Note
This article explains how to automate Dependabot-related tasks using GitHub Actions. For more information about running Dependabot updates using GitHub Actions, see Dependabot on GitHub Actions runners instead.
You can use GitHub Actions to perform automated tasks when Dependabot creates pull requests to update dependencies. You may find this useful if you want to:
- Ensure that Dependabot pull requests (version updates and security updates) are created with the right data for your work processes, including labels and names.
- Trigger workflows to send Dependabot pull requests (version updates and security updates) into your review process or to merge automatically.
About Dependabot and GitHub Actions
Important
If Dependabot is enabled for a repository, it will always run on GitHub Actions, bypassing both Actions policy checks and disablement at the repository or organization level. This ensures that security and version update workflows always run when Dependabot is enabled.
Dependabot creates pull requests to keep your dependencies up to date. You can use GitHub Actions to perform automated tasks when these pull requests are created. For example, fetch additional artifacts, add labels, run tests, or otherwise modify the pull request.
Dependabot can trigger GitHub Actions workflows on its pull requests and comments; however, certain events are treated differently. For more information, see Troubleshooting Dependabot on GitHub Actions.
Here are several common scenarios for pull requests that can be automated using GitHub Actions.
Fetching metadata about a pull request
Most automation requires you to know information about the contents of the pull request: what the dependency name was, if it's a production dependency, and if it's a major, minor, or patch update. You can use an action to retrieve information about the dependencies being updated by a pull request generated by Dependabot.
Example:
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.

name: Dependabot fetch metadata
on: pull_request
permissions:
  pull-requests: write
  issues: write
jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo'
    steps:
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@d7267f607e9d3fb96fc2fbe83e0af444713e90b7
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
      # The following properties are now available:
      # - steps.metadata.outputs.dependency-names
      # - steps.metadata.outputs.dependency-type
      # - steps.metadata.outputs.update-type
For more information, see the dependabot/fetch-metadata repository.
Labeling a pull request
If you have other automation or triage workflows based on GitHub labels, you can configure an action to assign labels based on the metadata provided.
Example that flags all production dependency updates with a label:
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.

name: Dependabot auto-label
on: pull_request
permissions:
  pull-requests: write
  issues: write
jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo'
    steps:
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@d7267f607e9d3fb96fc2fbe83e0af444713e90b7
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
      - name: Add a label for all production dependencies
        if: steps.metadata.outputs.dependency-type == 'direct:production'
        run: gh pr edit "$PR_URL" --add-label "production"
        env:
          PR_URL: ${{github.event.pull_request.html_url}}
          # gh needs a token to authenticate the API call
          GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
Automatically approving a pull request
You can automatically approve Dependabot pull requests by using the GitHub CLI in a workflow.
Example:
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.

name: Dependabot auto-approve
on: pull_request
permissions:
  pull-requests: write
jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo'
    steps:
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@d7267f607e9d3fb96fc2fbe83e0af444713e90b7
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
      - name: Approve a PR
        run: gh pr review --approve "$PR_URL"
        env:
          PR_URL: ${{github.event.pull_request.html_url}}
          GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
Enabling automerge on a pull request
If you want to allow maintainers to mark certain pull requests for automerge, you can use GitHub's automerge functionality. This enables the pull request to be merged when any tests and approvals required by the branch protection rules are successfully met.
For more information, see Automatically merging a pull request and Managing a branch protection rule.
You can instead use GitHub Actions and the GitHub CLI. Here is an example that automerges all patch updates to my-dependency:
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.

name: Dependabot auto-merge
on: pull_request
permissions:
  contents: write
  pull-requests: write
jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo'
    steps:
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@d7267f607e9d3fb96fc2fbe83e0af444713e90b7
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
      - name: Enable auto-merge for Dependabot PRs
        if: contains(steps.metadata.outputs.dependency-names, 'my-dependency') && steps.metadata.outputs.update-type == 'version-update:semver-patch'
        run: gh pr merge --auto --merge "$PR_URL"
        env:
          PR_URL: ${{github.event.pull_request.html_url}}
          GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
참고
If you use status checks to test pull requests, you should enable Require status checks to pass before merging for the target branch for Dependabot pull requests. This branch protection rule ensures that pull requests are not merged unless all the required status checks pass. For more information, see Managing a branch protection rule.
If the target branch uses a merge queue, the built-in GITHUB_TOKEN cannot add pull requests to the queue. In this case, you must authenticate the workflow with a personal access token or a GitHub App token that has permission to merge, and use it in place of GITHUB_TOKEN for the gh pr merge step.
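The auto-merge condition above relies on contains(), which for a string operand is a substring match on the dependency-names output: 'my-dependency' would also match a package named my-dependency-extra, and a grouped update listing several packages passes as soon as one of them matches. The POSIX shell gate below is an example added here, not code from GitHub's documentation or from the fetch-metadata action; it generalizes the page's check to an exact-match allowlist plus a maximum update level, and the function names, argument layout and the comma-separated form of dependency-names are assumptions of this example.

```shell
# Assumed usage from a workflow step, feeding the fetch-metadata outputs:
#   sh automerge-gate.sh "${{ steps.metadata.outputs.dependency-names }}" \
#                        "${{ steps.metadata.outputs.update-type }}" \
#                        "my-dependency,other-lib" 1
# Exit status 0 means the PR passes the gate and gh pr merge may run.

# Map a fetch-metadata update-type to a risk rank: patch < minor < major.
update_rank() {
  case "$1" in
    version-update:semver-patch) echo 1 ;;
    version-update:semver-minor) echo 2 ;;
    version-update:semver-major) echo 3 ;;
    *) echo 99 ;;  # unknown or non-semver update: never auto-merge
  esac
}

# should_automerge NAMES UPDATE_TYPE ALLOWLIST MAX_RANK
#   NAMES      comma-separated dependency-names output (grouped PRs list several)
#   ALLOWLIST  comma-separated exact package names allowed to auto-merge
#   MAX_RANK   highest update_rank accepted (1 = patch updates only)
# Returns 0 only if every listed package is allowlisted and the update level
# is within MAX_RANK; any other case is left for human review.
should_automerge() {
  names=$1 update=$2 allow=$3 max=$4
  [ -n "$names" ] || return 1
  [ "$(update_rank "$update")" -le "$max" ] || return 1
  old_ifs=$IFS
  IFS=','
  for n in $names; do
    n=$(printf '%s' "$n" | sed 's/^ *//;s/ *$//')   # trim "a, b" spacing
    ok=1
    for a in $allow; do
      [ "$a" = "$n" ] && ok=0   # exact match, not a substring match
    done
    if [ $ok -ne 0 ]; then IFS=$old_ifs; return 1; fi
  done
  IFS=$old_ifs
  return 0
}

# When run as a script with four arguments, report the decision via exit status.
if [ "$#" -eq 4 ]; then
  should_automerge "$@"
  exit $?
fi
```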
Dependabot and GitHub Actions policies
Normally, whether a workflow can run in a repository depends on GitHub Actions policy checks and whether GitHub Actions is enabled at the organization or repository level. These controls can restrict workflows from running—especially when external actions are blocked or GitHub Actions is disabled entirely.
However, when Dependabot is enabled for a repository, its workflows will always run on GitHub Actions, bypassing both Actions policy checks and disablement.
- Dependabot workflows are not blocked by Actions disablement or enterprise policy restrictions.
- The actions referenced within these workflows are also allowed to run, even if external actions are disallowed.
For more information, see Dependabot on GitHub Actions runners.
Investigating failed workflow runs
If your workflow run fails, check the following:
- You are running the workflow only when the correct actor triggers it.
- You are checking out the correct ref for your pull_request.
- Your secrets are available in Dependabot secrets rather than as GitHub Actions secrets.
- You have a GITHUB_TOKEN with the correct permissions.
For information on writing and debugging GitHub Actions, see Writing workflows.
For more tips to help resolve issues with workflows, see Troubleshooting Dependabot on GitHub Actions.