Question 1

How do I set up Merge Me! Action for Dependabot on GitHub?

Accepted Answer

Create a workflow file (e.g., merge-me.yaml) using a trigger like workflow_run for public repos or pull_request_target for private repos, as shown in the README. Configure GITHUB_TOKEN and optionally use presets like DEPENDABOT_PATCH to filter updates. Ensure branch protection rules are in place to enforce CI checks before merging.

Question 2

What's the difference between Merge Me! Action and GitHub's built-in auto-merge?

Accepted Answer

Merge Me! Action offers more granular control, such as semantic version presets, configurable retries, and support for multiple triggers beyond simple auto-merge. It integrates with branch protection rules and can target specific bots, whereas GitHub's native feature is more basic and less customizable for complex workflows.

Question 3

Can Merge Me! Action merge PRs from bots other than Dependabot?

Accepted Answer

Yes, it supports other bots by configuring the GITHUB_LOGIN input with micromatch patterns. For example, you can set it to 'dependabot-preview' or custom bot names, allowing flexibility in automating merges for various dependency update tools.

Question 4

Is Merge Me! Action safe to use with pull_request_target trigger?

Accepted Answer

It can be safe if configured correctly, but the README warns of security risks like pwn requests. For private repos, it's recommended, but for public repos, workflow_run is safer. Always follow the security guidelines provided to minimize vulnerabilities.

Question 5

How to configure Merge Me! Action for private repositories?

Accepted Answer

Use the pull_request_target trigger in a single workflow that includes CI jobs, as detailed in the README example. This allows combining testing and merging while maintaining access to secrets, but ensure the GITHUB_TOKEN has appropriate permissions for protected branches.

Question 6

What are the retry settings in Merge Me! Action?

Accepted Answer

By default, it retries failed merges up to three times with exponential backoff (1s, 4s, 9s). You can adjust this by setting MAXIMUM_RETRIES in the configuration, helping to handle transient failures without manual oversight.

Question 7

How does Merge Me! Action handle semantic versioning?

Accepted Answer

It uses presets like DEPENDABOT_MINOR and DEPENDABOT_PATCH to merge only specific version updates based on semantic versioning rules. This ensures that only patch or minor updates are automated, reducing the risk of breaking changes from major updates.

Automatically approve and merge Dependabot updates

What is Automatically approve and merge Dependabot updates?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions