Dependency Review
Analyze Dependabot, Renovate, and Updatecli dependency update PRs.
Workflow source: gh-aw-dependency-review.md
How it works
Triggered when Dependabot, Renovate, or Updatecli opens or updates a PR. Classifies each dependency by ecosystem (GitHub Actions, Go, npm, Python, Java, Buildkite, etc.), runs shared checks (changelog, usage analysis, compatibility, testability), and applies ecosystem-specific checks where relevant. Posts a structured analysis comment and optionally labels the PR.
Quick Install

```shell
mkdir -p .github/workflows && curl -sL \
  https://raw.githubusercontent.com/elastic/ai-github-actions/v0/gh-agent-workflows/dependency-review/example.yml \
  -o .github/workflows/dependency-review.yml
```
Trigger

| Event | Types | Condition |
|---|---|---|
| `pull_request` | `opened`, `synchronize`, `reopened` | PR author is `dependabot[bot]` or `renovate[bot]`, or branch name starts with `updatecli` |
Inputs

| Input | Description | Required | Default |
|---|---|---|---|
| `additional-instructions` | Repo-specific instructions appended to the agent prompt. Use this to define label semantics for `classification-labels`. | No | `""` |
| `setup-commands` | Shell commands run before the agent starts. | No | `""` |
| `allowed-bot-users` | Allowlisted bot actor usernames (comma-separated). For Updatecli, add your repo's updatecli bot actor here (e.g. `github-actions[bot]` or a custom app bot). | No | `github-actions[bot]` |
| `classification-labels` | Comma-separated list of labels the agent may apply (e.g. `needs-human-review,higher-risk,merge-ready`). If empty, no labels are applied. Define label semantics in `additional-instructions`. | No | `""` |
Safe Outputs

- `add-comment` — post an analysis comment on the PR (max 1)
- `add-labels` — apply labels from the configured `classification-labels` allowlist (max 3); semantics defined via `additional-instructions`
Manual usage with mention-in-pr
You can also analyze any dependency update PR on demand using mention-in-pr. Comment on the PR with:
/ai Analyze this dependency update PR: classify each dependency by ecosystem, check for breaking changes, summarize changelog highlights, assess usage compatibility, and note testability in PR context.
Example Workflow

```yaml
name: Dependency Review
on:
  pull_request:
    types: [opened, synchronize, reopened]
permissions:
  actions: read
  contents: read
  issues: write
  pull-requests: write
jobs:
  run:
    if: >-
      github.event.pull_request.user.login == 'dependabot[bot]' ||
      github.event.pull_request.user.login == 'renovate[bot]' ||
      startsWith(github.head_ref, 'updatecli')
    uses: elastic/ai-github-actions/.github/workflows/gh-aw-dependency-review.lock.yml@v0
    # with:
    #   # Configure which labels the agent may apply and define their semantics in additional-instructions.
    #   classification-labels: "needs-human-review,higher-risk,merge-ready"
    #   additional-instructions: |
    #     - `needs-human-review`: Apply when breaking changes are found, a major version bump, unverified SHA, or mutable tag move.
    #     - `higher-risk`: Apply when the dependency is only used in push/release/schedule/dispatch workflows.
    #     - `merge-ready`: Apply when all dependency updates are safe to merge without human review.
    #   # For updatecli: uncomment and set your repo's updatecli bot actor (it varies per repo).
    #   allowed-bot-users: "github-actions[bot]"
    secrets:
      COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
```
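The label semantics in the commented `additional-instructions` above are informal prose for the agent; the following is an added example (not the workflow's or the agent's own code) that makes them concrete for the GitHub Actions ecosystem by classifying one `uses:` line change. It assumes Dependabot's convention of a trailing `# vX.Y.Z` comment on SHA-pinned actions, and treats a SHA with no such comment as "unverified".

```python
import re

# Dependabot annotates SHA-pinned actions with a trailing "# vX.Y.Z" comment.
USES_RE = re.compile(
    r"uses:\s*(?P<repo>[\w.-]+/[\w.-]+)@(?P<ref>[^\s#]+)(?:\s*#\s*v?(?P<ver>\d[\d.]*))?")
SHA_RE = re.compile(r"[0-9a-f]{40}")
# Triggers under which the PR's own CI run actually exercises the updated action.
PR_TRIGGERS = {"pull_request", "pull_request_target"}


def parse_uses(line):
    """Split a `uses:` line into (repo, ref, is_sha_pinned, version-or-None)."""
    m = USES_RE.search(line)
    if not m:
        raise ValueError(f"not a uses: line: {line!r}")
    ref = m["ref"]
    pinned = SHA_RE.fullmatch(ref) is not None
    version = m["ver"] if pinned else ref.lstrip("v")   # mutable tags carry the version themselves
    return m["repo"], ref, pinned, version


def major(version):
    head = (version or "").split(".")[0]
    return int(head) if head.isdigit() else None


def classify(old_line, new_line, workflow_triggers):
    """Model (assumption, not the agent's logic) of the three label rules above.
    Returns (labels, reasons) for a single action bump used in a workflow with
    the given `on:` triggers."""
    repo, _, _, old_ver = parse_uses(old_line)
    new_repo, _, new_pinned, new_ver = parse_uses(new_line)
    if repo != new_repo:
        return {"needs-human-review"}, {"dependency replaced"}
    reasons = set()
    if not new_pinned:
        reasons.add("mutable tag")            # a tag can be moved after review
    elif new_ver is None:
        reasons.add("unverified SHA")         # no version to check the SHA against
    if None not in (major(old_ver), major(new_ver)) and major(new_ver) > major(old_ver):
        reasons.add("major version bump")
    labels = set()
    if reasons:
        labels.add("needs-human-review")
    if not (set(workflow_triggers) & PR_TRIGGERS):
        labels.add("higher-risk")             # only push/release/schedule/dispatch use it
    if not labels:
        labels.add("merge-ready")
    return labels, reasons
```

The three labels are mutually consistent here: `merge-ready` is only produced when no other rule fires, matching the allowlist of at most three labels the workflow may apply.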