Replies: 2 comments
I am concerned about this as well. Automerge doesn't show as an option for users who have the ability to override merge status checks, so this is an oversight for pretty much every single small project.
As for me, it's really helpful to merge dependencies with a comment. It's useful if Dependabot keeps rebasing due to conflicts, but you're sure that everything is fine with the update. For JS/TS projects, it's going to be a real pain in the ass 😕
I had been relying on @dependabot merge to help protect my projects from dependabot phishing attacks on my repository -- the logic being that if someone attempts to credibly APPEAR as dependabot and opens a PR, and I fail to detect that spoofing in my review, @dependabot merge would be a final safeguard because the attacker would not have the rights to merge.

I saw that this feature is being deprecated, and the guidance is to use the GitHub UX to perform the action. My concern is that using the UX would remove that final auth-based safeguard.

Does the dependabot team have any suggestions for how I might maintain that layer of safety / avoid human error in my review process?
After posting this I see there is also a feedback thread on the broader GH community page too: https://github.com/orgs/community/discussions/176097
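One way to keep an identity-based gate once the comment command is gone is to decide automerge from the PR's author metadata rather than from how the PR looks. The script below is an added example written for this thread; it is not Dependabot's code or anything the discussion links to. It assumes the PR object and its commit list were fetched with `gh api repos/OWNER/REPO/pulls/N` and `.../pulls/N/commits` (standard REST fields: `user.login`, `user.type`, `head.ref`, `head.repo`, `commit.verification.verified`) and passed in as parsed JSON; the two payloads embedded here are constructed, one resembling a real Dependabot PR and one resembling a look-alike opened from a fork by a user account.

```python
"""Gate automerge on who opened the PR, not on what it looks like.

Added example (not from the discussion). Assumes GitHub REST PR JSON as
input, e.g. from `gh api repos/OWNER/REPO/pulls/N` and `.../commits`.
"""
from __future__ import annotations

# App logins carry a "[bot]" suffix. GitHub user names may only contain
# letters, digits and hyphens, so no user account can hold this login.
DEPENDABOT_LOGIN = "dependabot[bot]"


def automerge_decision(pr: dict, commits: list[dict]) -> tuple[bool, list[str]]:
    """Return (ok, reasons). ok is True only when every identity check passes."""
    reasons: list[str] = []
    user = pr.get("user") or {}
    head = pr.get("head") or {}
    base = pr.get("base") or {}

    if user.get("login") != DEPENDABOT_LOGIN:
        reasons.append(f"author login is {user.get('login')!r}, not {DEPENDABOT_LOGIN!r}")
    if user.get("type") != "Bot":
        reasons.append(f"author account type is {user.get('type')!r}, not 'Bot'")
    if not str(head.get("ref", "")).startswith("dependabot/"):
        reasons.append(f"head branch {head.get('ref')!r} is not a dependabot/ branch")
    # Dependabot pushes to a branch in the same repository, never from a fork.
    head_repo = (head.get("repo") or {}).get("full_name")
    base_repo = (base.get("repo") or {}).get("full_name")
    if head_repo != base_repo:
        reasons.append(f"head branch lives in {head_repo!r}, not in {base_repo!r}")
    # Dependabot's commits are signed by GitHub; an unsigned commit is a red flag.
    for c in commits:
        verification = (c.get("commit") or {}).get("verification") or {}
        if not verification.get("verified"):
            reasons.append(f"commit {str(c.get('sha', '?'))[:7]} is not signature-verified")
    return (not reasons, reasons)


# ---- constructed sample payloads (not real PRs) --------------------------
REPO = "example-org/example-app"  # hypothetical repository

LEGIT_PR = {
    "user": {"login": "dependabot[bot]", "type": "Bot"},
    "head": {"ref": "dependabot/npm_and_yarn/lodash-4.17.21", "repo": {"full_name": REPO}},
    "base": {"ref": "main", "repo": {"full_name": REPO}},
}
LEGIT_COMMITS = [
    {"sha": "a1b2c3d4e5f6", "commit": {"verification": {"verified": True}}},
]

# Same branch name and title style, but opened from a fork by a user account.
SPOOFED_PR = {
    "user": {"login": "dependabot-bot", "type": "User"},
    "head": {"ref": "dependabot/npm_and_yarn/lodash-4.17.21",
             "repo": {"full_name": "dependabot-bot/example-app"}},
    "base": {"ref": "main", "repo": {"full_name": REPO}},
}
SPOOFED_COMMITS = [
    {"sha": "f6e5d4c3b2a1", "commit": {"verification": {"verified": False}}},
]


def main() -> None:
    for label, pr, commits in (("legit", LEGIT_PR, LEGIT_COMMITS),
                               ("spoofed", SPOOFED_PR, SPOOFED_COMMITS)):
        ok, reasons = automerge_decision(pr, commits)
        print(f"{label}: {'MERGE' if ok else 'BLOCK'}")
        for r in reasons:
            print(f"  - {r}")


if __name__ == "__main__":
    main()
```

Run from a workflow or a local hook before calling `gh pr merge`; the point is that the decision keys on `user.login`, `user.type`, the head repository and commit signatures, all of which a spoofer cannot set to Dependabot's values, whereas the PR title, body and branch name are freely chosen by whoever opens it.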