generated from coulomb/repo-seed
Pattern: Dependency Update Bot
Status: seed
Readiness target: RL2 private beta
Primary owners: product repos
Genesis family: Supply chain
Problem
Without a repeatable intake and test path, dependency updates go stale, each update becomes a risky manual change, and versions with known vulnerabilities stay in use longer than they need to.
Context
Use this pattern for every kind of dependency a repository pins: application dependencies, container base images, GitHub Actions, Helm charts, Terraform providers, and platform tools.
Forces
- Automated updates shorten the window during which a repository runs a version with a known vulnerability.
- One pull request per dependency per bump produces noise that overwhelms reviewers and gets the bot ignored or disabled.
- Security updates need priority over routine version bumps so they are not buried in the queue.
- Tests on the update PR must catch compatibility breakage before merge, or the bot becomes a source of outages.
Solution
Run an update bot (Dependabot, Renovate, or equivalent) that opens pull requests automatically, with grouping rules that batch routine bumps into one PR, security updates opened separately and first, CI test gates that must pass before merge, a named review owner per ecosystem, and release notes or changelog links in the PR body so the reviewer can judge the change.
Verification
- Every manifest in the dependency inventory (application manifests, Dockerfiles, workflow files, charts, Terraform) is covered by an update-automation entry; gaps are listed rather than assumed away.
- Security updates are surfaced ahead of routine bumps and are visibly distinguishable from them.
- Each update PR runs the tests relevant to the changed dependency, and the merge is gated on them.
- Every deferred or ignored update records an owner and a reason, so it can be revisited rather than forgotten.
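The first verification item above, and the grouping rule in the Solution, can both be checked mechanically. The following is an added example, not part of the repo-seed pattern or of Dependabot itself: it walks a list of repo-relative paths, maps each manifest to the `package-ecosystem` name Dependabot uses, and diffs that against the `updates:` entries of a `.github/dependabot.yml`. The manifest table, the sample tree and the sample config are all constructed for the example; the config dict is shaped the way `yaml.safe_load` would return it. Helm charts are flagged separately because Dependabot has no Helm ecosystem, which is exactly the kind of inventory gap the check is meant to surface.

```python
"""Coverage check for dependency-update automation (added example, not repo-seed code)."""
from __future__ import annotations

import fnmatch
import os
import posixpath
import sys

# Manifest pattern -> ecosystem name as used by Dependabot's package-ecosystem key.
# Patterns containing "/" are matched against the repo-relative path, the rest
# against the file name. This table is a hypothetical subset for the example.
MANIFEST_ECOSYSTEMS = {
    "package.json": "npm",
    "package-lock.json": "npm",
    "requirements*.txt": "pip",
    "pyproject.toml": "pip",
    "go.mod": "gomod",
    "Dockerfile": "docker",
    ".github/workflows/*.yml": "github-actions",
    ".github/workflows/*.yaml": "github-actions",
    "*.tf": "terraform",
    "Chart.yaml": "helm",
}
# Ecosystems the pattern lists but Dependabot does not update; they need another
# tool (for example Renovate) and are reported instead of being counted as covered.
NOT_IN_DEPENDABOT = {"helm"}


def ecosystem_for(path: str) -> str | None:
    """Return the ecosystem a manifest belongs to, or None if it is not a manifest."""
    path = path.replace(os.sep, "/")
    name = posixpath.basename(path)
    for pattern, eco in MANIFEST_ECOSYSTEMS.items():
        target = path if "/" in pattern else name
        if fnmatch.fnmatch(target, pattern):
            return eco
    return None


def dependabot_directory(path: str, eco: str) -> str:
    """Directory key Dependabot expects for this manifest ("/" plus the parent dir)."""
    if eco == "github-actions":
        return "/"  # workflow files are declared with directory "/"
    return "/" + posixpath.dirname(path.replace(os.sep, "/"))


def coverage_report(config: dict, paths: list[str]) -> dict:
    """Diff manifests found in the tree against the updates: entries of dependabot.yml."""
    needed: set[tuple[str, str]] = set()
    unsupported: list[str] = []
    for p in sorted(paths):
        eco = ecosystem_for(p)
        if eco is None:
            continue
        if eco in NOT_IN_DEPENDABOT:
            unsupported.append(p)
        else:
            needed.add((eco, dependabot_directory(p, eco)))
    entries = config.get("updates", [])
    declared = {(e["package-ecosystem"], e.get("directory", "/")) for e in entries}
    # An entry without groups opens one PR per dependency: the noise the Forces warn about.
    ungrouped = sorted(
        (e["package-ecosystem"], e.get("directory", "/")) for e in entries if not e.get("groups")
    )
    return {
        "uncovered": sorted(needed - declared),      # manifests nobody updates
        "stale_entries": sorted(declared - needed),  # config for manifests that no longer exist
        "unsupported": unsupported,                  # needs a tool other than Dependabot
        "ungrouped": ungrouped,                      # will generate PR noise
    }


def walk_repo(root: str) -> list[str]:
    """List repo-relative files, skipping .git and vendored node_modules."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in (".git", "node_modules")]
        found.extend(os.path.relpath(os.path.join(dirpath, f), root) for f in filenames)
    return found


# Constructed sample tree and dependabot.yml (parsed form); not a real repository.
SAMPLE_PATHS = [
    "package.json", "package-lock.json", "Dockerfile", "go.mod",
    ".github/workflows/ci.yml", "infra/main.tf", "charts/app/Chart.yaml",
    "services/api/Dockerfile", "README.md",
]
SAMPLE_CONFIG = {
    "version": 2,
    "updates": [
        {"package-ecosystem": "npm", "directory": "/", "schedule": {"interval": "weekly"},
         "groups": {"minor-and-patch": {"update-types": ["minor", "patch"]}},
         "labels": ["dependencies"]},
        {"package-ecosystem": "docker", "directory": "/", "schedule": {"interval": "weekly"}},
        {"package-ecosystem": "github-actions", "directory": "/",
         "schedule": {"interval": "weekly"}, "groups": {"actions": {"patterns": ["*"]}}},
    ],
}

if __name__ == "__main__":
    report = coverage_report(SAMPLE_CONFIG, SAMPLE_PATHS)
    for key, items in report.items():
        print(f"{key}: {items}")
    sys.exit(1 if report["uncovered"] else 0)
```

On the sample, `go.mod`, `infra/main.tf` and `services/api/Dockerfile` come back as uncovered, the chart as unsupported, and the root `docker` entry as ungrouped. Against a real repository, pass `walk_repo(".")` and `yaml.safe_load(open(".github/dependabot.yml"))` instead of the samples and wire the non-zero exit into CI. Two caveats the check cannot cover: Dependabot security updates are switched on per repository in the code-security settings rather than in `dependabot.yml`, so the "security updates surfaced with priority" item still needs a manual or API check; and the manifest table must be kept in step with whatever the repository actually pins, or the check will report a clean tree that is not.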
Related Patterns
- Protected Main Branch.
- SBOM-per-Release.
- Quarantined Build Runner.
- Supply-Chain Provenance.