Sample Prompt
Add an auto-merge workflow to every repo that uses Dependabot or Renovate so safe
dependency updates merge themselves when CI passes.

For each repository:
1. Detect Dependabot (`.github/dependabot.yml`) or Renovate (`renovate.json`,
   `.github/renovate.json`). Skip repos that use neither.
2. Create `.github/workflows/auto-merge.yml` that:
   - Triggers on `pull_request_target`
   - Runs only when the PR actor is `dependabot[bot]` or `renovate[bot]`
   - Uses `dependabot/fetch-metadata@v2` (or Renovate equivalent) to read update type
   - Auto-approves and runs `gh pr merge --auto --squash` only when update type is
     `version-update:semver-patch` or `version-update:semver-minor`
   - Has `contents: write` and `pull-requests: write` permissions
3. Exclude PRs that touch anything outside lock files (`go.sum`, `package-lock.json`,
   `yarn.lock`, `Gemfile.lock`, `poetry.lock`).
4. Skip repos that already have an auto-merge workflow.
5. In the PR body, document the required branch protection settings: "Allow auto-merge"
   and required status checks; these must be configured out-of-band.

The Problem

Dependency-update PRs are a tax. Most are safe patch and minor bumps that pass CI on the first run, but they still demand a human click. Multiply by hundreds of repos and the queue becomes a permanent backlog, ironically slowing the security posture the bot was supposed to improve.

Auto-merging on green CI for patch/minor bumps is a well-known fix, but adding the workflow and branch protection rules consistently across every repo is the slow part.

What Tidra Does

  1. Identifies repos using Dependabot or Renovate
  2. Adds .github/workflows/auto-merge.yml that auto-approves and squash-merges patch/minor PRs once required checks pass
  3. Documents the branch protection rule the repo needs (required status checks + allow auto-merge)
  4. Excludes major version bumps and any PRs touching files outside a configurable allow-list (go.sum, package-lock.json only)
  5. Opens one PR per repo and links to the auto-merge policy doc
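
A workflow matching the steps above, as an added example rather than Tidra's generated file. It covers Dependabot only and gates on the PR author login rather than the event actor (a choice made here); the step ids `meta` and `paths` are names chosen for this example.

```yaml
# Added example, not Tidra's output. Assumes Dependabot and a GitHub-hosted runner.
name: auto-merge
on: pull_request_target   # runs in the base repo's context with a write-capable token

permissions:
  contents: write
  pull-requests: write

jobs:
  auto-merge:
    runs-on: ubuntu-latest
    # Gate on who opened the PR, so a human re-triggering the event does not change the result.
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    env:
      PR_URL: ${{ github.event.pull_request.html_url }}
      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      # No actions/checkout step: PR content is never checked out or executed here.
      - name: Read update type
        id: meta
        uses: dependabot/fetch-metadata@v2

      - name: Check that only lock files changed
        id: paths
        run: |
          # Fail closed: an API error or an empty file list must not pass the gate.
          files=$(gh pr diff "$PR_URL" --name-only)
          [ -n "$files" ] || exit 1
          # Keep only paths whose basename is NOT an allow-listed lock file.
          outside=$(printf '%s\n' "$files" \
            | grep -Ev '(^|/)(go\.sum|package-lock\.json|yarn\.lock|Gemfile\.lock|poetry\.lock)$' || true)
          if [ -z "$outside" ]; then
            echo "ok=true" >> "$GITHUB_OUTPUT"
          else
            echo "ok=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Approve and enable auto-merge
        if: >-
          steps.paths.outputs.ok == 'true' &&
          (steps.meta.outputs.update-type == 'version-update:semver-patch' ||
           steps.meta.outputs.update-type == 'version-update:semver-minor')
        run: |
          gh pr review --approve "$PR_URL"
          gh pr merge --auto --squash "$PR_URL"
```

`gh pr merge --auto` only waits for CI when the branch has required status checks and the repo has "Allow auto-merge" enabled. Approving with `GITHUB_TOKEN` also requires the repository setting that lets GitHub Actions create and approve pull requests.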

Customization Tips

  • Bump scope: Patch-only or patch+minor? Production repos sometimes want patch-only. Configure in the prompt.
  • Path allow-list: Restrict auto-merge to PRs that only touch lock files for an extra safety margin.
  • Branch protection: Branch protection changes are out-of-band. Tidra documents the rule but doesn’t modify GitHub settings.
