Replacing Dependabot Preview auto-merge feature

We all knew it was going to happen anyway. GitHub just pulled the plug and removed Dependabot Preview. Dependabot was absorbed by GitHub 2 years ago now, and it seemed logical to phase out the Preview version of it. More than 30,000 organizations relied on this fabulous tool to update their dependencies in a timely fashion.

You have until August 3rd, 2021 to migrate to the new Dependabot that has been integrated into GitHub.

At Mergify, we have been heavy fans and users of Dependabot since the beginning, and the product itself has been a great inspiration for us.

While announcing the retirement of Dependabot Preview, GitHub also warned their users that they would lose a few features: live updates, PHP environment variable registries, and auto-merge.

While we can't help anyone with PHP (really, sorry), we can help with the auto-merge feature Dependabot Preview provided for its own pull requests.

Replacing auto-merge with Mergify

You know Mergify is in the business of automating pull requests, so going with an automatic merge of Dependabot pull requests will be child's play.

The simple case is to merge all pull requests when the CI passes. You could write a rule like this:

pull_request_rules:
  - name: automatic merge for Dependabot pull requests
    conditions:
      - author=dependabot[bot]
      # Replace with the name of your CI(s)
      - check-success=Travis CI - Pull Request
    actions:
      merge:
        method: merge

If you are using branch protections and require a review to happen on every pull request, you can add one more rule to make Mergify approve the pull requests:

pull_request_rules:
  - name: automatic merge for Dependabot pull requests
    conditions:
      - author=dependabot[bot]
      # Replace with the name of your CI(s)
      - check-success=Travis CI - Pull Request
    actions:
      review:
        type: APPROVE
        message: Automatically approving dependabot
      merge:
        method: merge

Merging only minor changes

Unfortunately, Dependabot does not provide an easy way to distinguish whether an update is major, minor, or micro. It could label the pull requests it creates, but it does not. Therefore, the next best solution is to leverage a regular expression on the pull request title to match the version bump.

The following example only merges pull requests from Dependabot if the update is a minor or micro version change. If the major version changes, Mergify will not merge the pull request:

pull_request_rules:
  - name: automatic merge for Dependabot pull requests
    conditions:
      - author=dependabot[bot]
      # Replace with the name of your CI(s)
      - check-success=Travis CI - Pull Request
      - title~=^Bump [^\s]+ from ([\d]+)\..+ to \1\.
    actions:
      merge:
        method: merge
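To see what the title regex above accepts and rejects before trusting it with auto-merge, here is an added example (not part of the original post or of Mergify's own code) that evaluates the three conditions of the rule in Python against constructed Dependabot-style titles. It assumes that Mergify's `~=` operator behaves like a regular-expression search, which makes no difference here because the pattern is anchored with `^`.

```python
import re

# The title regex from the rule above: the major version captured before
# "to" must be repeated after it, so only minor/micro bumps match.
MINOR_OR_MICRO_BUMP = re.compile(r"^Bump [^\s]+ from ([\d]+)\..+ to \1\.")

# Constructed sample titles in Dependabot's format (not real pull requests).
SAMPLE_TITLES = [
    "Bump requests from 2.25.1 to 2.26.0",              # minor bump
    "Bump urllib3 from 1.26.4 to 1.26.5 in /backend",   # micro bump, with a directory suffix
    "Bump django from 2.2.24 to 3.2.5",                 # major bump
    "Bump lodash from 4.17.20 to 4.17.21",              # micro bump
    "Bump coverage from 5.5 to 6.0",                    # major bump, two-component versions
    "Bump sentry-sdk from 1.1.0 to 10.0.0",             # major bump: "1." must not match "10."
]


def is_minor_or_micro_bump(title: str) -> bool:
    """True when the title describes a bump that keeps the same major version."""
    return MINOR_OR_MICRO_BUMP.search(title) is not None


def should_auto_merge(author: str, checks: dict, title: str, ci_name: str) -> bool:
    """Mirror the rule's three conditions: author, CI check status, and title."""
    return (
        author == "dependabot[bot]"
        and checks.get(ci_name) == "success"
        and is_minor_or_micro_bump(title)
    )


def classify(titles) -> dict:
    """Map each title to "merge" or "hold" as the rule would decide it."""
    return {t: ("merge" if is_minor_or_micro_bump(t) else "hold") for t in titles}


if __name__ == "__main__":
    for title, decision in classify(SAMPLE_TITLES).items():
        print(f"{decision:5}  {title}")
```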

You can tweak these rules as you like, adding even more conditions, such as ignoring specific libraries or packages. Everything is up to your imagination, as Mergify certainly provides more conditions than Dependabot Preview used to.

Mergify is exceptionally flexible and allows you to automate anything. It's free for open-source, so go ahead and give it a try.

And if you like bots, be sure to check out our top 10 of the best GitHub Apps. 🤖