One of the recurring themes of software development is patching security issues.
Most repository hosting services have fairly good issue reporting at this point, but many
organizations still struggle to apply those fixes in a timely fashion.
This past week we were discussing how to reduce the overhead of this process,
and I was curious: can you just auto-merge Github Dependabot pull-requests?
It turns out, [the answer is yes], and it works pretty well.
You get control over which types of updates (patches, minor updates, major updates, etc) you want
to auto-merge, and it will also respect your automated checks.
If you have great CI/CD that runs blocking linting, typing and tests, then this works
particularly well.
If you don’t, then, well, this will be an effective mechanism
to get you to having good linting, typing, and tests afer traversing a small ocean of tears.

Lethain, authored by Will Larson, offers a unique perspective on engineering management, leadership, and organizational dynamics. Developers and engineering leaders can explore topics such as team building, career growth, and organizational design, gaining insights into building high-impact engineering organizations. With thoughtful reflections and actionable advice, Lethain serves as a resource for those navigating the complexities of engineering leadership.

Irrational Exuberance

Dependabot PRs can be automatically merged on GitHub to reduce the overhead of applying security patches. The setup involves creating a GitHub Actions workflow that approves and auto-merges patch and minor version updates, enabling auto-merge in repository settings, and ensuring proper CI/CD checks are in place. The workflow respects branch protection rules and automated tests, making it effective for repositories with robust linting, typing, and testing infrastructure.

Automatically merging dependabot PRs