Auto-Merge PRs

Dependabot PRs are high volume and low judgment. When CI passes, they usually just need someone to click merge. This feature lets the bot do that for you, but only for PRs whose author you’ve explicitly allow-listed.

The feature is off by default and must be enabled per repo (or per org).

What it does

When a check suite completes successfully on a PR, the bot checks whether it should merge it. It will only merge a PR when all of these hold:

The feature is enabled on the repo (or inherited from the org config).
The PR’s author is in the allow-list. Default: dependabot[bot].
The PR is open and not in draft.
The PR head lives on the same repository (no forks).
GitHub reports the PR as mergeable and not in a blocked, dirty, or behind state.
Every check run on the PR head SHA is completed and passing.
The merge does not violate branch protection.

Any unmet condition is a silent skip. The bot doesn’t comment. The PR sits as it would have without the feature.

Configuration

The feature is configured through the autoMergePRs field on the repo or org config:

{
  "autoMergePRs": {
    "enabled": true,
    "strategy": "squash",
    "allowedAuthors": ["dependabot[bot]"],
    "autoApprove": false
  }
}

Field	Type	Description
`enabled`	bool	Master switch. `false` disables the feature even if the rest is set.
`strategy`	`"merge"` \| `"squash"` \| `"rebase"`	GitHub merge strategy.
`allowedAuthors`	string[] (optional)	GitHub logins eligible for auto-merge. Defaults to `["dependabot[bot]"]`. Matching is case-insensitive. Choose additional entries carefully — any author listed here can ship a merge without human review whenever CI is green.
`autoApprove`	bool (optional)	When `true`, the bot posts an approving review on the PR head SHA before merging. Defaults to `false`.

There’s no dashboard widget for this in v1. Edit the config via the JSON editor or directly in Firestore.

Auto-approve

If your repo’s branch protection requires N approvals, the merge will fail until someone clicks approve. Turning on autoApprove lets the bot stamp the approval automatically. The bot only approves when every check is green, so the approval gate sits behind the same wall as the merge itself.

The bot will not double-approve. If it has already posted an APPROVED review for the current head SHA, it skips straight to the merge.

PRs the bot will not auto-merge

Draft PRs.
PRs from forks.
PRs whose author is not in the allow-list.
PRs with mergeable: false, or mergeable_state of blocked, dirty, or behind.
PRs where any check run on the head SHA failed or is still running.
PRs where GitHub refuses the merge (branch protection, missing required check, code-owner gate).

Each of these results in a silent skip. The next time CI completes on the same PR, the bot re-evaluates.

Known limitations

CI reporting: the bot reads check status via the Check Runs API. Repos that report CI exclusively via the legacy commit-status API (some self-hosted CI systems) will look as if they have no checks and the bot will skip every PR. If you’re not sure which one your CI uses, look at the PR’s “Checks” tab — if entries appear there, you’re on Check Runs.
Too many checks on one SHA: if a single commit has more than 100 check runs, the bot skips the PR rather than risk merging on a partial view. The feature is meant for simple setups; a build matrix that wide should make per-PR decisions.