--- name: Dependabot auto-merge on: pull_request permissions: contents: write pull-requests: write jobs: auto-merge: # Enable auto-merge for minor/patch dependency bumps; majors stay manual. # The merge only happens once every required status check (make test) is # green, so the CI stays the gate. if: github.actor == 'dependabot[bot]' runs-on: ubuntu-latest steps: - name: Fetch dependency metadata id: metadata uses: dependabot/fetch-metadata@v3 with: github-token: ${{ secrets.GITHUB_TOKEN }} - name: Enable auto-merge (minor + patch) if: steps.metadata.outputs.update-type != 'version-update:semver-major' run: gh pr merge --auto --squash "$PR_URL" env: PR_URL: ${{ github.event.pull_request.html_url }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}