensures that pull requests are not merged unless all the required status checks pass. For more information, see Administrar una regla de protección de rama.

If the target branch uses a merge queue, the built-in GITHUB_TOKEN cannot add pull requests to the queue. In this case, you must authenticate the workflow with a personal access token or a GitHub App token that has permission to merge, and use it in place of GITHUB_TOKEN for the gh pr merge step.

Dependabot and GitHub Actions policies

Normally, whether a workflow can run in a repository depends on GitHub Actions policy checks and whether GitHub Actions is enabled at the organization or repository level. These controls can restrict workflows from running—especially when external actions are blocked or GitHub Actions is disabled entirely.

However, when Dependabot is enabled for a repository, its workflows will always run on GitHub Actions, bypassing both Actions policy checks and disablement.

  • Dependabot workflows are not blocked by Actions disablement or enterprise policy restrictions.
  • The actions referenced within these workflows are also allowed to run, even if external actions are disallowed.

Investigating failed workflow runs

If your workflow run fails, check the following:

  • You are running the workflow only when the correct actor triggers it.
  • You are checking out the correct ref for your pull_request.
  • Your secrets are available in Dependabot secrets rather than as GitHub Actions secrets.
  • You have a GITHUB_TOKEN with the correct permissions.

For information on writing and debugging GitHub Actions, see Escritura de flujos de trabajo.

For more tips to help resolve issues with workflows, see Troubleshooting Dependabot on GitHub Actions.