Dependabot PR Automation for chainloop

This skill reviews open Dependabot pull requests, assesses their risk, approves safe ones, and merges them.

Repository Info

Item	Value
Owner	chainloop-dev
Repo	chainloop

Step 1: List Open Dependabot PRs

Use mcp__github__list_pull_requests to fetch open PRs:

• owner: chainloop-dev
• repo: chainloop
• state: open

Filter the results to only include PRs authored by dependabot[bot]. Collect each PR's number, title, head branch, and labels.

If there are no open Dependabot PRs, report that and stop.

Step 2: Assess Risk for Each PR

For each Dependabot PR, determine the risk level using these criteria:

2a. Parse Version Bump from PR Title

Dependabot PR titles follow the pattern: Bump <package> from <old-version> to <new-version>. Extract the old and new versions and classify the bump:

Bump Type	Risk Level	Criteria
Patch (x.x.OLD → x.x.NEW)	Low	Only the patch segment changed
Minor (x.OLD.x → x.NEW.x)	Medium	The minor segment changed
Major (OLD.x.x → NEW.x.x)	High	The major segment changed

2b. Check CI / Check Status

Use mcp__github__get_pull_request_status to retrieve the CI check status for each PR. A PR is considered CI-passing only if all checks have concluded with a success state.

2c. Inspect the Diff

Use mcp__github__get_pull_request_files to review the files changed. Flag any PR that modifies unexpected files beyond dependency manifests (go.mod, go.sum, package.json, yarn.lock, Dockerfile*, .github/workflows/*).

2d. Identify Dependency Scope

• Development-only (test frameworks, linters, dev tools) → Lower risk
• Production (runtime dependencies) → Higher risk
• GitHub Actions (workflow dependencies) → Typically low risk for minor/patch bumps

2e. Final Risk Matrix

Version Bump	CI Passing	Only Manifest Files	Final Risk	Action
Patch	Yes	Yes	Low	Auto-approve and merge
Patch	No	Yes	Medium	Approve but do not merge
Minor	Yes	Yes	Medium	Auto-approve and merge
Minor	Yes	No	High	Do not approve
Minor	No	*	High	Do not approve
Major	*	*	High	Do not approve

GitHub Actions patch and minor bumps with passing CI → Low risk.

Step 3: Approve Eligible PRs

Use mcp__github__create_pull_request_review with event: APPROVE for eligible PRs.

Step 4: Merge Approved PRs

Use mcp__github__merge_pull_request with merge_method: squash. If the merge fails, note the failure and continue.

Step 5: Report Results

After processing all PRs, produce a summary table showing merged, approved-pending, flagged, and errored PRs.

Important Notes

• Never force-merge.
• Respect branch protection rules.
• Go module PRs may need go mod tidy after merge.
• Process oldest-first to avoid dependency tree conflicts.
• Security-labeled PRs should be prioritized; treat security patch/minor bumps as Low risk if CI passes.