dependabot-pr-automation

Dependabot PR Automation for chainloop

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.


Install skill "dependabot-pr-automation" with this command: npx skills add chainloop-dev/chainloop/chainloop-dev-chainloop-dependabot-pr-automation


This skill reviews open Dependabot pull requests, assesses their risk, approves safe ones, and merges them.

Repository Info

Item    Value
Owner   chainloop-dev
Repo    chainloop

Step 1: List Open Dependabot PRs

Use mcp__github__list_pull_requests to fetch open PRs:

  • owner : chainloop-dev

  • repo : chainloop

  • state : open

Filter the results to only include PRs authored by dependabot[bot]. Collect each PR's number, title, head branch, and labels.

If there are no open Dependabot PRs, report that and stop.

Step 2: Assess Risk for Each PR

For each Dependabot PR, determine the risk level using these criteria:

2a. Parse Version Bump from PR Title

Dependabot PR titles follow the pattern Bump <package> from <old-version> to <new-version>. Extract the old and new versions and classify the bump:

Bump Type                    Risk Level   Criteria
Patch (x.x.OLD → x.x.NEW)    Low          Only the patch segment changed
Minor (x.OLD.x → x.NEW.x)    Medium       The minor segment changed
Major (OLD.x.x → NEW.x.x)    High         The major segment changed

2b. Check CI / Check Status

Use mcp__github__get_pull_request_status to retrieve the CI check status for each PR. A PR is considered CI-passing only if all checks have concluded with a success state.

2c. Inspect the Diff

Use mcp__github__get_pull_request_files to review the files changed. Flag any PR that modifies unexpected files beyond dependency manifests (go.mod, go.sum, package.json, yarn.lock, Dockerfile*, .github/workflows/*).

2d. Identify Dependency Scope

  • Development-only (test frameworks, linters, dev tools) → Lower risk

  • Production (runtime dependencies) → Higher risk

  • GitHub Actions (workflow dependencies) → Typically low risk for minor/patch bumps

2e. Final Risk Matrix

Version Bump   CI Passing   Only Manifest Files   Final Risk   Action
Patch          Yes          Yes                   Low          Auto-approve and merge
Patch          No           Yes                   Medium       Approve but do not merge
Minor          Yes          Yes                   Medium       Auto-approve and merge
Minor          Yes          No                    High         Do not approve
Minor          No           *                     High         Do not approve
Major          *            *                     High         Do not approve

GitHub Actions patch and minor bumps with passing CI → Low risk.

Step 3: Approve Eligible PRs

Use mcp__github__create_pull_request_review with event: APPROVE for eligible PRs.

Step 4: Merge Approved PRs

Use mcp__github__merge_pull_request with merge_method: squash. If the merge fails, note the failure and continue.

Step 5: Report Results

After processing all PRs, produce a summary table showing merged, approved-pending, flagged, and errored PRs.

Important Notes

  • Never force-merge.

  • Respect branch protection rules.

  • Go module PRs may need go mod tidy after merge.

  • Process oldest-first to avoid dependency tree conflicts.

  • Security-labeled PRs should be prioritized; treat security patch/minor bumps as Low risk if CI passes.
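The risk assessment of Step 2 (title parsing, bump classification, manifest check, the 2e matrix) together with the GitHub Actions and security-label rules from the notes above, as an added Python example that is not part of the skill or the chainloop repository. The PR records it consumes are constructed dictionaries standing in for the MCP tool output; the `github_action` flag is assumed to be supplied by the caller, and cases the matrix does not list (unrecognised titles, unchanged versions, non-manifest files on a patch bump) are treated as "Do not approve" by assumption.

```python
import re
# Title pattern from step 2a and manifest allow-list from step 2c (anything else flags the PR).
TITLE_RE = re.compile(r"^Bump (?P<pkg>\S+) from (?P<old>\S+) to (?P<new>\S+)")
MANIFEST_RE = re.compile(
    r"^(go\.mod|go\.sum|package\.json|yarn\.lock|Dockerfile[^/]*|\.github/workflows/[^/]+)$")

def parse_title(title):
    """(package, old, new) from a Dependabot title, or None if it does not match."""
    m = TITLE_RE.match(title)
    return (m["pkg"], m["old"], m["new"]) if m else None

def version_segments(v):
    """First three numeric segments, zero-padded: "v4" -> [4, 0, 0], "1.2.3-rc1" -> [1, 2, 3]."""
    nums = [int(s) for s in re.findall(r"\d+", v)[:3]]
    return nums + [0] * (3 - len(nums))

def bump_type(old, new):
    """Left-most changed segment: 'major', 'minor', 'patch', or 'none' if nothing differs."""
    for name, o, n in zip(("major", "minor", "patch"), version_segments(old), version_segments(new)):
        if o != n:
            return name
    return "none"

def assess(title, ci_passing, changed_files, labels=(), github_action=False):
    """Step 2e matrix plus the GitHub Actions and security-label rules -> (risk, action).
    Assumption beyond the matrix: unrecognised titles, unchanged versions and any PR
    touching files outside the manifests are never approved, whatever the bump size."""
    parsed = parse_title(title)
    bump = bump_type(parsed[1], parsed[2]) if parsed else "none"
    if bump in ("major", "none") or not all(MANIFEST_RE.match(f) for f in changed_files):
        return "high", "Do not approve"
    if not ci_passing:  # Patch/No/Yes -> Medium; Minor/No/* -> High
        return ("medium", "Approve but do not merge") if bump == "patch" else ("high", "Do not approve")
    if bump == "patch" or github_action or "security" in labels:
        return "low", "Auto-approve and merge"
    return "medium", "Auto-approve and merge"  # Minor/Yes/Yes

def triage(prs):
    """Keep dependabot[bot] PRs, process oldest-first (lowest number), return [(number, risk, action)]."""
    bots = sorted((p for p in prs if p["author"] == "dependabot[bot]"), key=lambda p: p["number"])
    return [(p["number"],) + assess(p["title"], p["ci_passing"], p["files"],
                                    p.get("labels", ()), p.get("github_action", False)) for p in bots]

if __name__ == "__main__":
    # Constructed PR records (not real chainloop PRs) in the shape the tool output would be mapped to.
    for row in triage([{"number": 12, "author": "dependabot[bot]", "files": ["go.mod", "go.sum"],
                        "title": "Bump example.com/lib from 0.17.0 to 0.17.1", "ci_passing": True},
                       {"number": 7, "author": "dependabot[bot]", "files": [".github/workflows/ci.yml"],
                        "title": "Bump actions/setup-go from 5.0.0 to 5.1.0", "ci_passing": True, "github_action": True}]):
        print(row)
```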

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
