We use dependabot to manage our dependencies. We have automerge rules set up with dependabot to merge patch level changes and security fixes. I’ve also enabled protected branches and required the bors status check to be good before merging, therefore only allowing bors to merge.

The combination of these two things means that dependabot cannot automerge. I’d like to have dependabot automerge (preferably via bors) while stll allowing the protected branches so that devs are encouraged to bors r+ to merge and can’t do it via the github UI.

Has this been done before? Is there a good way to do this? I’ve considered writing some automation to auto respond to dependabot PRs that should automerge with bors r+, but that feels hacky.

Any ideas? Thanks!

I worked a bit with Renovate, another dependency management tool, to support bors automerging. Renovate already had the concept of multiple merge strategies. They added a new strategy that simply leaves a comment to merge the PR, and it can be configured to says “bors r+”. This is a little awkward, but it allowed the two tools to work together well.

Thanks, I’m trying out Renovate now. It seems a lot more full-featured than dependabot. I’m curious to see what Github will do with dependabot now that it has acquired it…