Automatic merge of GitHub security fixes

A few days ago, GitHub announced the release of a new tool to enhance security in your project. GitHub has been providing security vulnerabilities alerts for a while now. Whenever a library your project depends on has a security issue, you are notified.

However, as GitHub indicates, “industry data shows that more than 70 percent of vulnerabilities remain unpatched after 30 days”. Which isn’t good.

As GitHub acquired Dependabot, it will now create pull requests with the dependency update that your project needs in order to get secure.

A pull request created by Dependabot

You can enable this feature in the Security tab of your project:

Automatically Merging Security Pull Requests

While receiving automatic pull requests will help improving your project safety, those changes still need to be merged to be effective.

There’s no reason to manually review those changes. If they pass your automated test suite and CI system, they should just be merged.

This is where Mergify helps. Just add a pull request rule in your .mergify.yml file and be done with it:

pull_request_rules:
- name: automatic merge for Dependabot pull requests
conditions:
- author=dependabot[bot]
- status-success=Travis CI - Pull Request
actions:
merge:
method: merge

The status-success value should be replaced by whatever the name of your CI check is — Travis, CircleCI, Azure Pipelines, etc. You could add some more conditions if you want, just check out our documentation if you want to tweak this rule more.

With this new GitHub tool and Mergify, you don’t have to worry anymore about security issues. And if you’re doing continuous deployment, you’ll get those fixes in production without lifting a finger!