dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

dependabot v2 can't merge to protected branches #2480

Open ZebraFlesh opened 3 years ago

ZebraFlesh commented 3 years ago

Using dependabot v2 (AKA GitHub-native Dependabot), I am unable to have dependabot successfully execute a @dependabot merge command against a protected branch. When I issue the merge command in a comment on the PR, I get the standard "You're not authorized to push to this branch. Visit https://docs.github.com/articles/about-protected-branches/ for more information." error. Dependabot v1 used a GitHub App which allowed me to add the dependabot-preview user to my branch protection rules. v2 seems to have changed things up by dropping the app, but now there's nothing for me to add to my branch protection rules. (The dependabot-preview user is still able to push to the protected branch, but v2 uses a user called dependabot so it doesn't match.)

jurre commented 3 years ago

Hi @ZebraFlesh, yeah this is a known issue that we're already tracking internally. Will keep you up to date when we have a fix for this, but unfortunately it's not straightforward so it might take a while before a fix for this lands.

ZebraFlesh commented 3 years ago

Thanks for the update. This issue is blocking me from upgrading to v2, so I'll definitely be keeping an eye.

christoferolaison commented 3 years ago

Any updates on this issue?

starikcetin commented 3 years ago

This is a very serious usability problem. Any updates yet?

jurre commented 3 years ago

> This is a very serious usability problem. Any updates yet?

Does the newly landed automerge help for your usecase? https://github.blog/changelog/2021-02-04-pull-request-auto-merge-is-now-generally-available/

That way, dependabot doesn't have to perform the merge.

ZebraFlesh commented 3 years ago

> That way, dependabot doesn't have to perform the merge.

I want the merge to be performed by dependabot, not myself. This is more accurate and provides a better commit history. Merges should also be fully automated; clicking something to enable auto merge on a PR goes against that grain. (Consider the problem at scale: I am not going to individually visit 5-10 PRs on several dozen repos, several times a week. Full automation is the way.)

starikcetin commented 3 years ago

Even though I am more on the safe side of things (going through the PRs one by one and testing them), I agree with @ZebraFlesh on this:

> I want the merge to be performed by dependabot, not myself. This is more accurate and provides a better commit history.

lucacome commented 3 years ago

Any update on this issue @jurre ?

Jamesking56 commented 3 years ago

Any update on this? It's been months.

Alxzu commented 3 years ago

Any update on this?

aaiezza commented 3 years ago

Please fix! :)

jameswoodley commented 2 years ago

Plus 1 on this issue. This has totally broken my workflow.

FreePhoenix888 commented 2 years ago

+1. Fix it please

renanrcp commented 1 year ago

Any update on this? 2 years issue lol

pavolloffay commented 1 year ago

+1 on this issue

jameswoodley commented 1 year ago

Hello? Is there any work going on on this issue?

deivid-rodriguez commented 1 year ago

Hello! Unfortunately we don't have any updates to share at the moment. We're working hard on providing a better experience, but we have too many competing priorities. We still hope to be able to allocate some time to fix this in the future.

jlsjonas commented 1 year ago

This is (imho) a serious regression preventing teams from correctly using paid-for features, that can't be too hard to fix unless very questionable design choices were made.

Nishnha commented 1 year ago

Good news! We are looking into this feature as part of this quarter's work.

We'll be looking into how we can integrate the Dependabot merge command (and upcoming auto-merge for security updates feature) into the repository team's upcoming repository rules platform.

The integration will allow devs to customize which Dependabot PRs can bypass branch protection rules based on targeting conditions defined by regex, such as all repos matching prod-.* and branches matching dev\/.*.

Will do my best to keep y'all updated. No timeline atm.

rkoster commented 1 year ago

@abdulapopoola could you provide a bit more context on why this issue is blocked?

abezzub commented 1 year ago

Is there an update on this issue?

rushilsrivastava commented 11 months ago

Is there a workaround for this issue in the meantime? Actions seem less than ideal, but better than nothing

Nishnha commented 11 months ago

> Is there a workaround for this issue in the meantime? Actions seem less than ideal, but better than nothing

If you are using a GitHub App to merge pull requests, you can add the App to a team on your organization with the "bypass branch protections" role: https://github.blog/changelog/2022-08-18-bypass-branch-protections-with-a-new-permission/

You can also combine this with the Dependabot fetch-metadata action, but the PRs will say they were merged by the App, not Dependabot.
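The workaround above, written out as a GitHub Actions workflow. This is an added example, not code from the dependabot-core project or from anyone in this thread. It assumes a GitHub App that has been added to a team holding the "bypass branch protections" role, with its App ID and private key stored as the hypothetical secrets DEPENDABOT_MERGER_APP_ID and DEPENDABOT_MERGER_PRIVATE_KEY; the workflow and job names are also made up here. The fetch-metadata step supplies the update type, which is used to keep the bypass narrow: only semver patch and minor updates are merged, so major bumps still wait for a person.

```yaml
# Added example: auto-merge Dependabot PRs through a GitHub App that holds the
# "bypass branch protections" role. Not part of dependabot-core.
# Assumed (hypothetical) secrets: DEPENDABOT_MERGER_APP_ID, DEPENDABOT_MERGER_PRIVATE_KEY.
name: Auto-merge Dependabot PRs

on:
  pull_request:

# The default token only needs to read; the merge is done with the App token.
permissions:
  contents: read
  pull-requests: read

jobs:
  automerge:
    # Only act on PRs that Dependabot itself opened.
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - name: Fetch Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Mint an installation token for the merging App
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.DEPENDABOT_MERGER_APP_ID }}
          private-key: ${{ secrets.DEPENDABOT_MERGER_PRIVATE_KEY }}

      - name: Merge patch and minor updates only
        # Major version bumps are left for human review; this keeps the
        # protection bypass limited to low-risk changes.
        if: >-
          steps.metadata.outputs.update-type == 'version-update:semver-patch' ||
          steps.metadata.outputs.update-type == 'version-update:semver-minor'
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          PR_URL: ${{ github.event.pull_request.html_url }}
        run: |
          # --auto queues the merge until required status checks have passed,
          # so a bypass-capable App still does not merge a red PR.
          gh pr merge --auto --merge "$PR_URL"
```

Two things to check before relying on this. First, workflows triggered by Dependabot's pull_request events cannot read ordinary repository secrets, so the App ID and private key have to be stored as Dependabot secrets (Settings, Secrets and variables, Dependabot) or the token step will fail. Second, the commits will be attributed to the App rather than to Dependabot, as noted above, so audit trails and any "merged by" rules should be written with that identity in mind; give the App only the contents and pull-requests write permissions it needs and install it only on the repositories that use this workflow.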

D3PSI commented 10 months ago

Any updates here? This is a major PITA if I may say so. Would appreciate a speedy implementation here, thanks!

bratanon commented 3 weeks ago

And 9 months have passed. Any updates here?