Automated dependency update PRs
Automated dependency updates have become mainstream, especially on GitHub via Dependabot. Depending on your repo and settings, you could be getting a constant flow of automated pull requests and be considering different approaches to reviewing and merging them.
![Dependabot pull request for code review](../img/CleanShot 2022-12-08 at email@example.com)
Dedicating a review team
If you want to dedicate a team to reviewing dependency PRs, there are a few different ways you can write team conditions to achieve it.
- Match the PR author:
pull.author == dependabot[bot]
- Match the labels:
"dependencies" in pull.labels
- Match the files:
"package.json" in pull.files or "yarn.lock" in pull.files
Each have their advantages, depending on whether you also want to match PRs that regular team members create that happen update dependencies too.
In some cases you may want to skip code review on these PRs. To do this, you'll probably want to write a phase condition as an easy way to skip all review teams at once. Using similar rules to the examples above, add a condition to your review phase:
![Code review rule to skip pull request review if authored by Dependabot](../img/CleanShot 2022-12-08 at firstname.lastname@example.org)
Note that you can use a very similar workflow for other automated dependency tools like Renovate or Deps.