How do I automerge dependabot updates (config version 2)?
Following "Dependabot is moving natively into GitHub!", I had to update my dependabot config files to use version 2 format.
My .dependabot/config.yaml did look like:

```yaml
version: 1
update_configs:
  - package_manager: "python"
    directory: "/"
    update_schedule: "live"
    automerged_updates:
      - match:
          dependency_type: "all"
          update_type: "all"
```
I've got the following working:

```yaml
version: 2
updates:
  - package-ecosystem: pip
    directory: "/"
    schedule:
      interval: daily
```
but I can't seem to add the automerge option again (when checking with the dependabot validator)?
Solution 1:[1]
Auto-merge was disabled in the move of Dependabot into GitHub:
Auto-merge will not be supported in GitHub-native Dependabot for the foreseeable future. We know some of you have built great workflows that rely on auto-merge, but right now, we’re concerned about auto-merge being used to quickly propagate a malicious package across the ecosystem. We recommend always verifying your dependencies before merging them.
There are some hacks to accomplish this; you can check GitHub dependabot-core issue #1973 for some ideas.
Solution 2:[2]
This is now an officially documented feature. You can approve a Dependabot pull request and set it to auto-merge with a GitHub Actions workflow like…
```yaml
name: Dependabot auto-approve
on: pull_request_target
permissions:
  contents: write
  pull-requests: write
jobs:
  dependabot:
    runs-on: ubuntu-latest
    # Only run for PRs opened by Dependabot. pull_request_target runs with the
    # base repository's secrets, so this gate is what keeps the write-capable
    # token away from pull requests opened by anyone else.
    if: ${{ github.actor == 'dependabot[bot]' }}
    steps:
      - name: Dependabot metadata
        id: metadata
        # The exact release tag was garbled in extraction ("[email protected]"
        # in the original); pin to a specific release tag or commit SHA.
        uses: dependabot/fetch-metadata@v1
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
      - name: Enable auto-merge for Dependabot PRs
        # Gate on which dependency was bumped and how far (patch only here).
        if: ${{ contains(steps.metadata.outputs.dependency-names, 'my-dependency') && steps.metadata.outputs.update-type == 'version-update:semver-patch' }}
        run: gh pr merge --auto --merge "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```
If you use code owners and the branch is protected, you may find this will still wait for code owner review to merge. Unfortunately, code owners do not allow you to negate the affected files, so you will need to explicitly list the owned files in the CODEOWNERS file to enable a fully non-interactive merge step.
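The `if` expression in the workflow above encodes one fixed policy (one dependency, patch bumps only). As an added example, not part of either answer, the same gating generalised into a small policy check that could run as a workflow step: it reads the `dependency-names`, `update-type` and `dependency-type` outputs of fetch-metadata (passed in as environment variables, a wiring choice of this example), requires every bumped dependency to be on an allowlist, and caps the allowed semver level per dependency type. The allowlist contents and the `DEP_NAMES`/`UPDATE_TYPE`/`DEP_TYPE` variable names are constructed for the example.

```python
import os

# Semver levels as emitted in fetch-metadata's update-type output, ranked by risk.
SEMVER_RANK = {
    "version-update:semver-patch": 0,
    "version-update:semver-minor": 1,
    "version-update:semver-major": 2,
}

# Constructed example policy: the largest bump that may auto-merge, per dependency type.
# Anything not allowlisted, above its cap, or of unknown type waits for a human review.
POLICY = {
    "allowlist": {"requests", "urllib3", "pytest"},
    "max_level": {
        "direct:production": "version-update:semver-patch",
        "direct:development": "version-update:semver-minor",
        "indirect": "version-update:semver-patch",
    },
}


def should_automerge(dependency_names, update_type, dependency_type, policy=POLICY):
    """True only if every bumped dependency is allowlisted and the bump is within its cap."""
    names = [n.strip() for n in dependency_names.split(",") if n.strip()]
    if not names or any(n not in policy["allowlist"] for n in names):
        return False  # grouped updates: one unknown package vetoes the whole PR
    cap = policy["max_level"].get(dependency_type)
    if cap is None or update_type not in SEMVER_RANK:
        return False  # unknown dependency type, or a non-semver bump (e.g. a git SHA)
    return SEMVER_RANK[update_type] <= SEMVER_RANK[cap]


def decide_from_env(environ=os.environ):
    """Read the metadata outputs from env vars and report the decision for the workflow."""
    ok = should_automerge(
        environ.get("DEP_NAMES", ""),
        environ.get("UPDATE_TYPE", ""),
        environ.get("DEP_TYPE", ""),
    )
    print("automerge" if ok else "manual-review")
    return ok


if __name__ == "__main__":
    decide_from_env()
```

A workflow step would export the three outputs as those variables and run `gh pr merge --auto` only when the script reports `automerge`.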
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Milton Castro |
| Solution 2 | live2 |
