This blog uses a GitHub Action to automatically merge pull requests from dependabot so long as the Netlify deploy preview check succeeds. It was a bit of a pain to get going[^1], and always seemed like a process that GitHub could have made easier.
Of course, that was on purpose:
While I agree with Justin that researchers are more likely to audit packages than clients and supply chain attacks are worth solving, *Accelerate*[^2] makes a compelling case that in the meantime it's better to deploy both good and bad packages faster than stall either. Besides, security-sensitive projects already know who they are and have integration processes for auditing dependency updates promptly; automerge is for the rest of us.
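For readers who want the same setup, here is a workflow in the shape described at the top of the post. It is an added example, not this blog's actual workflow: it assumes the repository has branch protection that lists the Netlify deploy preview as a required status check and has auto-merge enabled in its settings, since `gh pr merge --auto` merges only once every required check passes and does no checking of its own. The step names, the squash strategy and the exclusion of semver-major bumps are my choices, not the post's.

```yaml
# Added example, not the blog's own workflow.
# Assumes: branch protection requires the Netlify deploy preview check,
# and "Allow auto-merge" is turned on for the repository.
name: Dependabot auto-merge

on: pull_request

# GITHUB_TOKEN is read-only on Dependabot-triggered runs unless the
# workflow asks for exactly the scopes it needs.
permissions:
  contents: write
  pull-requests: write

jobs:
  automerge:
    runs-on: ubuntu-latest
    # Only touch PRs authored by Dependabot; human PRs are left alone.
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    steps:
      - name: Fetch Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      # Example policy (mine, not the post's): auto-merge patch and minor
      # bumps only; major version bumps still wait for a human.
      - name: Enable auto-merge
        if: steps.metadata.outputs.update-type != 'version-update:semver-major'
        run: gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

The important detail is that the merge gate lives in branch protection, not in the workflow: if the Netlify check is not marked required, `--auto` will merge as soon as no required checks remain, which may be immediately. Confirm the required-checks list in the repository settings before trusting this.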
[^1]: And it's constantly breaking.

[^2]: Forsgren, Nicole, et al. *Accelerate: The Science of Lean Software and DevOps: Building and Scaling High Performing Technology Organizations*. IT Revolution, 2018.