Auto approve and merge Dependabot PRs
This guide includes one or more steps that require integration with GitHub.
Port supports two GitHub integrations:
- GitHub (Legacy) - uses a GitHub app, which is soon to be deprecated.
- GitHub (Ocean) - uses the Ocean framework, recommended for new integrations.
Both integration options are presented in this guide. Choose the one that fits your needs.
This guide demonstrates how to set up an automation in Port that approves GitHub pull requests created by Dependabot. By doing so, engineering teams can effortlessly keep dependencies up to date and quickly apply security patches without manual overhead.
Prerequisites
This guide assumes the following:
- You have a Port account and have completed the onboarding process.
- GitHub (Legacy): Port's GitHub app is installed in your account.
- GitHub (Ocean): GitHub Ocean integration is installed.
Set up automation
Once the GitHub pull request entities are synced to your catalog, you can configure an automation in Port that triggers a GitHub workflow to approve and merge the pull request.
This setup involves two parts:
- Defining the automation in Port.
- Creating the GitHub workflow.
Define automation backend
- Go to the Automations page in your portal.
- Click on the + Automation button.
- Copy and paste the following JSON configuration into the editor:

GitHub (Legacy): Auto merge and approve PR automation

Replace placeholders: Make sure to replace <GITHUB_ORG> and <GITHUB_REPO> with the actual organization and repository where your approve-and-merge-dependabot-pr.yaml workflow resides.

```json
{
  "identifier": "approveAndMergeDependabotPR",
  "title": "Approve and Merge Dependabot PR",
  "description": "Automation to approve and merge dependabot pull requests",
  "trigger": {
    "type": "automation",
    "event": {
      "type": "ENTITY_UPDATED",
      "blueprintIdentifier": "githubPullRequest"
    },
    "condition": {
      "type": "JQ",
      "expressions": [
        ".diff.after.properties.creator | test(\"dependabot\") == true",
        ".diff.after.properties.status != \"merged\""
      ],
      "combinator": "and"
    }
  },
  "invocationMethod": {
    "type": "GITHUB",
    "org": "<GITHUB_ORG>",
    "repo": "<GITHUB_REPO>",
    "workflow": "approve-and-merge-dependabot-pr.yaml",
    "workflowInputs": {
      "prNumber": "{{ .event.diff.after.properties.prNumber | tostring }}",
      "repository": "{{ .event.diff.after.relations.repository }}",
      "runID": "{{ .run.id }}"
    },
    "reportWorkflowStatus": true
  },
  "publish": true
}
```

GitHub (Ocean): Auto merge and approve PR automation

Replace placeholders: Make sure to replace <YOUR_GITHUB_OCEAN_INTEGRATION_ID>, <GITHUB_ORG>, and <GITHUB_REPO> with your GitHub Ocean integration installation ID and the organization and repository where your approve-and-merge-dependabot-pr.yaml workflow resides.

```json
{
  "identifier": "approveAndMergeDependabotPR",
  "title": "Approve and Merge Dependabot PR",
  "description": "Automation to approve and merge dependabot pull requests",
  "trigger": {
    "type": "automation",
    "event": {
      "type": "ENTITY_UPDATED",
      "blueprintIdentifier": "githubPullRequest"
    },
    "condition": {
      "type": "JQ",
      "expressions": [
        ".diff.after.properties.creator | test(\"dependabot\") == true",
        ".diff.after.properties.status != \"merged\""
      ],
      "combinator": "and"
    }
  },
  "invocationMethod": {
    "type": "INTEGRATION_ACTION",
    "installationId": "<YOUR_GITHUB_OCEAN_INTEGRATION_ID>",
    "integrationActionType": "dispatch_workflow",
    "integrationActionExecutionProperties": {
      "org": "<GITHUB_ORG>",
      "repo": "<GITHUB_REPO>",
      "workflow": "approve-and-merge-dependabot-pr.yaml",
      "workflowInputs": {
        "prNumber": "{{ .event.diff.after.properties.prNumber | tostring }}",
        "repository": "{{ .event.diff.after.relations.repository }}",
        "runID": "{{ .run.id }}"
      },
      "reportWorkflowStatus": true
    }
  },
  "publish": true
}
```

- Click Save.
Create the GitHub workflow
We will now define the GitHub Actions workflow that processes the input and executes the necessary steps to achieve the desired outcome.
We recommend creating a dedicated repository for the workflows that are used by Port actions.
In your dedicated workflow repository, ensure you have a .github/workflows directory.
- Create a new file named approve-and-merge-dependabot-pr.yaml.
- Copy and paste the following workflow configuration:

Approve and merge Dependabot PR workflow

```yaml
name: Auto-Approve & Merge Dependabot PR

on:
  workflow_dispatch:
    inputs:
      prNumber:
        required: true
        type: string
      repository:
        required: true
        type: string
      runID:
        required: true
        type: string

jobs:
  approve_and_merge:
    runs-on: ubuntu-latest
    env:
      GH_TOKEN: ${{ secrets.MY_GITHUB_TOKEN }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Fetch Port Access Token
        id: fetch_port_token
        run: |
          PORT_ACCESS_TOKEN=$(curl -s -L 'https://api.port.io/v1/auth/access_token' \
            -H 'Content-Type: application/json' \
            -H 'Accept: application/json' \
            -d '{
              "clientId": "${{ secrets.PORT_CLIENT_ID }}",
              "clientSecret": "${{ secrets.PORT_CLIENT_SECRET }}"
            }' | jq -r '.accessToken')
          # Values written to GITHUB_ENV are not masked automatically; mask the token in logs.
          echo "::add-mask::$PORT_ACCESS_TOKEN"
          echo "PORT_ACCESS_TOKEN=$PORT_ACCESS_TOKEN" >> "$GITHUB_ENV"

      - name: Extract PR Info
        id: pr_info
        # Pass dispatch inputs through env instead of expanding ${{ }} inside the
        # script, so their contents are never parsed as shell code.
        env:
          INPUT_REPOSITORY: ${{ github.event.inputs.repository }}
          INPUT_PR_NUMBER: ${{ github.event.inputs.prNumber }}
        run: |
          repo="$INPUT_REPOSITORY"
          # Keep only the trailing digits of the PR number input.
          pr_number=$(echo "$INPUT_PR_NUMBER" | grep -o '[0-9]\+$')
          echo "repo=$repo" >> "$GITHUB_ENV"
          echo "pr_number=$pr_number" >> "$GITHUB_ENV"

      - name: Approve Pull Request
        run: |
          echo "✅ Approving PR #$pr_number in $repo"
          curl -s -X POST \
            -H "Authorization: Bearer $GH_TOKEN" \
            -H "Accept: application/vnd.github+json" \
            "https://api.github.com/repos/${{ github.repository_owner }}/$repo/pulls/$pr_number/reviews" \
            -d '{"event":"APPROVE"}'

      - name: Ensure "approved-dependabot" label exists
        run: |
          label_name="approved-dependabot"
          label_color="2cbe4e"
          echo "🏷️ Ensuring label '$label_name' exists..."
          # 201 = label created, 422 = label already exists.
          curl -s -o /dev/null -w "%{http_code}" -X POST \
            "https://api.github.com/repos/${{ github.repository_owner }}/$repo/labels" \
            -H "Authorization: Bearer $GH_TOKEN" \
            -H "Accept: application/vnd.github+json" \
            -d "{\"name\": \"$label_name\", \"color\": \"$label_color\"}" | grep -qE "201|422"

      - name: Apply Label to PR
        run: |
          echo "🏷️ Applying label to PR #$pr_number..."
          curl -s -X POST \
            "https://api.github.com/repos/${{ github.repository_owner }}/$repo/issues/$pr_number/labels" \
            -H "Authorization: Bearer $GH_TOKEN" \
            -H "Accept: application/vnd.github+json" \
            -d '{"labels": ["approved-dependabot"]}'

      - name: Check PR Mergeability
        id: check_merge
        run: |
          echo "🔍 Checking mergeability for PR #$pr_number"
          pr_response=$(curl -s -H "Authorization: Bearer $GH_TOKEN" \
            "https://api.github.com/repos/${{ github.repository_owner }}/$repo/pulls/$pr_number")
          mergeable_state=$(echo "$pr_response" | jq -r '.mergeable_state')
          echo "mergeable_state=$mergeable_state" >> "$GITHUB_ENV"

      - name: Merge PR (if mergeable)
        # Merge only when GitHub reports the PR as clean.
        if: env.mergeable_state == 'clean'
        id: merge_pr
        run: |
          echo "🚀 Merging PR #$pr_number"
          curl -s -X PUT \
            -H "Authorization: Bearer $GH_TOKEN" \
            -H "Accept: application/vnd.github+json" \
            "https://api.github.com/repos/${{ github.repository_owner }}/$repo/pulls/$pr_number/merge" \
            -d '{"merge_method":"squash"}'

      - name: Update Port action status
        if: always()
        env:
          PORT_RUN_ID: ${{ github.event.inputs.runID }}
        run: |
          if [ "${{ steps.merge_pr.outcome }}" == "failure" ]; then
            STATUS="FAILURE"
          else
            STATUS="SUCCESS"
          fi
          curl -L -X PATCH "https://api.port.io/v1/actions/runs/$PORT_RUN_ID" \
            -H "Content-Type: application/json" \
            -H "Accept: application/json" \
            -H "Authorization: Bearer ${{ env.PORT_ACCESS_TOKEN }}" \
            -d '{
              "status": "'"$STATUS"'",
              "statusLabel": "'"$STATUS"'",
              "link": "'"${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"'",
              "summary": "Dependabot pull request approval and merge completed with status: '"$STATUS"'"
            }'
```

Required GitHub Secrets: For this workflow to function properly, you need to add the following secrets to your GitHub repository:
- PORT_CLIENT_ID: The client ID of your Port account.
- PORT_CLIENT_SECRET: The client secret of your Port account.
- MY_GITHUB_TOKEN: A fine-grained GitHub personal access token with Read and Write access to issues and pull requests across all repositories in your organization.

- Commit and push the changes to your repository.
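When a pull request created by Dependabot is updated, the automation is triggered automatically. The workflow approves the PR, labels it approved-dependabot, and squash-merges it if GitHub reports its mergeable state as clean. This ensures a seamless and secure update process.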
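The automation's JQ condition uses test("dependabot"), a regular-expression search that matches any creator name containing that string, and the workflow splices its repository and prNumber inputs into GitHub API URLs. The following gate is an added example, not part of Port's guide: it checks those values before the approve step runs. The function names and sample values are assumptions, and the author login and type are assumed to come from the `.user.login` and `.user.type` fields of the GitHub pull request API response.

```bash
#!/usr/bin/env sh
# Added example (hypothetical helper names): pre-approval gate for the
# approve-and-merge workflow's dispatch inputs and the PR author.

# Repository name must contain only characters valid in a GitHub repo name,
# so it cannot change the API path it is spliced into (no "/", no "..").
valid_repo() {
  case "$1" in
    ""|.|..) return 1 ;;
    *[!A-Za-z0-9._-]*) return 1 ;;
  esac
  [ "${#1}" -le 100 ]
}

# PR number must be a plain positive integer, nothing before or after it.
valid_pr_number() {
  case "$1" in
    ""|0*|*[!0-9]*) return 1 ;;
  esac
  [ "${#1}" -le 9 ]
}

# Exact match on the bot login and account type. User accounts cannot contain
# "[" or "]", so this rejects look-alikes that a substring match would accept.
is_dependabot() {
  [ "$1" = "dependabot[bot]" ] && [ "$2" = "Bot" ]
}

# Usage: gate_pr <repo> <pr_number> <author_login> <author_type>
gate_pr() {
  valid_repo "$1"         || { echo "reject: bad repository name"; return 1; }
  valid_pr_number "$2"    || { echo "reject: bad PR number"; return 1; }
  is_dependabot "$3" "$4" || { echo "reject: author is not Dependabot"; return 1; }
  echo "allow"
}

# Constructed sample inputs (not real repositories or accounts).
gate_pr "payments-api" "42" "dependabot[bot]" "Bot"
gate_pr "payments-api" "42" "dependabot-helper" "User" || true
gate_pr "../other-org/repo" "42" "dependabot[bot]" "Bot" || true
gate_pr "payments-api" "42/merge" "dependabot[bot]" "Bot" || true
```

In the workflow, a non-zero return from gate_pr would fail the step before any approval or merge request is sent.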