This blog uses a GitHub Action to automatically merge pull requests from Dependabot as long as the Netlify deploy preview check succeeds. It was a bit of a pain to get going¹, and always seemed like a process that GitHub could have made easier.

Of course, that was on purpose:

Tweet by Justin Hutchings (@jhutchings0): Sometimes folks ask me why @dependabot doesn't support automerge. It's convenient, and seems like it should just work. So why doesn't it? 1/n

While I agree with Justin that security researchers are more likely to audit packages than the downstream consumers who install them, and that supply chain attacks are worth solving, Accelerate² makes a compelling case that in the meantime it is better to ship both good and bad packages faster than to stall either. Besides, security-sensitive projects already know who they are and have integration processes for auditing dependency updates promptly; automerge is for the rest of us.
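For concreteness, here is the shape such a workflow takes. This is an added example, not this blog's own workflow (which the post does not reproduce). It assumes the repository has "Allow auto-merge" enabled and branch protection on the default branch that lists the Netlify deploy preview as a required status check, so `gh pr merge --auto` does nothing until that check is green; the step and job names are arbitrary.

```yaml
# Added example (not this blog's actual workflow): enable auto-merge on
# Dependabot PRs so they land once required checks, including the Netlify
# deploy preview, pass.
# Assumptions: "Allow auto-merge" is enabled in the repository settings, and
# branch protection on the default branch requires the Netlify deploy preview
# status check under whatever name Netlify reports it.
name: Dependabot auto-merge

on: pull_request

# Workflows triggered by Dependabot receive a read-only GITHUB_TOKEN by default;
# grant only what enabling auto-merge needs.
permissions:
  contents: write
  pull-requests: write

jobs:
  automerge:
    runs-on: ubuntu-latest
    # Only act on PRs that Dependabot itself opened, never on PRs from other authors.
    if: github.actor == 'dependabot[bot]'
    steps:
      - name: Read Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v2

      # Fast-path only patch and minor version bumps; major updates wait for a human.
      - name: Enable auto-merge
        if: >-
          steps.metadata.outputs.update-type == 'version-update:semver-patch' ||
          steps.metadata.outputs.update-type == 'version-update:semver-minor'
        run: gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Two details carry the safety argument: the `if` on `github.actor` means a pull request opened by anyone other than Dependabot never reaches the merge step, and the `update-type` guard keeps major bumps out of the fast path. The merge is performed with the workflow's `GITHUB_TOKEN`, and pushes made with that token do not trigger further workflow runs in the same repository; that is fine when Netlify deploys from its own hook, but matters if a `push`-triggered deploy workflow lives alongside this one. `--squash` also requires squash merging to be allowed in the repository's merge settings.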

  1. And it’s constantly breaking. 

  2. Forsgren, Nicole, et al. Accelerate: The Science of Lean Software and DevOps: Building and Scaling High Performing Technology Organizations. IT Revolution, 2018.