How to automate dependency updates in CI
Configure automated dependency update pull requests with grouping, scheduling, required CI, and safe auto-merge for low-risk patch updates.
What and why
Outdated dependencies accumulate security and compatibility debt. Automated update tools open pull requests as new versions appear, so updates become a steady trickle instead of a painful batch. This tutorial configures grouped, scheduled updates with safe auto-merge.
Prerequisites
- A repo with a dependency manifest and lockfile.
- A reliable test suite that runs in CI.
- Admin access to the repository.
Steps
1. Enable the update bot
Add .github/dependabot.yml to enable automated update pull requests. The bot watches your manifests and proposes upgrades.
2. Configure ecosystems and schedule
version: 2
updates:
- package-ecosystem: npm
directory: "/"
schedule:
interval: weekly
A weekly cadence keeps noise manageable while staying current.
3. Group related updates
groups:
dev-dependencies:
patterns: ["*"]
dependency-type: development
Grouping collapses many small PRs into one, reducing review overhead.
4. Require CI to pass
Every update PR must run your full test suite. Branch protection that requires green CI ensures no update merges without passing tests, which is what makes automation safe.
5. Auto-merge safe updates
- run: gh pr merge --auto --squash "$PR_URL"
if: steps.metadata.outputs.update-type == 'version-update:semver-patch'
Auto-merge patch-level updates once CI passes; hold minor and major versions for human review.
Verification
Wait for or trigger an update PR. Confirm it runs CI and, for a patch update, merges automatically after passing. Confirm a major-version PR stays open for review.
Next Steps
Add a security-only update channel for faster patching of vulnerabilities. Pin actions and base images for updates too. Monitor merged updates for regressions and tune which types auto-merge.
Prerequisites
- A repo with a dependency manifest
- A passing test suite in CI
- Repo admin access
Steps
- 1Enable the update bot
- 2Configure ecosystems and schedule
- 3Group related updates
- 4Require CI to pass
- 5Auto-merge safe updates
- 6Verify the workflow