Skip to content

Dependency Automation

Enable Dependabot for GitHub Actions and each applicable ecosystem: npm, uv/PyPI, Docker, Terraform, and others supported by the repository.

Schedule routine updates weekly, group compatible patches where useful, and limit concurrent PRs to preserve signal. Security updates receive risk-based priority.

Common workflows are referenced by an approved major tag or immutable SHA. Never reference @main from production repositories. Dependabot can propose version updates; Platform Engineering publishes release notes and migration guidance for breaking workflow changes.

Automated merge is allowed only for low-risk patch updates after all checks pass and repository owners explicitly enable it. Major runtime, framework, cloud SDK, provider, or base-image changes require human review and targeted regression.