Dependency Automation
Required ecosystems
Section titled “Required ecosystems”Enable Dependabot for GitHub Actions and each applicable ecosystem: npm, uv/PyPI, Docker, Terraform, and others supported by the repository.
Schedule routine updates weekly, group compatible patches where useful, and limit concurrent PRs to preserve signal. Security updates receive risk-based priority.
Workflow dependencies
Section titled “Workflow dependencies”Common workflows are referenced by an approved major tag or immutable SHA. Never reference @main from production repositories. Dependabot can propose version updates; Platform Engineering publishes release notes and migration guidance for breaking workflow changes.
Merge policy
Section titled “Merge policy”Automated merge is allowed only for low-risk patch updates after all checks pass and repository owners explicitly enable it. Major runtime, framework, cloud SDK, provider, or base-image changes require human review and targeted regression.