Actions를 통한 Dependabot 자동화

누가 이 기능을 사용할 수 있나요?

쓰기 권한이 있는 사용자

이 문서의 내용

참고 항목

This article explains how to automate Dependabot-related tasks using Actions. For more information about running Dependabot updates using Actions, see About Dependabot on Actions runners instead.

You can use Actions to perform automated tasks when Dependabot creates pull requests to update dependencies. You may find this useful if you want to:

  • Ensure that Dependabot pull requests (version updates and security updates) are created with the right data for your work processes, including labels, names, and reviewers.

  • Trigger workflows to send Dependabot pull requests (version updates and security updates) into your review process or to merge automatically.

중요

If Dependabot is enabled for a repository, it will always run on Actions, bypassing both Actions policy checks and disablement at the repository or organization level. This ensures that security and version update workflows always run when Dependabot is enabled.

Dependabot creates pull requests to keep your dependencies up to date. You can use Actions to perform automated tasks when these pull requests are created. For example, fetch additional artifacts, add labels, run tests, or otherwise modify the pull request.

Dependabot is able to trigger Actions workflows on its pull requests and comments; however, certain events are treated differently. For more information, see Troubleshooting Dependabot on Actions.

Here are several common scenarios for pull requests that can be automated using Actions.

Most automation requires you to know information about the contents of the pull request: what the dependency name was, if it's a production dependency, and if it's a major, minor, or update. You can use an action to retrieve information about the dependencies being updated by a pull request generated by Dependabot.

Example:

YAML
name: Dependabot fetch metadata
on: pull_request

permissions:
  pull-requests: write
  issues: write

jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: .event.pull_request.user.login == 'dependabot[bot]' && .repository == 'owner/my_repo'
    steps:
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@d7267f607e9d3fb96fc2fbe83e0af444713e90b7
        with:
          -token: "${{ secrets._TOKEN }}"
      # The following properties are now available:
      #  - steps.metadata.outputs.dependency-names
      #  - steps.metadata.outputs.dependency-type
      #  - steps.metadata.outputs.update-type

For more information, see the dependabot/fetch-metadata repository.

If you have other automation or triage workflows based on labels, you can configure an action to assign labels based on the metadata provided.

Example that flags all production dependency updates with a label:

YAML
name: Dependabot auto-label
on: pull_request

permissions:
  pull-requests: write
  issues: write

jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: .event.pull_request.user.login == 'dependabot[bot]' && .repository == 'owner/my_repo'
    steps:
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@d7267f607e9d3fb96fc2fbe83e0af444713e90b7
        with:
          -token: "${{ secrets._TOKEN }}"
      - name: Add a label for all production dependencies
        if: steps.metadata.outputs.dependency-type == 'direct:production'
        run: gh pr edit "$PR_URL" --add-label "production"
        env:
          PR_URL: ${{.event.pull_request.html_url}}

You can automatically approve Dependabot pull requests by using the CLI in a workflow.

Example:

YAML
name: Dependabot auto-approve
on: pull_request

permissions:
  pull-requests: write

jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: .event.pull_request.user.login == 'dependabot[bot]' && .repository == 'owner/my_repo'
    steps:
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@d7267f607e9d3fb96fc2fbe83e0af444713e90b7
        with:
          -token: "${{ secrets._TOKEN }}"
      - name: Approve a PR
        run: gh pr review --approve "$PR_URL"
        env:
          PR_URL: ${{.event.pull_request.html_url}}
          GH_TOKEN: ${{secrets._TOKEN}}

If you want to allow maintainers to mark certain pull requests for automerge, you can use 's automerge functionality. This enables the pull request to be merged when any tests and approvals required by the branch protection rules are successfully met.

For more information, see Automatically merging a pull request and Managing a branch protection rule.

You can instead use Actions and the CLI. Here is an example that automerges all updates to my-dependency:

YAML
name: Dependabot auto-merge
on: pull_request

permissions:
  contents: write
  pull-requests: write

jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: .event.pull_request.user.login == 'dependabot[bot]' && .repository == 'owner/my_repo'
    steps:
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@d7267f607e9d3fb96fc2fbe83e0af444713e90b7
        with:
          -token: "${{ secrets._TOKEN }}"
      - name: Enable auto-merge for Dependabot PRs
        if: contains(steps.metadata.outputs.dependency-names, 'my-dependency') && steps.metadata.outputs.update-type == 'version-update:semver-'
        run: gh pr merge --auto --merge "$PR_URL"
        env:
          PR_URL: ${{.event.pull_request.html_url}}
          GH_TOKEN: ${{secrets._TOKEN}}

참고 항목

If you use status checks to test pull requests, you should enable Require status checks to pass before merging for the target branch for Dependabot pull requests. This branch protection rule ensures that pull requests are not merged unless all the required status checks pass. For more information, see Managing a branch protection rule.

Normally, whether a workflow can run in a repository depends on Actions policy checks and whether Actions is enabled at the organization or repository level. These controls can restrict workflows from running—especially when external actions are blocked or Actions is disabled entirely.

However, when Dependabot is enabled for a repository, its workflows will always run on Actions, bypassing both Actions policy checks and disablement.

  • Dependabot workflows are not blocked by Actions disablement or enterprise policy restrictions.
  • The actions referenced within these workflows are also allowed to run, even if external actions are disallowed.

For more information, see About Dependabot on Actions runners.

If your workflow run fails, check the following:

  • You are running the workflow only when the correct actor triggers it.
  • You are checking out the correct ref for your pull_request.
  • Your secrets are available in Dependabot secrets rather than as Actions secrets.
  • You have a _TOKEN with the correct permissions.

For information on writing and debugging Actions, see Writing workflows.

For more tips to help resolve issues with workflows, see Troubleshooting Dependabot on Actions.