generated from coulomb/repo-seed
43 lines
1.0 KiB
Markdown
# Pattern: Dependency Update Bot

Status: seed
Readiness target: RL2 private beta
Primary owners: product repos
Genesis family: Supply chain

## Problem

Dependency updates become stale, risky, and manual when there is no
repeatable intake and test path.

## Context

Use this pattern for application dependencies, container base images,
GitHub Actions, Helm charts, Terraform providers, and platform tools.

## Forces

- Automated updates reduce known-vulnerability exposure.
- Update noise can overwhelm reviewers.
- Security updates need prioritization.
- Tests must catch compatibility breakage.

## Solution

Use automated dependency update pull requests with grouping rules,
security prioritization, test gates, review ownership, and release notes.

## Verification

- Dependency inventory is covered by update automation.
- Security updates are surfaced with priority.
- Update PRs run relevant tests.
- Deferred updates have owner and reason.
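
As an added example (not code from this pattern page or from any project it references), the following Python checker encodes the four verification items above against a constructed dependency inventory and set of update PRs, and orders PRs so that security updates are reviewed first, as the Solution section calls for. The data classes, field names and the `security` label are assumptions chosen for the example.

```python
from dataclasses import dataclass, field

# Constructed sample data: a dependency inventory, the ecosystems the update
# bot is configured for, and the update PRs it opened. Not data from the page.

@dataclass
class Dependency:
    name: str
    ecosystem: str  # npm, docker, github-actions, helm, terraform, ...

@dataclass
class UpdatePR:
    dependency: str
    security: bool = False      # update fixes a known vulnerability
    labels: set = field(default_factory=set)
    tests_ran: bool = False     # CI test gate executed on the PR
    deferred: bool = False      # reviewers chose not to merge for now
    owner: str = ""             # who owns the deferral
    reason: str = ""            # why it was deferred

def verify(inventory, automated_ecosystems, prs):
    """Return one finding per failed verification item; an empty list means all pass."""
    findings = []
    for dep in inventory:  # 1. inventory is covered by update automation
        if dep.ecosystem not in automated_ecosystems:
            findings.append(f"uncovered: {dep.name} ({dep.ecosystem})")
    for pr in prs:
        if pr.security and "security" not in pr.labels:   # 2. security surfaced with priority
            findings.append(f"unprioritized security update: {pr.dependency}")
        if not pr.tests_ran:                              # 3. update PRs run relevant tests
            findings.append(f"no test run: {pr.dependency}")
        if pr.deferred and not (pr.owner and pr.reason):  # 4. deferrals have owner and reason
            findings.append(f"deferral without owner/reason: {pr.dependency}")
    return findings

def prioritize(prs):
    """Review order: security updates first, then the rest in submission order."""
    return sorted(prs, key=lambda pr: 0 if pr.security else 1)

INVENTORY = [Dependency("lodash", "npm"), Dependency("nginx", "docker"),
             Dependency("actions/checkout", "github-actions"),
             Dependency("ingress-nginx", "helm")]
AUTOMATED = {"npm", "docker", "github-actions"}  # helm charts not yet wired up
PRS = [
    UpdatePR("nginx", tests_ran=True),
    UpdatePR("lodash", security=True, labels={"security"}, tests_ran=True),
    UpdatePR("actions/checkout", deferred=True, owner="", reason="major bump"),
]

if __name__ == "__main__":
    for finding in verify(INVENTORY, AUTOMATED, PRS):
        print(finding)
    print([pr.dependency for pr in prioritize(PRS)])
```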

## Related Patterns

- Protected Main Branch.
- SBOM-per-Release.
- Quarantined Build Runner.
- Supply-Chain Provenance.