Update May 2026: Given there's an explosion of supply chain attacks recently, I decided to remove this workflow from my own repo, so leaving this post here, but more for historical purposes. Even with the recommendations from March 2026 below, I just don't feel comfortable atm letting these auto-merge.
Update March 2026: Given the Axios supply chain attack, revising this. It's still convenient to let dependabot merge on it's own if your CI/CD pipeline checks pass, but probably wiser to be a litte more cautious. I know socket.dev has a GitHub app you can install, and you can harden your npm dependency updates like we did at work.
Dependabot opens PRs automatically. That part most people have set up. But then those PRs just sit there until you get around to reviewing and merging them. I had 6 open across one of my repos recently. None of them were risky. I just didn't feel like giving a review and approving, then merging.
If your CI passes and the update is a patch or minor version bump, there's not much to review. You're going to merge it. So why not let it happen automatically?
I've added this to two repos now and it's one of those small things that quietly removes friction from your day.
First, enable auto-merge on your repo
Before the workflow can do anything, you need to allow auto-merge in your repository settings. Go to e.g. https://github.com/yourorg-username/your-repo/settings/actions and scroll down to the Pull Requests section, and check Allow auto-merge.
This isn't Dependabot-specific, but it is required for this to work. Without it, the gh pr merge --auto command in the workflow will fail. In fact this is what I do to automate using dev.to as a headless CMS for my blog!
The workflow
Create .github/workflows/auto-merge-dependabot.yml in your repo:
name: Auto-merge Dependabot PRs
on: pull_request
permissions:
contents: write
pull-requests: write
jobs:
auto-merge:
runs-on: ubuntu-latest
if: github.actor == 'dependabot[bot]'
steps:
- name: Approve PR
run: gh pr review --approve "$PR_URL"
env:
PR_URL: ${{ github.event.pull_request.html_url }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Enable auto-merge
run: gh pr merge --auto --squash "$PR_URL"
env:
PR_URL: ${{ github.event.pull_request.html_url }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
The if: github.actor == 'dependabot[bot]' condition makes sure this only runs on Dependabot PRs, not every PR that comes in.
The two steps do exactly what they say: approve the PR, then enable auto-merge with squash. GitHub handles the actual merge once all your required checks pass.
Here's an example of it not auto-merging after auto-approval because checks failed.
chore(deps-dev): bump eslint from 9.39.2 to 10.0.3
#809
![dependabot[bot] avatar](https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Favatars.githubusercontent.com%2Fin%2F29110%3Fv%3D4){kind=avatar}
Bumps eslint from 9.39.2 to 10.0.3.
Release notes
Sourced from eslint's releases.
e511b58fix: update eslint (#20595) (renovate[bot])f4c9cf9fix: include variable name inno-useless-assignmentmessage (#20581) (sethamus)ee9ff31fix: update dependency minimatch to ^10.2.4 (#20562) (Milos Djermanovic)
9fc31b0docs: Update README (GitHub Actions Bot)4efaa36docs: add info box foreslint-plugin-eslint-comments(#20570) (DesselBane)23b2759docs: add v10 migration guide link to Use docs index (#20577) (Pixel998)80259a9docs: Remove deprecated eslintrc documentation files (#20472) (Copilot)9b9b4badocs: fix typo in no-await-in-loop documentation (#20575) (Pixel998)e7d72a7docs: document TypeScript 5.3 minimum supported version (#20547) (sethamus)
ef8fb92chore: package.json update for eslint-config-eslint release (Jenkins)e8f2104chore: updates for v9.39.4 release (Jenkins)5cd1604refactor: simplify isCombiningCharacter helper (#20524) (Huáng Jùnliàng)70ff1d0chore: eslint-config-eslint require Node^20.19.0 || ^22.13.0 || >=24(#20586) (Milos Djermanovic)e32df71chore: update eslint-plugin-eslint-comments, remove legacy-peer-deps (#20576) (Milos Djermanovic)53ca6eechore: disableeslint-comments/no-unused-disablerule (#20578) (Milos Djermanovic)e121895ci: pin Node.js 25.6.1 (#20559) (Milos Djermanovic)efc5aefchore: updatetsconfig.jsonineslint-config-eslint(#20551) (Francesco Trotta)
13eeedbdocs: link rule type explanation to CLI option --fix-type (#20548) (Mike McCready)98cbf6bdocs: update migration guide per Program range change (#20534) (Huáng Jùnliàng)61a2405docs: add missing semicolon in vars-on-top rule example (#20533) (Abilash)
951223bchore: update dependency@eslint/eslintrcto ^3.3.4 (#20553) (renovate[bot])6aa1afechore: update dependency eslint-plugin-jsdoc to ^62.7.0 (#20536) (Milos Djermanovic)
c87d5bdfix: update eslint (#20531) (renovate[bot])d841001fix: updateminimatchto10.2.1to address security vulnerabilities (#20519) (루밀LuMir)04c2147fix: update error message for unused suppressions (#20496) (fnx)38b089cfix: update dependency@eslint/config-arrayto ^0.23.1 (#20484) (renovate[bot])
... (truncated)
Commits
-
bfce7ea10.0.3 -
d44ced8Build: changelog update for 10.0.3 -
e511b58fix: update eslint (#20595) -
ef8fb92chore: package.json update for eslint-config-eslint release -
e8f2104chore: updates for v9.39.4 release -
5cd1604refactor: simplify isCombiningCharacter helper (#20524) -
9fc31b0docs: Update README -
70ff1d0chore: eslint-config-eslint require Node^20.19.0 || ^22.13.0 || >=24(#20586) -
f4c9cf9fix: include variable name inno-useless-assignmentmessage (#20581) -
4efaa36docs: add info box foreslint-plugin-eslint-comments(#20570) - Additional commits viewable in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
-
@dependabot rebasewill rebase this PR -
@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it -
@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency -
@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) -
@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) -
@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Note: GITHUB_TOKEN is automatically available in every GitHub Actions workflow, no setup needed on your end.
What it looks like
Once it's set up and a Dependabot PR comes in, you'll see the github-actions bot approve the PR and enable auto-merge. The PR then waits for your required checks to complete and merges itself when everything is green.
A note on safety
This setup is only as safe as your CI. If you don't have required checks configured, the PR can auto-merge the moment the workflow approves it. At a minimum you want a build check required, tests if you have them. Branch protection rules still apply. If a required check fails, the PR won't merge. The workflow isn't bypassing anything, it's just handling the approval and queuing up the merge for you.
Being more selective
This workflow approves and enables auto-merge on every Dependabot PR regardless of whether it's a patch, minor, or major update. If you want to be more selective, you can use the dependabot/fetch-metadata action to check the update type and only proceed for patch and minor updates. The GitHub docs on automating Dependabot cover that in more detail.
If you want to see a PR that went through this whole flow check out the PR below.
chore(deps): bump rollup from 4.54.0 to 4.59.0
#790
Bumps rollup from 4.54.0 to 4.59.0.
Release notes
Sourced from rollup's releases.
2026-02-22
- Throw when the generated bundle contains paths that would leave the output directory (#6276)
- #6275: Validate bundle stays within output dir (
@lukastaegert)2026-02-20
- Also support
__NO_SIDE_EFFECTS__annotation before variable declarations declaring function expressions (#6272)
- #6256: docs: document PreRenderedChunk properties including isDynamicEntry and isImplicitEntry (
@njg7194,@lukastaegert)- #6259: docs: Correct typo and improve sentence structure in docs for
output.experimentalMinChunkSize(@millerick,@lukastaegert)- #6260: fix(deps): update rust crate swc_compiler_base to v47 (
@renovate[bot],@lukastaegert)- #6261: fix(deps): lock file maintenance minor/patch updates (
@renovate[bot],@lukastaegert)- #6262: Avoid unnecessary cloning of the code string (
@lukastaegert)- #6263: fix(deps): update minor/patch updates (
@renovate[bot],@lukastaegert)- #6265: chore(deps): lock file maintenance (
@renovate[bot])- #6267: fix(deps): update minor/patch updates (
@renovate[bot])- #6268: chore(deps): update dependency eslint-plugin-unicorn to v63 (
@renovate[bot],@lukastaegert)- #6269: chore(deps): update dependency lru-cache to v11 (
@renovate[bot])- #6270: chore(deps): lock file maintenance (
@renovate[bot])- #6272: forward NO_SIDE_EFFECTS annotations to function expressions in variable declarations (
@lukastaegert)2026-01-30
- Fix heap corruption issue in Windows (#6251)
- Ensure exports of a dynamic import are fully included when called from a try...catch (#6254)
- #6251: fix: Isolate and cache
process.report.getReport()calls in a child process for robust environment detection (@alan-agius4,@lukastaegert)
... (truncated)
Changelog
Sourced from rollup's changelog.
2026-02-22
- Throw when the generated bundle contains paths that would leave the output directory (#6276)
- #6275: Validate bundle stays within output dir (
@lukastaegert)2026-02-20
- Also support
__NO_SIDE_EFFECTS__annotation before variable declarations declaring function expressions (#6272)
- #6256: docs: document PreRenderedChunk properties including isDynamicEntry and isImplicitEntry (
@njg7194,@lukastaegert)- #6259: docs: Correct typo and improve sentence structure in docs for
output.experimentalMinChunkSize(@millerick,@lukastaegert)- #6260: fix(deps): update rust crate swc_compiler_base to v47 (
@renovate[bot],@lukastaegert)- #6261: fix(deps): lock file maintenance minor/patch updates (
@renovate[bot],@lukastaegert)- #6262: Avoid unnecessary cloning of the code string (
@lukastaegert)- #6263: fix(deps): update minor/patch updates (
@renovate[bot],@lukastaegert)- #6265: chore(deps): lock file maintenance (
@renovate[bot])- #6267: fix(deps): update minor/patch updates (
@renovate[bot])- #6268: chore(deps): update dependency eslint-plugin-unicorn to v63 (
@renovate[bot],@lukastaegert)- #6269: chore(deps): update dependency lru-cache to v11 (
@renovate[bot])- #6270: chore(deps): lock file maintenance (
@renovate[bot])- #6272: forward NO_SIDE_EFFECTS annotations to function expressions in variable declarations (
@lukastaegert)2026-01-30
- Fix heap corruption issue in Windows (#6251)
- Ensure exports of a dynamic import are fully included when called from a try...catch (#6254)
- #6251: fix: Isolate and cache
process.report.getReport()calls in a child process for robust environment detection (@alan-agius4,@lukastaegert)- #6252: chore(deps): update dependency lru-cache to v11 (
@renovate[bot])- #6253: chore(deps): lock file maintenance minor/patch updates (
@renovate[bot],@lukastaegert)- #6254: Fully include dynamic imports in a try-catch (
@lukastaegert)
... (truncated)
Commits
-
ae846954.59.0 -
b39616eUpdate audit-resolve -
c60770dValidate bundle stays within output dir (#6275) -
33f39c14.58.0 -
b61c408forward NO_SIDE_EFFECTS annotations to function expressions in variable decla... -
7f00689Extend agent instructions -
e7b2b85chore(deps): lock file maintenance (#6270) -
2aa5da9fix(deps): update minor/patch updates (#6267) -
4319837chore(deps): update dependency lru-cache to v11 (#6269) -
c3b6b4bchore(deps): update dependency eslint-plugin-unicorn to v63 (#6268) - Additional commits viewable in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
-
@dependabot rebasewill rebase this PR -
@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it -
@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency -
@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) -
@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) -
@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the Security Alerts page.
This has taken a whole category of busywork off my plate for my personal site and my Clawspace project.
nickytonline
/
nickytdotco
Source code for my web site nickyt.co
Nick Taylor's Personal Website
This is the source code for nickyt.co, Nick Taylor's personal website and blog.
Tech Stack
- Astro - Modern web framework for building fast, content-focused websites
- React - For interactive UI components
- MDX - For blog posts and content with embedded components
- Tailwind CSS - Utility-first CSS framework
- TypeScript - Type-safe JavaScript
- Expressive Code - Syntax highlighting for code blocks
- Netlify - Hosting and deployment platform
- Node.js 22+ - Runtime environment
Terminal commands
Install the Vite+ CLI (one-time setup)
curl -fsSL https://vite.plus | bash
See the Vite+ guide for more details.
Install the dependencies
vp install
Run in dev mode
vp run dev
Build a production version of the site
vp run build
Test the production site locally
vp run preview
Styling
- Tailwind v4 is configured in
tailwind.config.cjsandpostcss.config.cjs. - Global styles are loaded from
src/styles/tailwind.css, which importssrc/styles/legacy.cssfor bespoke rules.
Licensing
This…
nickytonline
/
clawspace
Clawspace is a browser-based file explorer/editor for an OpenClaw workspace.
Clawspace
Clawspace is a browser-based file explorer/editor for an OpenClaw workspace.
It gives you:
-
File and directory browsing (
/workspace)
-
Timeline view (
/timeline) with folder filters and pagination
-
Configurable default home view for
/(Files or Timeline) -
Monaco editor for text files
-
Save/revert/copy actions
-
Auto-format on blur (supported file types)
-
Basic hardening for writes (path checks, blocked files, audit log)
Why this exists
OpenClaw users often want a fast, authenticated UI to inspect and edit workspace files without opening SSH/terminal sessions.
Clawspace is designed to run on your LAN, or behind a trusted auth proxy (for example Pomerium + OpenClaw trusted-proxy mode).
Install
Install the Vite+ CLI (one-time setup)
curl -fsSL https://vite.plus | bash
See the Vite+ guide for more details.
Install the dependencies
git clone https://github.com/nickytonline/clawspace
cd clawspace
vp install
Quick start
vp run build
vp run clawspace:serve
Default port is 6789.
Development
vp run…For work projects there would probably be some push back on this potentially, but if you have a really great CI/CD pipeline with checks, definitely consider doing this or at least having a discussion with your team.
If you want to stay in touch, all my socials are on nickyt.online.
Until the next one!