Name: dependabot/fetch-metadata
Extract information about the dependencies being updated by a Dependabot-generated PR.
Create a workflow file that contains a step that uses: dependabot/fetch-metadata@v2, e.g.
# .github/workflows/dependabot-prs.yml
name: Dependabot Pull Request
on: pull_request
jobs:
dependabot:
permissions:
pull-requests: read
runs-on: ubuntu-latest
if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo'
steps:
- name: Fetch Dependabot metadata
id: dependabot-metadata
uses: dependabot/fetch-metadata@v2
with:
alert-lookup: true
compat-lookup: true
github-token: "${{ secrets.PAT_TOKEN }}"
Supported inputs are:
github-token (string)GITHUB_TOKEN secret${{ github.token }}alert-lookup or compat-lookup.alert-lookup (boolean)true, then populate the alert-state, ghsa-id and cvss outputs.falsegithub-token field must be set to a personal access token (PAT) or an installation access token (App Token). For more details, see thiscompat-lookup (boolean)true, then populate the compatibility-score output.falsegithub-token field must be set to a personal access token (PAT).skip-commit-verification (boolean)true, then the action will not expect the commits to have a verification signature. It is required to set this to 'true' in GitHub Enterprise Serverfalseskip-verification (boolean)true, the action will not validate the user or the commit verification statusfalseSubsequent actions will have access to the following outputs:
steps.dependabot-metadata.outputs.dependency-namessteps.dependabot-metadata.outputs.dependency-typedirect:production, direct:development and indirect. See the allow documentation for descriptions of each.steps.dependabot-metadata.outputs.update-typeversion-update:semver-major. For all possible values, see the ignore documentation.steps.dependabot-metadata.outputs.updated-dependencies-jsonsteps.dependabot-metadata.outputs.directorydirectory configuration that was used by dependabot for this updated Dependency.steps.dependabot-metadata.outputs.package-ecosystempackage-ecosystem configuration that was used by dependabot for this updated Dependency.steps.dependabot-metadata.outputs.target-branchtarget-branch configuration that was used by dependabot for this updated Dependency.steps.dependabot-metadata.outputs.previous-versionsteps.dependabot-metadata.outputs.new-versionsteps.dependabot-metadata.outputs.alert-statealert-lookup is true, this contains the current state of that alert (OPEN, FIXED or DISMISSED).steps.dependabot-metadata.outputs.ghsa-idalert-lookup is true, this contains the GHSA-ID of that alert.steps.dependabot-metadata.outputs.cvssalert-lookup is true, this contains the CVSS value of that alert (otherwise it contains 0).steps.dependabot-metadata.outputs.compatibility-scorecompat-lookup is true, this contains the compatibility score (otherwise it contains 0).steps.dependabot-metadata.outputs.maintainer-changessteps.dependabot-metadata.outputs.dependency-groupNote: By default, these outputs will only be populated if the target Pull Request was opened by Dependabot and contains
only Dependabot-created commits. To override, see skip-commit-verification / skip-verification.
This metadata can be used along with Action's expression syntax and the GitHub CLI to create useful automation for your Dependabot PRs.
[!NOTE] Workflows triggered by Dependabot on the
pull_requestevent run with a read-onlyGITHUB_TOKENand cannot access user-defined repository or organization secrets. The GitHub-provided token is still available, but only with read-only permissions (prefergithub.tokenwhen referring to that built-in token in examples). If your workflow needs write permissions or access to user-defined secrets, use thepull_request_targetevent or a separate workflow triggered byworkflow_run. The examples below usepull_request_targetfor this reason.
Since the dependabot/fetch-metadata Action will set a failure code if it cannot find any metadata, you can
have a permissive auto-approval on all Dependabot PRs like so:
[!NOTE] The
GITHUB_TOKENapproval will come from thegithub-actions[bot]user. If your branch protection rules use "Require approval of the most recent reviewable push" or restrict which users/teams can provide approving reviews, this approval may not satisfy your merge requirements. In those cases, consider using a PAT or GitHub App token instead, but store that credential as a secret, grant it the least privilege needed, and do not expose it to untrusted or PR-controlled code paths. This is especially important for workflows triggered bypull_request_target: do not make such secrets available to steps that run code from the pull request.
name: Dependabot auto-approve
on: pull_request_target
permissions:
pull-requests: write
jobs:
dependabot:
runs-on: ubuntu-latest
# Checking the author will prevent your Action run failing on non-Dependabot PRs
if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo'
steps:
- name: Dependabot metadata
id: dependabot-metadata
uses: dependabot/fetch-metadata@v2
- uses: actions/checkout@v4
- name: Approve a PR if not already approved
run: |
gh pr checkout "$PR_URL" # sets the upstream metadata for `gh pr status`
if [ "$(gh pr status --json reviewDecision -q .currentBranch.reviewDecision)" != "APPROVED" ];
then gh pr review --approve "$PR_URL"
else echo "PR already approved, skipping additional approvals to minimize emails/notification noise.";
fi
env:
PR_URL: ${{github.event.pull_request.html_url}}
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
If you are using the auto-merge feature on your repository,
you can set up an action that will enable Dependabot PRs to merge once CI and other branch protection rules are met. Enabling auto-merge requires write permissions on the repository. When using pull_request_target, the GITHUB_TOKEN has read/write access and satisfies this requirement when configured with contents: write and pull-requests: write.
For example, if you want to automatically merge all patch updates to Rails:
name: Dependabot auto-merge
on: pull_request_target
permissions:
pull-requests: write
contents: write
jobs:
dependabot:
runs-on: ubuntu-latest
if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo'
steps:
- name: Dependabot metadata
id: dependabot-metadata
uses: dependabot/fetch-metadata@v2
- name: Enable auto-merge for Dependabot PRs
if: ${{contains(steps.dependabot-metadata.outputs.dependency-names, 'rails') && steps.dependabot-metadata.outputs.update-type == 'version-update:semver-patch'}}
run: gh pr merge --auto --merge "${{github.event.pull_request.html_url}}"
env:
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
If you have other automation or triage workflows based on GitHub labels, you can configure an action to assign these based on the metadata.
For example, if you want to flag all production dependency updates with a label:
name: Dependabot auto-label
on: pull_request_target
permissions:
pull-requests: write
issues: write
repository-projects: write
jobs:
dependabot:
runs-on: ubuntu-latest
if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo'
steps:
- name: Dependabot metadata
id: dependabot-metadata
uses: dependabot/fetch-metadata@v2
- name: Add a label for all production dependencies
if: ${{ steps.dependabot-metadata.outputs.dependency-type == 'direct:production' }}
run: gh pr edit "${{github.event.pull_request.html_url}}" --add-label "production"
env:
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
First, create a GitHub App and set the appropriate permissions.
For example, to use the features below, the minimum permissions required for the GitHub App are as follows:
alert-lookup : Dependabot alerts: Read onlyPlease add any necessary permissions for your job as needed.
The following is an example of using an installation access token (App Token) in github-token.
```yml on: pull_request jobs: dependabot: runs-on: ubuntu-latest if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'owner/my_repo' steps: - uses: actions/create-github-app-token@v2 id: app-token with: # Store these as repository or organization GitHub Dependabot secrets # (e.g. Settings → Secrets and variables → Dependabot → GH_APP_ID, GH_APP_PRIVATE_KEY) app-id: ${{ secrets.GH_APP_ID }} # GitHub App ID private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} # GitHub App Private key
- name: Dependabot metadata
id: dependabot-metadata
uses: dependabot/fetch-metadata@v2
wi
$ claude mcp add fetch-metadata \
-- python -m otcore.mcp_server <graph>