Hi there @ZebraFlesh – I love your name and av =D

So you should just be able to add Dependabot Preview to the list of users who are allowed to push (from the protected branch settings page). Note that I shamelessly cmd+c/cmd+v’d this:

<div class="github-info">
  <div class="date">
    opened <span class="discourse-local-date" data-format="ll" data-date="2019-09-19" data-time="02:03:30" data-timezone="UTC">02:03AM - 19 Sep 19 UTC</span>
  </div>

    <div class="date">
      closed <span class="discourse-local-date" data-format="ll" data-date="2019-09-20" data-time="07:39:15" data-timezone="UTC">07:39AM - 20 Sep 19 UTC</span>
    </div>

  <div class="user">
    <a href="https://github.com/rtpg" target="_blank" rel="noopener">
      <img alt="rtpg" src="https://user-images.githubusercontent.com/62281706/181080645-45fa7858-9234-4757-9bbc-90c3638ecd82.jpeg" class="onebox-avatar-inline" width="20" height="20">
      rtpg
    </a>
  </div>
</div>

Can you let us know if you’re running into any particular issue in adding the bot to your protected branch’s settings?

The dependabot-preview user is already allowed to push to the protected branch. However, this PR is from the dependabot user (AKA GitHub-native Dependabot). Searching for dependabot in the list of users to add to the branch protection yields a single result of dependabot-preview.

Hey @ZebraFlesh I’m so sorry. I now realize I’m totally looking at outdated information and the post I linked to is not at all relevant anymore. Also, you straight up said you had the preview added as a privileged user to your branch. Yikes; not my best…

I think there is more information that will be helpful, though.

Is this a public repo? If so, got a link? If not, no worries!

Though the main difference is that the preview had a user that was required to have privileges. With the released Dependabot, it’s managed in the platform itself and there’s no user to add to your repositories.

Dependabot features are located in /{owner}/{repo}/settings/security_analysis.

I really hope this is more helpful than my first response! 🤞

This is a private repo. There doesn’t seem to be a setting in /settings/security_analysis that would allow me to grant access to protected branches.

Thanks, but that still doesn’t answer my initial question: how to get a v2 @dependabot merge command to succeed against a protected branch. Whether or not I’m using GitHub Actions is orthogonal to this problem: Dependabot cannot execute the command (via a PR comment) and merge to the protected branch. The comment which you highlighted is how to automate making the PR comment, but it would still fail to merge for me because of branch protections.

I’ll have to agree with @ZebraFlesh. Using an action to tell dependabot to merge is not a solution to the issue here.
In fact, I’m already doing this for all of my repos, but this fails for those which have a protected master branch. In this case, dependabot fails with the following error:

You're not authorized to push to this branch. Visit https://docs.github.com/articles/about-protected-branches/ for more information.

It is also not a solution to automate the merge ourselves, because dependabot takes care of auto-updating the PRs if there is a conflict with the target branch.