dependabot-pr-automation
// Reviews open Dependabot pull requests, assesses their risk level based on version bump type and CI status, approves low-risk PRs, and merges them. Use when asked to process, review, merge, or triage Dependabot PRs.
| Field | Value |
|---|---|
| name | dependabot-pr-automation |
| description | Reviews open Dependabot pull requests, assesses their risk level based on version bump type and CI status, approves low-risk PRs, and merges them. Use when asked to process, review, merge, or triage Dependabot PRs. |
| allowed-tools | ["Bash","Read","WebFetch","mcp__github__list_pull_requests","mcp__github__get_pull_request","mcp__github__get_pull_request_files","mcp__github__get_pull_request_status","mcp__github__create_pull_request_review","mcp__github__merge_pull_request"] |
This skill reviews open Dependabot pull requests, assesses their risk, approves safe ones, and merges them.
| Item | Value |
|---|---|
| Owner | chainloop-dev |
| Repo | chainloop |
Use mcp__github__list_pull_requests to fetch open PRs:
```
owner: chainloop-dev
repo: chainloop
state: open
```

Filter the results to only include PRs authored by dependabot[bot]. Collect each PR's number, title, head branch, and labels.
If there are no open Dependabot PRs, report that and stop.
For each Dependabot PR, determine the risk level using these criteria:
Dependabot PR titles follow the pattern: Bump <package> from <old-version> to <new-version>. Extract the old and new versions and classify the bump:
| Bump Type | Risk Level | Criteria |
|---|---|---|
| Patch (x.x.OLD → x.x.NEW) | Low | Only the patch segment changed |
| Minor (x.OLD.x → x.NEW.x) | Medium | The minor segment changed |
| Major (OLD.x.x → NEW.x.x) | High | The major segment changed |
Use mcp__github__get_pull_request_status to retrieve the CI check status for each PR. A PR is considered CI-passing only if all checks have concluded with a success state.
Use mcp__github__get_pull_request_files to review the files changed. Flag any PR that modifies unexpected files beyond dependency manifests (go.mod, go.sum, package.json, yarn.lock, Dockerfile*, .github/workflows/*).
| Version Bump | CI Passing | Only Manifest Files | Final Risk | Action |
|---|---|---|---|---|
| Patch | Yes | Yes | Low | Auto-approve and merge |
| Patch | No | Yes | Medium | Approve but do not merge |
| Minor | Yes | Yes | Medium | Auto-approve and merge |
| Minor | Yes | No | High | Do not approve |
| Minor | No | * | High | Do not approve |
| Major | * | * | High | Do not approve |
For GitHub Actions dependencies, patch and minor bumps with passing CI are rated Low risk.
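The risk assessment above (title parsing, bump classification, CI status, manifest-only check, and the decision matrix including the GitHub Actions rule) as an added, stand-alone Python example; it is not part of the skill's own code. It assumes a PR that touches only `.github/workflows/*` files is a GitHub Actions bump, and treats a patch bump with unexpected files as flagged, since the matrix has no row for that case.

```python
import re
from fnmatch import fnmatch

# Files a Dependabot PR is expected to touch (the skill's manifest allow-list).
MANIFEST_GLOBS = ("go.mod", "go.sum", "package.json", "yarn.lock",
                  "Dockerfile*", ".github/workflows/*")
TITLE_RE = re.compile(r"^Bump (?P<pkg>\S+) from (?P<old>\S+) to (?P<new>\S+)")


def _segments(version):
    """First three numeric segments of a version, zero-padded ('v4' -> [4, 0, 0])."""
    nums = [int(x) for x in re.findall(r"\d+", version)[:3]]
    return nums + [0] * (3 - len(nums))


def bump_type(old, new):
    """Classify the bump by the first segment that differs: major, minor or patch."""
    o, n = _segments(old), _segments(new)
    if o[0] != n[0]:
        return "major"
    if o[1] != n[1]:
        return "minor"
    return "patch"


def triage(title, ci_passing, changed_files):
    """Apply the skill's decision matrix; returns (bump, final_risk, action)."""
    m = TITLE_RE.match(title)
    if not m:
        return ("unknown", "High", "Do not approve")  # not a standard Dependabot title
    bump = bump_type(m["old"], m["new"])
    manifests_only = all(any(fnmatch(f, g) for g in MANIFEST_GLOBS)
                         for f in changed_files)
    # Assumption: a PR touching only workflow files is a GitHub Actions bump.
    is_actions = bool(changed_files) and all(
        fnmatch(f, ".github/workflows/*") for f in changed_files)
    if bump == "major" or not manifests_only:
        # Major bumps are High; unexpected files are flagged (no matrix row
        # exists for patch + unexpected files, so the flag rule applies).
        return (bump, "High", "Do not approve")
    if not ci_passing:
        # Patch with failing CI: approve, hold the merge. Minor: do not approve.
        if bump == "patch":
            return (bump, "Medium", "Approve but do not merge")
        return (bump, "High", "Do not approve")
    # CI passing, manifests only: patch is Low; minor is Medium unless it is a
    # GitHub Actions bump, which the skill rates Low.
    risk = "Low" if (bump == "patch" or is_actions) else "Medium"
    return (bump, risk, "Auto-approve and merge")
```

The titles and file lists in the test below are constructed sample inputs, not real PRs.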
Use mcp__github__create_pull_request_review with event: APPROVE for eligible PRs.
Use mcp__github__merge_pull_request with merge_method: squash. If the merge fails, note the failure and continue.
After processing all PRs, produce a summary table showing merged, approved-pending, flagged, and errored PRs.
Run go mod tidy after merge.