# Prepare Security PRs

## Overview

Triage and prepare automated dependency PRs for merge with minimal risk:

- identify dependency bot PRs that actually need intervention
- resolve comments/check failures only when needed
- refresh stale branches safely
- detect superseded PRs
- keep diffs minimal and dependency-focused
## Inputs

- `owner/repo`
- `bot_filters` (optional list, example: `dependabot[bot]`, `renovate[bot]`, `snyk-bot`)
- `stale_threshold` (default: `behind_by > 50`)
- `test_depth` (`none`, `targeted`, `full`; default: `targeted`)
- `allow_branch_rewrite` (`true`/`false`, default: `false`)
## Safety rules

- Only touch PRs that are clearly dependency-update PRs.
- Never introduce unrelated code changes.
- Prefer the smallest possible diff (manifest + lockfile only when possible).
- Never force-push unless branch cleanup (`allow_branch_rewrite`) is explicitly enabled.
- If force-push is needed, use `--force-with-lease` only.
- If a PR is superseded by base branch versions, recommend closing.
- If uncertain, report and ask before risky actions.
## How to identify dependency bot PRs

Use one or more signals:

- PR author matches a configured bot account.
- PR title matches common patterns: `Bump`, `Upgrade`, `Security update`.
- Labels include dependency/security labels.
- Files changed are mostly dependency manifests/lockfiles.
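The four signals above as a small scoring function, added here as an example and not part of the skill file. In practice the author, title, labels and changed files would come from `gh pr view --json`; here they are passed as arguments so the script runs offline. The manifest/lockfile name list, the "mostly" threshold of 80% and the requirement that at least two signals match (`MIN_SIGNALS`) are assumptions, not values from the skill.

```shell
#!/bin/sh
# Added example: score the identification signals for one PR.
# Assumptions: manifest name list, 80% "mostly manifests" cut-off, MIN_SIGNALS=2.
set -eu

BOT_FILTERS="${BOT_FILTERS:-dependabot[bot],renovate[bot],snyk-bot}"   # bot_filters input
MIN_SIGNALS="${MIN_SIGNALS:-2}"                                           # assumption

# is_manifest <path> -> 0 when the basename is a dependency manifest or lockfile
is_manifest() {
  case "${1##*/}" in
    package.json|package-lock.json|yarn.lock|pnpm-lock.yaml|\
    requirements*.txt|pyproject.toml|poetry.lock|Pipfile|Pipfile.lock|\
    go.mod|go.sum|Cargo.toml|Cargo.lock|Gemfile|Gemfile.lock|\
    pom.xml|build.gradle|build.gradle.kts|gradle.lockfile|composer.json|composer.lock)
      return 0 ;;
    *) return 1 ;;
  esac
}

# manifest_share <space-separated paths> -> prints the percentage of paths that are manifests
manifest_share() {
  total=0; hits=0
  for f in $1; do
    total=$((total + 1))
    if is_manifest "$f"; then hits=$((hits + 1)); fi
  done
  if [ "$total" -eq 0 ]; then echo 0; else echo $((hits * 100 / total)); fi
}

# dependency_pr_score <author> <title> <comma-separated labels> <space-separated files>
# -> prints how many of the four signals match (0..4)
dependency_pr_score() {
  author=$1; title=$2; labels=$3; files=$4
  score=0
  # signal 1: author is one of the configured bot accounts
  case ",$BOT_FILTERS," in *",$author,"*) score=$((score + 1)) ;; esac
  # signal 2: title follows a common dependency-update pattern
  case "$title" in Bump*|Upgrade*|*[Ss]ecurity" update"*) score=$((score + 1)) ;; esac
  # signal 3: dependency/security label present
  case ",$labels," in *,dependencies,*|*,security,*) score=$((score + 1)) ;; esac
  # signal 4: changed files are mostly manifests/lockfiles
  if [ "$(manifest_share "$files")" -ge 80 ]; then score=$((score + 1)); fi
  echo "$score"
}

# is_dependency_pr <author> <title> <labels> <files> -> 0 when enough signals match
is_dependency_pr() {
  [ "$(dependency_pr_score "$@")" -ge "$MIN_SIGNALS" ]
}
```

A PR that passes only on its title (anyone can name a branch "Bump ...") is rejected by the two-signal rule; a bot-authored PR whose diff is mostly application code still scores below the threshold once the file signal fails, which is the "exclude feature/fix PRs" step of the workflow.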
## Workflow

- Discover candidate PRs:

  ```bash
  gh pr list --repo <owner/repo> --state open --limit 200 \
    --json number,title,url,author,labels,headRefName,baseRefName,updatedAt,mergeable,mergeStateStatus,reviewDecision
  ```

- Filter to dependency-update PRs
  - Keep PRs that match the identification signals.
  - Exclude feature/fix PRs.
- Gather health signals per PR
  - CI checks status
  - Actionable review comments
  - Ahead/behind vs base
  - Net diff scope (dependency-only or not)
  - Whether the update is already superseded in base
- Classify each PR
  - `ready`: mergeable, no actionable feedback, checks green/pending
  - `needs_fix`: failing checks, review-requested fixes, bad constraints, missing lockfile
  - `stale`: high `behind_by` or frequent base conflicts
  - `superseded`: base already has the same/newer secure version
  - `noisy_history`: huge PR UI diff but tiny net merge diff
- Act only where needed
  - For `needs_fix`: apply the minimal fix, update the lockfile conservatively, run tests, push, comment.
  - For `stale`: refresh from base, verify the diff remains dependency-only, push, comment.
  - For `superseded`: do not patch; comment a recommendation to close.
  - For `noisy_history`: if rewrite is allowed, rebuild the branch from the current base with only the intended dependency patch, create one clean commit, force-push with lease, comment.
- Validation strategy
  - Use repo-appropriate commands.
  - Prefer targeted tests first for the upgraded package's impact.
  - Run the full suite only when requested or risk is high.
  - Include the command and a result summary in the PR note.
- Final report format: for each dependency PR, return
  - PR number and URL
  - classification
  - action taken (or no action)
  - commit SHA (if updated)
  - mergeability/check state
  - recommendation: merge, wait for CI, close superseded, or manual review
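The two branch-maintenance actions of the workflow, the `stale` refresh (no rewrite, merge commit, normal push) and the `noisy_history` rebuild (one clean commit, `--force-with-lease`), as shell functions. This is an added example, not the skill's own tooling. It assumes a remote name, base branch, bot branch and the space-separated list of manifest/lockfile paths the update is meant to touch are passed in; both paths refuse to push when the net diff against base touches anything outside that list.

```shell
#!/bin/sh
# Added example: the "stale" refresh and the "noisy_history" rebuild paths.
# Assumed arguments: <remote> <base branch> <bot branch> "<allowed manifest/lockfile paths>".
set -eu

# diff_is_dependency_only <changed paths, whitespace-separated> <allowed paths, space-separated>
# -> 0 when every changed path is in the allowed set, 1 otherwise (offenders go to stderr).
diff_is_dependency_only() {
  changed=$1
  allowed=" $2 "
  bad=0
  for f in $changed; do
    case "$allowed" in
      *" $f "*) ;;
      *) echo "unexpected file in diff: $f" >&2; bad=1 ;;
    esac
  done
  return "$bad"
}

# stale PR with allow_branch_rewrite=false: bring base into the branch with a merge commit,
# confirm the net diff is still dependency-only, then push without force.
refresh_stale_branch() {
  remote=$1; base=$2; head=$3; allowed=$4
  git fetch "$remote" "$base" "$head"
  git checkout -B "$head" "$remote/$head"
  git merge --no-edit "$remote/$base"          # a conflict aborts here (set -e): report, do not guess
  diff_is_dependency_only "$(git diff --name-only "$remote/$base...$head")" "$allowed"
  git push "$remote" "$head"
}

# noisy_history PR with allow_branch_rewrite=true: one clean commit on the current base.
rebuild_dependency_branch() {
  remote=$1; base=$2; head=$3; allowed=$4
  git fetch "$remote" "$base" "$head"
  patch=$(mktemp)
  # net change of the bot branch since its merge-base, restricted to the intended files
  git diff "$remote/$base...$remote/$head" -- $allowed > "$patch"
  git checkout -B "$head" "$remote/$base"
  git apply --index "$patch"                   # fails on lockfile drift: regenerate the lockfile instead
  diff_is_dependency_only "$(git diff --cached --name-only)" "$allowed"
  git commit -m "chore(deps): rebuild dependency update on current $base"
  git push --force-with-lease "$remote" "$head"   # lease rejects the push if the remote moved since the fetch
  rm -f "$patch"
}

# Usage with assumed values (branch name constructed for illustration):
# refresh_stale_branch origin main dependabot/npm_and_yarn/lodash-4.17.21 "package.json package-lock.json"
# rebuild_dependency_branch origin main dependabot/npm_and_yarn/lodash-4.17.21 "package.json package-lock.json"
```

The three-dot diff (`base...head`) is what makes the rebuild safe: it captures only what the bot branch changed since it diverged, so files the base has since touched are not re-applied on top of it. The allowlist check runs before any push in both paths, which is the "never introduce unrelated code changes" rule enforced mechanically rather than by inspection.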
## Heuristics (defaults)

- stale if `behind_by > 50`
- mildly behind (`<= 25`) is usually acceptable unless checks/reviews fail
- superseded if base already includes the same/newer target dependency version
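The classification step of the workflow and the heuristics above, combined into one decision function. This is an added example, not part of the skill file. `STALE_THRESHOLD` takes the skill's default of 50; the commit-count and net-file cut-offs for `noisy_history`, the version comparison (numeric dotted versions, pre-release suffixes dropped) and the input encoding (`gh`'s `mergeable` values, a three-state check summary) are assumptions.

```shell
#!/bin/sh
# Added example: one decision function over the gathered health signals.
# Assumptions: NOISY_* thresholds, numeric dotted versions, check state as green|pending|failing.
set -eu

STALE_THRESHOLD="${STALE_THRESHOLD:-50}"   # from the skill: stale if behind_by > 50
NOISY_COMMITS="${NOISY_COMMITS:-20}"       # assumption: this many commits counts as "huge PR UI"
NOISY_NET_FILES="${NOISY_NET_FILES:-3}"    # assumption: this few net files counts as "tiny net diff"

# version_ge <a> <b> -> 0 when dotted numeric version a >= b (compares up to four components).
# Pre-release/build suffixes such as -rc1 or +meta are dropped (assumption).
version_ge() {
  a="${1%%[-+]*}..."   # pad with dots so every component lookup below yields a field
  b="${2%%[-+]*}..."
  i=1
  while [ "$i" -le 4 ]; do
    pa=$(printf '%s' "$a" | cut -d. -f"$i"); pa=${pa:-0}
    pb=$(printf '%s' "$b" | cut -d. -f"$i"); pb=${pb:-0}
    [ "$pa" -gt "$pb" ] && return 0
    [ "$pa" -lt "$pb" ] && return 1
    i=$((i + 1))
  done
  return 0   # all compared components equal
}

# classify_pr <mergeable> <checks> <actionable_comments> <behind_by> <commits> <net_files> <base_version> <target_version>
#   mergeable: MERGEABLE | CONFLICTING | UNKNOWN (gh's mergeable field)
#   checks:    green | pending | failing
# Prints exactly one of: superseded needs_fix stale noisy_history ready
classify_pr() {
  mergeable=$1; checks=$2; comments=$3; behind=$4; commits=$5; net_files=$6; base_ver=$7; target_ver=$8
  # superseded is decided first: if base already ships the target version nothing should be patched
  if version_ge "$base_ver" "$target_ver"; then echo superseded; return 0; fi
  # failing checks or open review requests need a fix regardless of how far behind the branch is
  if [ "$checks" = failing ] || [ "$comments" -gt 0 ]; then echo needs_fix; return 0; fi
  # mildly behind is acceptable (handled above); past the threshold or conflicting means refresh
  if [ "$behind" -gt "$STALE_THRESHOLD" ] || [ "$mergeable" = CONFLICTING ]; then echo stale; return 0; fi
  # many commits but a tiny net diff: a rewrite candidate, only if allow_branch_rewrite is set
  if [ "$commits" -ge "$NOISY_COMMITS" ] && [ "$net_files" -le "$NOISY_NET_FILES" ]; then echo noisy_history; return 0; fi
  echo ready
}
```

The order of the tests is the point: `superseded` is checked before anything else so that no effort goes into fixing a PR that should be closed, and `needs_fix` is checked before `stale` so that a mildly-behind branch with failing checks is reported as needing a fix rather than a refresh, matching the "unless checks/reviews fail" heuristic.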
## Definition of done

- only necessary dependency PRs were modified
- each modified PR has a clear update comment
- no unrelated files were changed
- final summary gives merge-ready guidance PR-by-PR