Create a `.github/dependabot.yml` file to enable Dependabot version updates for your package ecosystems (e.g., npm, pip, docker) with a weekly or daily schedule
Add a GitHub Actions workflow that triggers on `pull_request` events and only runs when the actor is `dependabot[bot]`; use the `gh` CLI or the GitHub API to fetch the Dependabot PR metadata, including `dependency-type` and `update-type`
Check the update type with the `dependabot/fetch-metadata` action, which exposes outputs such as `update-type` (`version-update:semver-patch`, `version-update:semver-minor`, `version-update:semver-major`) and `dependency-type` (direct, indirect)
If the update is patch or minor (and optionally only for direct dependencies), approve the PR with `gh pr review --approve` using a token that has `pull-requests: write` permission
Enable auto-merge on the PR with `gh pr merge --auto --squash` so it merges automatically once the required status checks pass
Leave major version updates for human review by not approving them in the workflow; they simply wait in the PR queue
Known gotchas
The `GITHUB_TOKEN` in a Dependabot-triggered `pull_request` workflow is read-only by default; either set an explicit `permissions` block in the workflow (`contents: write` for auto-merge and `pull-requests: write` for approval), or use a PAT or a GitHub App token that carries those write permissions
Auto-merging requires branch protection rules with at least one required status check; without a required check, `gh pr merge --auto` merges the PR immediately, before any tests have run
Dependabot PRs for grouped updates (when using the `groups` key in `dependabot.yml`) report a single `update-type` equal to the highest-severity change in the group, so a group that contains one major update will block auto-merge for the whole group even if most packages in it are only minor bumps