Merge a PR with multiple updates when version constraints are met #740

@haoliangyu

Prerequisites

  • I have written a descriptive issue title
  • I have searched existing issues to ensure the feature has not already been requested

🚀 Feature Proposal

Sometimes Dependabot may find that updating a dependency requires updating other ambient dependencies. For example, it can submit a PR with the title "Bump qs, body-parser and express" and the change details:

Bumps [qs](https://github.com/ljharb/qs), [body-parser](https://github.com/expressjs/body-parser) and [express](https://github.com/expressjs/express). These dependencies needed to be updated together.
Updates qs from 6.13.0 to 6.14.1

Updates body-parser from 1.20.3 to 1.20.4

Updates express from 4.21.2 to 4.22.1

These updates are all minor version updates. I expect the action can automatically merge the PR when it is configured to allow minor version updates.

Here is the workflow example

name: main

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
  workflow_dispatch:

jobs:
  unit-test:
    # (job body omitted here)

  automerge-dependabot-pr:
    if: ${{ github.event_name == 'pull_request' }}
    needs:
      - unit-test
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
      contents: write
    steps:
      - uses: fastify/github-action-merge-dependabot@v3
        with:
          target: minor

and the workflow log looks like

2026-01-01T14:05:02.4397247Z Current runner version: '2.330.0'
2026-01-01T14:05:02.4405356Z Runner name: 'my-runnner'
2026-01-01T14:05:02.4406363Z Runner group name: 'my-runner-group'
2026-01-01T14:05:02.4407512Z Machine name: 'my-runner'
2026-01-01T14:05:02.4411293Z ##[group]GITHUB_TOKEN Permissions
2026-01-01T14:05:02.4413900Z Contents: write
2026-01-01T14:05:02.4414545Z Metadata: read
2026-01-01T14:05:02.4415150Z PullRequests: write
2026-01-01T14:05:02.4415759Z ##[endgroup]
2026-01-01T14:05:02.4418258Z Secret source: Dependabot
2026-01-01T14:05:02.4419079Z Prepare workflow directory
2026-01-01T14:05:02.4822614Z Prepare all required actions
2026-01-01T14:05:02.4858989Z Getting action download info
2026-01-01T14:05:02.7015396Z Download action repository 'fastify/github-action-merge-dependabot@v3' (SHA:1b2ed42db8f9d81a46bac83adedfc03eb5149dff)
2026-01-01T14:05:03.0520717Z Getting action download info
2026-01-01T14:05:03.1932985Z Download action repository 'dependabot/fetch-metadata@v2' (SHA:08eff52bf64351f401fb50d4972fa95b9f2c2d1b)
2026-01-01T14:05:03.4222693Z Download action repository 'actions/github-script@v8' (SHA:ed597411d8f924073f98dfc5c65a23a2325f34cd)
2026-01-01T14:05:03.7066609Z Complete job name: automerge-dependabot-pr
2026-01-01T14:05:03.7683996Z ##[group]Run fastify/github-action-merge-dependabot@v3
2026-01-01T14:05:03.7685014Z with:
2026-01-01T14:05:03.7685397Z   target: minor
2026-01-01T14:05:03.7686008Z   github-token: ***
2026-01-01T14:05:03.7686425Z   approve-only: false
2026-01-01T14:05:03.7686950Z   merge-method: squash
2026-01-01T14:05:03.7687373Z   use-github-auto-merge: false
2026-01-01T14:05:03.7687838Z   skip-commit-verification: false
2026-01-01T14:05:03.7688308Z   skip-verification: false
2026-01-01T14:05:03.7688991Z ##[endgroup]
2026-01-01T14:05:03.7863575Z ##[group]Run dependabot/fetch-metadata@v2
2026-01-01T14:05:03.7864420Z with:
2026-01-01T14:05:03.7865042Z   skip-commit-verification: false
2026-01-01T14:05:03.7865817Z   skip-verification: false
2026-01-01T14:05:03.7866778Z   github-token: ***
2026-01-01T14:05:03.7867416Z ##[endgroup]
2026-01-01T14:05:04.1063870Z Parsing Dependabot metadata
2026-01-01T14:05:04.1139871Z ##[group]Outputting metadata for 3 updated dependencies
2026-01-01T14:05:04.1141660Z outputs.dependency-names: qs, body-parser, express
2026-01-01T14:05:04.1142832Z outputs.dependency-type: indirect
2026-01-01T14:05:04.1143800Z outputs.update-type: null
2026-01-01T14:05:04.1144663Z outputs.directory: /
2026-01-01T14:05:04.1145437Z outputs.package-ecosystem: npm_and_yarn
2026-01-01T14:05:04.1146268Z outputs.target-branch: main
2026-01-01T14:05:04.1147004Z outputs.previous-version: 
2026-01-01T14:05:04.1147722Z outputs.new-version: 
2026-01-01T14:05:04.1148399Z outputs.compatibility-score: 0
2026-01-01T14:05:04.1149157Z outputs.maintainer-changes: false
2026-01-01T14:05:04.1149949Z outputs.dependency-group: 
2026-01-01T14:05:04.1150641Z outputs.alert-state: 
2026-01-01T14:05:04.1151295Z outputs.ghsa-id: 
2026-01-01T14:05:04.1151947Z outputs.cvss: 0
2026-01-01T14:05:04.1153253Z ##[endgroup]
2026-01-01T14:05:04.1457357Z ##[group]Run actions/github-script@v8
2026-01-01T14:05:04.1458436Z with:
2026-01-01T14:05:04.1459602Z   github-token: ***
2026-01-01T14:05:04.1468503Z   script: const { ACTION_PATH, UPDATE_TYPE, DEPENDENCY_TYPE, DEPENDENCY_NAMES } = process.env
const script = require(ACTION_PATH + '/dist/index.js')
await script({
  github,
  context,
  inputs: {
  "target": "minor",
  "github-token": "***",
  "exclude": "",
  "approve-only": "false",
  "merge-method": "squash",
  "merge-comment": "",
  "use-github-auto-merge": "false",
  "target-development": "",
  "target-production": "",
  "target-indirect": "",
  "pr-number": "",
  "skip-commit-verification": "false",
  "skip-verification": "false"
},
  dependabotMetadata: {
    updateType:  UPDATE_TYPE,
    dependencyType: DEPENDENCY_TYPE,
    dependencyNames: DEPENDENCY_NAMES,
  }
})

2026-01-01T14:05:04.1476560Z   debug: false
2026-01-01T14:05:04.1477329Z   user-agent: actions/github-script
2026-01-01T14:05:04.1478653Z   result-encoding: json
2026-01-01T14:05:04.1479451Z   retries: 0
2026-01-01T14:05:04.1480278Z   retry-exempt-status-codes: 400,401,403,404,422
2026-01-01T14:05:04.1481344Z env:
2026-01-01T14:05:04.1482554Z   ACTION_PATH: /home/runner/_work/_actions/fastify/github-action-merge-dependabot/v3
2026-01-01T14:05:04.1484113Z   UPDATE_TYPE: 
2026-01-01T14:05:04.1484872Z   DEPENDENCY_TYPE: indirect
2026-01-01T14:05:04.1485822Z   DEPENDENCY_NAMES: qs, body-parser, express
2026-01-01T14:05:04.1487008Z ##[endgroup]
2026-01-01T14:05:04.4685584Z ##[warning]Semver bump '' is invalid!
2026-01-01T14:05:04.4972766Z Cleaning up orphan processes

Note that the action works perfectly for PRs with a single package update, but not multiple.

Motivation

No response

Example

No response
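
The log above shows `update-type` coming back empty for a multi-dependency PR, which the action rejects with `Semver bump '' is invalid!`. The following is an added example, not code from the issue author or from fastify/github-action-merge-dependabot: it derives the highest bump from the `Updates <name> from <old> to <new>` lines of the PR body and refuses the merge whenever a listed dependency is missing or cannot be classified. The function names and the sample body (constructed from the text quoted in the issue) are assumptions.

```javascript
// Added example; all function names here are hypothetical.
const ORDER = ['patch', 'minor', 'major'];

// Sample PR body, constructed from the update lines quoted in the issue.
const SAMPLE_BODY = [
  'Updates qs from 6.13.0 to 6.14.1',
  'Updates body-parser from 1.20.3 to 1.20.4',
  'Updates express from 4.21.2 to 4.22.1',
].join('\n');

// Strict x.y.z only; prerelease or build suffixes are treated as unparsable.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

// Classify one update; null for unparsable versions, no-ops and downgrades.
function bumpType(from, to) {
  const a = parseVersion(from), b = parseVersion(to);
  if (!a || !b) return null;
  const i = a.findIndex((n, k) => n !== b[k]);
  if (i === -1 || b[i] < a[i]) return null;
  return ['major', 'minor', 'patch'][i];
}

// Extract every "Updates <name> from <old> to <new>" line (backticks optional).
function parseUpdates(body) {
  const re = /^Updates `?([^\s`]+)`? from (\S+) to (\S+)[ \t]*$/gm;
  return [...body.matchAll(re)].map(([, name, from, to]) => ({ name, from, to }));
}

// Gate for the whole PR: ok only if every expected dependency was found,
// every bump could be classified, and the highest bump is within `target`.
function withinTarget(body, expectedNames, target) {
  const limit = ORDER.indexOf(target);
  const updates = parseUpdates(body);
  if (limit === -1) return { ok: false, reason: 'invalid target' };
  if (updates.length === 0) return { ok: false, reason: 'no updates found' };
  const seen = new Set(updates.map((u) => u.name));
  const missing = expectedNames.find((n) => !seen.has(n));
  if (missing) return { ok: false, reason: `missing ${missing}` };
  let highest = 0;
  for (const u of updates) {
    const t = bumpType(u.from, u.to);
    if (t === null) return { ok: false, reason: `cannot classify ${u.name}` };
    highest = Math.max(highest, ORDER.indexOf(t));
  }
  return { ok: highest <= limit, highest: ORDER[highest] };
}
```

`expectedNames` would come from the `dependency-names` output shown in the log, so a body that omits one of the listed packages is rejected rather than merged on partial information.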
