GitHub-native Dependabot can't merge to protected branch

I’m trying to migrate from dependabot-preview to the GitHub-native Dependabot. One issue I’m running into is branch protections: once a PR is ready to merge, I’ve tried issuing a @dependabot merge command. Unfortunately this runs into branch protection rules. With dependabot-preview, you could add the dependabot-preview app as an app with push access to the branch. However, I’m not seeing an equivalent app for GitHub-native Dependabot.

How can I get GitHub-native Dependabot to successfully execute the merge command against a protected branch?

Hi there @zebraflesh – I love your name and av =D

So you should just be able to add Dependabot Preview to the list of users who are allowed to push (from the protected branch settings page). Note that I shamelessly cmd+c/cmd+v’d this:

Can you let us know if you’re running into any particular issue in adding the bot to your protected branch’s settings?

The dependabot-preview user is already allowed to push to the protected branch. However, this PR is from the dependabot user (AKA GitHub-native Dependabot). Searching for dependabot in the list of users to add to the branch protection yields a single result of dependabot-preview.

Hey @zebraflesh I’m so sorry. I now realize I’m totally looking at outdated information and the post I linked to is not at all relevant anymore. Also, you straight up said you had the preview added as a privileged user to your branch. Yikes; not my best…

I think there is more information that will be helpful, though.

Is this a public repo? If so, got a link? If not, no worries!

Though the main difference is that the preview had a user that was required to have privileges. With the released Dependabot, it’s managed in the platform itself and there’s no user to add to your repositories.

Dependabot features are located in /{owner}/{repo}/settings/security_analysis.

I really hope this is more helpful than my first response! :crossed_fingers:

This is a private repo. There doesn’t seem to be a setting in /settings/security_analysis that would allow me to grant access to protected branches.

Hey @zebraflesh – after some more diggin’, it looks like auto-merges aren’t quite possible with Dependabot, as-is.

This issue discusses your options (use Actions) in more detail.

This comment outlines the steps to create an Actions workflow which leverages Dependabot and mentions the configuration required for private repos.

Thanks, but that still doesn’t answer my initial question: how to get a v2 @dependabot merge command to succeed against a protected branch. Whether or not I’m using GitHub Actions is orthogonal to this problem: Dependabot cannot execute the command (via a PR comment) and merge to the protected branch. The comment which you highlighted is how to automate making the PR comment, but it would still fail to merge for me because of branch protections.
