Auto-Merge Dependabot Patch PRs

Overview

This flow safely auto-merges approved Dependabot patch-level (x.y.Z) pull requests and posts a confirmation message to a Teams channel. It runs on a 30-minute recurrence and uses the GitHub search API with qualifiers to find Dependabot PRs that are open, have at least one approving review, and have all required status checks passing.

Why it matters: Patch-level dependency bumps are almost always safe (bug fixes and security patches, no API changes). Manually merging them is tedious and creates review fatigue. Automating the patch tier lets your team focus reviewer attention on minor/major bumps where breaking changes are possible.

Use Case

Most patch bumps are approved quickly but sit in the PR queue because no one wants to be the one to click merge. This flow detects patch PRs that are already approved and have green CI, merges them, and announces the merge in Teams. Minor and major version bumps are deliberately ignored so humans still review them.

The flow is ideal for teams that:

• A team uses Dependabot to keep dependencies up to date.
• Most patch bumps are approved quickly but sit in the PR queue because no one wants to be the one to click merge.
• This flow detects patch PRs that are already approved + have green CI, merges them, and announces the merge in Teams.
• Minor and major version bumps are deliberately ignored so humans still review them.

Flow Architecture

Environment Variables

Connectors & Connections

Note — All connections are referenced as solution connection references; the flow is portable between environments as long as a connection is mapped at import time.

Customization Guide

Almost every realistic variant of this flow can be implemented by changing environment variable values. A few cases require small edits inside the flow definition — those are called out explicitly below.

Change the target repo

Update flowlibs_GitHubOwner and flowlibs_GitHubRepo environment variable values to point the flow at a different repository.

Route announcements to a different Teams channel

Update flowlibs_TeamsGroupId and flowlibs_TeamsChannelId to redirect the merge confirmation posts to another channel.

Use a different merge method

Set flowlibs_DependabotMergeMethod to one of merge, squash, or rebase. GitHub will reject any other value with a 422.

Widen the scope beyond patch bumps

Remove or relax the If_Is_Patch_Level_Bump condition. For example, merging minor bumps (e.g. 1.2.3 to 1.3.0) means keeping the from == to check OFF for the major segment only. Do not remove the review:approved status:success qualifiers - the flow relies on server-side approval + CI gating.

Monitor multiple repos

Duplicate the flow or refactor it to loop a comma-separated list of repos. The search query can be extended with multiple repo: qualifiers if they share a single owner.

Change the scan interval

Edit the Recurrence trigger frequency. GitHub search API is rate-limited (30 requests/minute authenticated), so intervals below 5 minutes risk throttling across concurrent flows.

Key Expressions

The flow is intentionally light on Power Fx / WDL gymnastics — the heaviest expressions are the branch-name concatenation and the approval outcome check. They are listed below in the order they appear in the flow.

@concat(
  'is:pr is:open review:approved status:success author:app/',
  variables('varBotLogin'),
  ' repo:',
  variables('varGitHubOwner'),
  '/',
  variables('varGitHubRepo')
)

@coalesce(
  body('Search_for_Approved_Dependabot_PRs')?['items'],
  body('Search_for_Approved_Dependabot_PRs')?['value'],
  createArray()
)

@split(items('For_Each_Candidate_PR')?['title'], 'from ')[1]

@and(
  equals(outputs('Compose_From_MajorMinor'), outputs('Compose_To_MajorMinor')),
  greater(length(outputs('Compose_From_MajorMinor')), 0),
  startsWith(items('For_Each_Candidate_PR')?['title'], 'Bump')
)