Automated dependency management with security-first batch processing
Dependabot Secure Flow is a GitHub Action that automatically manages dependency updates through a secure, batched workflow. Instead of merging Dependabot PRs directly to main, this action:
- Auto-merges Dependabot PRs into a `securite` branch
- Validates builds and tests
- Batches multiple updates together
- Auto-generates changelog entries
- Creates a single PR to `main` for review

- Security-First: All updates are validated before reaching `main`
- Batch Processing: Multiple dependency updates are grouped together
- Auto-Correction: Failed builds automatically close problematic PRs
- Changelog Automation: Automatic timestamp and changelog updates
- Zero Configuration: Works out of the box with sensible defaults
Create `.github/workflows/dependabot-secure-flow.yml`:

```yaml
name: Dependabot Secure Flow
on:
  pull_request:
    types: [opened, synchronize]
    paths:
      - 'package.json'
      - 'package-lock.json'
  workflow_dispatch:
permissions:
  contents: write
  pull-requests: write
  issues: write
jobs:
  auto-merge-to-securite:
    uses: EthanThePhoenix38/dependabot-secure-flow/.github/workflows/dependabot-secure-flow.yml@main
    secrets: inherit
```

Create `.github/dependabot.yml`:

```yaml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 10
```

Define the build and test scripts the workflow runs in `package.json`:

```json
{
  "scripts": {
    "build": "echo 'Build step' && exit 0",
    "test": "echo 'Test step' && exit 0"
  }
}
```

The flow, end to end:

```mermaid
graph LR
    A[Dependabot PR] --> B{Build Valid?}
    B -->|Yes| C[Merge to securite]
    B -->|No| D[Close PR]
    C --> E[Batch with others]
    E --> F[Create PR to main]
    F --> G[Manual Review]
    G --> H[Merge to main]
```
- Dependabot creates a PR with dependency updates
- Workflow validates the build (`npm install && npm run build`)
- Auto-merge to `securite` if validation passes
- Close PR if validation fails (with label `skipped-vulnerability`)
- Batch updates accumulate in the `securite` branch
- Create PR to `main` for final review
- Update documentation (README timestamp, CHANGELOG)
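The validation step above, written out as a standalone gate script (an added example, not code from the dependabot-secure-flow action): it runs the test command, decides merge or close, and additionally checks that the PR author really is `dependabot[bot]` before anything is auto-merged. `PR_AUTHOR`, `PR_NUMBER`, `TEST_COMMAND` and `DRY_RUN` are assumed environment variable names, and the PR is assumed to already target the `securite` branch so that `gh pr merge` lands there.

```bash
#!/usr/bin/env bash
# Added example, not code from the dependabot-secure-flow action: the per-PR
# validation gate described above as a standalone script. Assumes `gh` and
# GITHUB_TOKEN are available when DRY_RUN is not "1"; PR_AUTHOR, PR_NUMBER and
# TEST_COMMAND are supplied by the calling workflow step (assumed names).
set -u
FAIL_LABEL="skipped-vulnerability"   # label the flow puts on closed PRs

# Only PRs authored by Dependabot itself are eligible for auto-merge; anything
# else pushed to a dependabot/* branch stays on the normal review path.
is_dependabot_pr() {
  [ "${1:-}" = "dependabot[bot]" ]
}

# Run the validation command in a subshell so its exit status, not the
# script's, decides the outcome. Prints "merge" or "close".
validate() {
  if ( eval "$1" ) >/dev/null 2>&1; then echo merge; else echo close; fi
}

# Full gate: "skip" for non-Dependabot PRs, otherwise the validate() verdict.
gate() {
  local author="$1" test_command="$2"
  if ! is_dependabot_pr "$author"; then echo skip; return 0; fi
  validate "$test_command"
}

# Apply a decision with the GitHub CLI. DRY_RUN=1 (the default) only reports.
apply() {
  local decision="$1" pr_number="$2"
  if [ "${DRY_RUN:-1}" = "1" ]; then
    echo "dry-run: $decision PR #$pr_number"
    return 0
  fi
  case "$decision" in
    merge) gh pr merge "$pr_number" --merge ;;   # lands on the PR's base (securite, assumed)
    close) gh pr edit "$pr_number" --add-label "$FAIL_LABEL" && gh pr close "$pr_number" ;;
    skip)  echo "PR #$pr_number is not from Dependabot; leaving it for manual review" ;;
  esac
}

# Entry point for a workflow step; nothing runs unless PR_NUMBER is set.
if [ -n "${PR_NUMBER:-}" ]; then
  apply "$(gate "${PR_AUTHOR:-}" "${TEST_COMMAND:-npm install && npm run build}")" "$PR_NUMBER"
fi
```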
- Node.js project with `package.json`
- `npm run build` script (can be a no-op: `echo 'No build'`)
- GitHub repository with Dependabot enabled
You can override the default behavior by modifying the workflow file:

```yaml
jobs:
  check-interdependencies:
    steps:
      - name: Auto-Correction & Validation
        run: |
          npm install --prefer-offline --no-audit
          npm run build
          npm test # Add your test command
```

Branches used by the flow:

- `main`: Production-ready code
- `securite`: Staging area for dependency updates
- `dependabot/*`: Temporary branches (auto-deleted after merge)
This action follows security best practices:
- No external dependencies (uses only GitHub Actions)
- Validates all updates before merging
- Auto-closes PRs that fail validation
- Requires manual review before reaching `main`
When the workflow runs successfully:

```text
Merged into securite branch for batch processing.
Updated CHANGELOG.md with timestamp
Created PR #42: chore: dependency updates batch
```
| Input | Description | Required | Default |
|---|---|---|---|
| `github-token` | Token to manage PRs (`GITHUB_TOKEN`) | Yes | N/A |
| `node-version` | Node.js version to use | No | 20 |
| `test-command` | Command to run for validation | No | `npm install && npm run build` |
Contributions are welcome! This action is maintained in the AI-Pulse repository and automatically synced here.
MIT License - see LICENSE for details
If this action helps secure your projects, support the development:
Your support helps fund the server and AI development! In exchange, I will add a link to your GitHub profile in the Contributors section.
You can also:
- Star this repository
- Report issues to help improve it
- Fork it to customize for your needs
https://thephoenixagency.github.io
Made with ❤️ by ThePhoenixAgency
