{"meta":{"title":"Automating Dependabot with GitHub Actions","intro":"Examples of how you can use GitHub Actions to automate common Dependabot-related tasks.","product":"Security and code quality","breadcrumbs":[{"href":"/en/code-security","title":"Security and code quality"},{"href":"/en/code-security/tutorials","title":"Tutorials"},{"href":"/en/code-security/tutorials/secure-your-dependencies","title":"Secure your dependencies"},{"href":"/en/code-security/tutorials/secure-your-dependencies/automating-dependabot-with-github-actions","title":"Use Dependabot with Actions"}],"documentType":"article"},"body":"# Automating Dependabot with GitHub Actions\n\nExamples of how you can use GitHub Actions to automate common Dependabot-related tasks.\n\n> \\[!NOTE] This article explains how to automate Dependabot-related tasks using GitHub Actions. For more information about running Dependabot updates using GitHub Actions, see [About Dependabot on GitHub Actions runners](/en/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners) instead.\n\nYou can use GitHub Actions to perform automated tasks when Dependabot creates pull requests to update dependencies. You may find this useful if you want to:\n\n* Ensure that Dependabot pull requests (version updates and security updates) are created with the right data for your work processes, including labels and names.\n\n* Trigger workflows to send Dependabot pull requests (version updates and security updates) into your review process or to merge automatically.\n\n## About Dependabot and GitHub Actions\n\n> \\[!IMPORTANT]\n> If Dependabot is enabled for a repository, it will always run on GitHub Actions, **bypassing both Actions policy checks and disablement at the repository or organization level**. This ensures that security and version update workflows always run when Dependabot is enabled.\n\nDependabot creates pull requests to keep your dependencies up to date. 
You can use GitHub Actions to perform automated tasks when these pull requests are created. For example, fetch additional artifacts, add labels, run tests, or otherwise modify the pull request.\n\nDependabot is able to trigger GitHub Actions workflows on its pull requests and comments; however, certain events are treated differently. For more information, see [Troubleshooting Dependabot on GitHub Actions](/en/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions).\n\nHere are several common scenarios for pull requests that can be automated using GitHub Actions.\n\n## Fetching metadata about a pull request\n\nMost automation requires you to know information about the contents of the pull request: what the dependency name was, if it's a production dependency, and if it's a major, minor, or patch update. You can use an action to retrieve information about the dependencies being updated by a pull request generated by Dependabot.\n\nExample:\n\n```yaml copy\n# This workflow uses actions that are not certified by GitHub.\n# They are provided by a third-party and are governed by\n# separate terms of service, privacy policy, and support\n# documentation.\nname: Dependabot fetch metadata\non: pull_request\n\npermissions:\n  pull-requests: write\n  issues: write\n\njobs:\n  dependabot:\n    runs-on: ubuntu-latest\n    if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo'\n    steps:\n      - name: Dependabot metadata\n        id: metadata\n        uses: dependabot/fetch-metadata@d7267f607e9d3fb96fc2fbe83e0af444713e90b7\n        with:\n          github-token: \"${{ secrets.GITHUB_TOKEN }}\"\n      # The following properties are now available:\n      #  - steps.metadata.outputs.dependency-names\n      #  - steps.metadata.outputs.dependency-type\n      #  - steps.metadata.outputs.update-type\n```\n\nFor more information, see the 
[`dependabot/fetch-metadata`](https://github.com/dependabot/fetch-metadata) repository.\n\n## Labeling a pull request\n\nIf you have other automation or triage workflows based on GitHub labels, you can configure an action to assign labels based on the metadata provided.\n\nExample that flags all production dependency updates with a label:\n\n```yaml copy\n# This workflow uses actions that are not certified by GitHub.\n# They are provided by a third-party and are governed by\n# separate terms of service, privacy policy, and support\n# documentation.\nname: Dependabot auto-label\non: pull_request\n\npermissions:\n  pull-requests: write\n  issues: write\n\njobs:\n  dependabot:\n    runs-on: ubuntu-latest\n    if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo'\n    steps:\n      - name: Dependabot metadata\n        id: metadata\n        uses: dependabot/fetch-metadata@d7267f607e9d3fb96fc2fbe83e0af444713e90b7\n        with:\n          github-token: \"${{ secrets.GITHUB_TOKEN }}\"\n      - name: Add a label for all production dependencies\n        if: steps.metadata.outputs.dependency-type == 'direct:production'\n        run: gh pr edit \"$PR_URL\" --add-label \"production\"\n        env:\n          PR_URL: ${{github.event.pull_request.html_url}}\n          # The GitHub CLI reads GH_TOKEN to authenticate its API calls\n          GH_TOKEN: ${{secrets.GITHUB_TOKEN}}\n```\n\n## Automatically approving a pull request\n\nYou can automatically approve Dependabot pull requests by using the GitHub CLI in a workflow.\n\nExample:\n\n```yaml copy\n# This workflow uses actions that are not certified by GitHub.\n# They are provided by a third-party and are governed by\n# separate terms of service, privacy policy, and support\n# documentation.\nname: Dependabot auto-approve\non: pull_request\n\npermissions:\n  pull-requests: write\n\njobs:\n  dependabot:\n    runs-on: ubuntu-latest\n    if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo'\n    steps:\n      - name: Dependabot metadata\n        id: 
metadata\n        uses: dependabot/fetch-metadata@d7267f607e9d3fb96fc2fbe83e0af444713e90b7\n        with:\n          github-token: \"${{ secrets.GITHUB_TOKEN }}\"\n      - name: Approve a PR\n        run: gh pr review --approve \"$PR_URL\"\n        env:\n          PR_URL: ${{github.event.pull_request.html_url}}\n          GH_TOKEN: ${{secrets.GITHUB_TOKEN}}\n```\n\n## Enabling automerge on a pull request\n\nIf you want to allow maintainers to mark certain pull requests for automerge, you can use GitHub's automerge functionality. This enables the pull request to be merged when any tests and approvals required by the branch protection rules are successfully met.\n\nFor more information, see [Automatically merging a pull request](/en/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/automatically-merging-a-pull-request) and [Managing a branch protection rule](/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule).\n\nYou can instead use GitHub Actions and the GitHub CLI. 
Here is an example that automerges all patch updates to `my-dependency`:\n\n```yaml copy\n# This workflow uses actions that are not certified by GitHub.\n# They are provided by a third-party and are governed by\n# separate terms of service, privacy policy, and support\n# documentation.\nname: Dependabot auto-merge\non: pull_request\n\npermissions:\n  contents: write\n  pull-requests: write\n\njobs:\n  dependabot:\n    runs-on: ubuntu-latest\n    if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo'\n    steps:\n      - name: Dependabot metadata\n        id: metadata\n        uses: dependabot/fetch-metadata@d7267f607e9d3fb96fc2fbe83e0af444713e90b7\n        with:\n          github-token: \"${{ secrets.GITHUB_TOKEN }}\"\n      - name: Enable auto-merge for Dependabot PRs\n        if: contains(steps.metadata.outputs.dependency-names, 'my-dependency') && steps.metadata.outputs.update-type == 'version-update:semver-patch'\n        run: gh pr merge --auto --merge \"$PR_URL\"\n        env:\n          PR_URL: ${{github.event.pull_request.html_url}}\n          GH_TOKEN: ${{secrets.GITHUB_TOKEN}}\n```\n\n> \\[!NOTE]\n> If you use status checks to test pull requests, you should enable **Require status checks to pass before merging** for the target branch for Dependabot pull requests. This branch protection rule ensures that pull requests are not merged unless **all the required status checks pass**. For more information, see [Managing a branch protection rule](/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule).\n\n## Dependabot and GitHub Actions policies\n\nNormally, whether a workflow can run in a repository depends on GitHub Actions **policy checks** and whether GitHub Actions is **enabled** at the organization or repository level. 
These controls can restrict workflows from running—especially when external actions are blocked or GitHub Actions is disabled entirely.\n\nHowever, when Dependabot is enabled for a repository, its workflows will always run on GitHub Actions, **bypassing both Actions policy checks and disablement**.\n\n* Dependabot workflows are not blocked by Actions disablement or enterprise policy restrictions.\n* The actions referenced within these workflows are also allowed to run, even if external actions are disallowed.\n\nFor more information, see [About Dependabot on GitHub Actions runners](/en/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners).\n\n## Investigating failed workflow runs\n\nIf your workflow run fails, check the following:\n\n* You are running the workflow only when the correct actor triggers it.\n* You are checking out the correct `ref` for your `pull_request`.\n* Your secrets are available in Dependabot secrets rather than as GitHub Actions secrets.\n* You have a `GITHUB_TOKEN` with the correct permissions.\n\nFor information on writing and debugging GitHub Actions, see [Writing workflows](/en/actions/learn-github-actions).\n\nFor more tips to help resolve issues with workflows, see [Troubleshooting Dependabot on GitHub Actions](/en/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions)."}