--- title: Integrating Dependabot with Mergify description: How to automate your dependencies update using Mergify. --- import dependabotLogo from "../../images/integrations/dependabot/logo.png" import IntegrationLogo from "../../../components/IntegrationLogo.astro" [Dependabot](https://github.com/features/security) helps you keep your dependencies up-to-date by automatically opening pull requests for outdated dependencies. When combined with Mergify, you can automate parts of the process even further, ensuring your projects stay current with minimal manual intervention. ## Automating Dependabot Pull Request Merges There are two primary ways to automate the merging of Dependabot PRs with Mergify: ### 1. Direct Merge or Merge Queue You can set up a pull request rule to automatically merge Dependabot PRs or place them in the merge queue. ```yaml pull_request_rules: - name: Automatically merge Dependabot PRs conditions: - author = dependabot[bot] actions: merge: # Or use queue: to use the merge queue ``` ### 2. PR Approval If you have GitHub's branch protection set up to require approvals, you can use Mergify to automatically approve Dependabot PRs. ```yaml pull_request_rules: - name: Automatically approve Dependabot PRs conditions: - author = dependabot[bot] actions: review: type: APPROVE ``` ## Filtering Dependabot PRs Dependabot provides specific labels for the type of dependency update, such as `dependabot-dependency-name`, `dependabot-dependency-type`, and `dependabot-update-type`. You can use these labels in your Mergify rules to filter which Dependabot PRs to auto-merge. For instance, you might only want to auto-merge minor version bumps: ```yaml pull_request_rules: - name: Auto merge minor version bumps conditions: - author = dependabot[bot] - dependabot-update-type = version-update:semver-minor actions: queue: method: merge ``` ## Batching Dependency Updates For projects where there are frequent updates to a large number of small libraries, it's efficient to batch these updates together. Using Mergify's merge queue feature, you can automatically batch and test these updates together, reducing CI load and ensuring compatibility. For example, you could set up a merge queue to batch those PRs 10 by 10: ```yaml queue_rules: # If you have other queue rules defined, add this at the end so it is processed last - name: dep-update batch_size: 10 # Wait for up to 30 minutes for the batch to fill up batch_max_wait_time: 30 min queue_conditions: - author = dependabot[bot] pull_request_rules: - name: Automatically queue Dependabot PRs conditions: - author = dependabot[bot] actions: queue: ``` ## Disable Dependabot's Automatic Rebase By default, Dependabot will try to rebase its pull requests every time there's a new commit to the main branch. In high-velocity projects with a lot of update, this can lead to unnecessary CI runs. It's recommended to disable Dependabot's automatic rebase feature and instead rely on Mergify to queue and merge these updates efficiently. To disable automatic rebasing in Dependabot, use the [`rebase-strategy`](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#rebase-strategy) settings and turn off automatic rebase. ```yaml version: 2 updates: - package-ecosystem: "npm" directory: "/" schedule: interval: "weekly" # Disable rebasing for npm pull requests rebase-strategy: "disabled" ``` With Mergify and Dependabot working together, you can ensure your project's dependencies are always up-to-date with minimal effort, ensuring a smooth and efficient update process.