Skip to main content

How to automate dependency updates in CI

Configure automated dependency update pull requests with grouping, scheduling, required CI, and safe auto-merge for low-risk patch updates.

Difficulty
Beginner
Duration
35 minutes
Steps
6

What and why

Outdated dependencies accumulate security and compatibility debt. Automated update tools open pull requests as new versions appear, so updates become a steady trickle instead of a painful batch. This tutorial configures grouped, scheduled updates with safe auto-merge.

Prerequisites

  • A repo with a dependency manifest and lockfile.
  • A reliable test suite that runs in CI.
  • Admin access to the repository.

Steps

1. Enable the update bot

Add .github/dependabot.yml to enable automated update pull requests. The bot watches your manifests and proposes upgrades.

2. Configure ecosystems and schedule

version: 2
updates:
  - package-ecosystem: npm
    directory: "/"
    schedule:
      interval: weekly

A weekly cadence keeps noise manageable while staying current.

3. Group related updates

    groups:
      dev-dependencies:
        patterns: ["*"]
        dependency-type: development

Grouping collapses many small PRs into one, reducing review overhead.

4. Require CI to pass

Every update PR must run your full test suite. Branch protection that requires green CI ensures no update merges without passing tests, which is what makes automation safe.

5. Auto-merge safe updates

      - run: gh pr merge --auto --squash "$PR_URL"
        if: steps.metadata.outputs.update-type == 'version-update:semver-patch'

Auto-merge patch-level updates once CI passes; hold minor and major versions for human review.

Verification

Wait for or trigger an update PR. Confirm it runs CI and, for a patch update, merges automatically after passing. Confirm a major-version PR stays open for review.

Next Steps

Add a security-only update channel for faster patching of vulnerabilities. Pin actions and base images for updates too. Monitor merged updates for regressions and tune which types auto-merge.

Prerequisites

  • A repo with a dependency manifest
  • A passing test suite in CI
  • Repo admin access

Steps

  • 1
    Enable the update bot
  • 2
    Configure ecosystems and schedule
  • 3
    Group related updates
  • 4
    Require CI to pass
  • 5
    Auto-merge safe updates
  • 6
    Verify the workflow

Category

CI/CD