Auto-resolve Dependabot alerts

A workflow that bumps vulnerable packages, runs tests, and auto-merges the PR if CI passes.

This example uses workflow stages to structure the work: bump packages, open a PR, move the issue when [DONE] is received, and terminate when the PR merges. Requires a GitHub App with write access to the repo.

What it does

  • Watches acme/app for Dependabot security advisories
  • Triggers on issues with dependencies + security labels
  • Agent bumps the package, runs the test suite
  • Opens a PR and sends [DONE] with the PR URL
  • Watches CI and PR activity after [DONE]
  • If tests fail, CI failure messages are injected back to the agent for retry

Issue tracker

```text
Settings -> Workspaces -> dependabot-workspace -> Issue Trackers
Add GitHub Issues:
  token: ${GITHUB_TOKEN}
  webhook secret: ${GITHUB_WEBHOOK_SECRET}
```

Workflow: dependabot-fix

```yaml
# .elasticclaw/workflows/dependabot-fix.yaml
schema_version: v1
name: dependabot-fix

trigger:
  github_issues:
    event: issue_labeled
    repositories:
      - acme/app
    states:
      - open
    labels:
      - dependencies
      - security
tags: [dependabot, security]
color: orange

stages:
  - id: working
    label: "Working"
    entry: true
    on_enter:
      inject: |
        Read CONTEXT.md, update the vulnerable dependency, run the tests,
        open a PR, and send [DONE] https://github.com/org/repo/pull/N.

  - id: pr_opened
    label: "PR Opened"
    triggers:
      - message_contains: "[DONE]"
    on_enter:
      move_issue: "closed"
      inject: |
        PR recorded. Watch CI and review feedback.

  - id: merged
    label: "Merged"
    triggers:
      - pr_merged: {}
    terminal: true
```

Stage behavior

ElasticClaw Server records PR URLs from the [DONE] message and can inject CI or review feedback while the agent remains alive.

Workspace: dependabot-workspace

A lightweight workspace focused on dependency management and test validation.

```yaml
# .elasticclaw/workspaces/dependabot-workspace/elasticclaw-config.yaml
name: dependabot-workspace
provider: daytona
llm_key: anthropic-prod
default_model: anthropic/claude-sonnet-4-6
repositories:
  - repo: acme/app
    permissions: write
tags: [dependabot, security]
color: orange
```

```markdown
# .elasticclaw/workspaces/dependabot-workspace/AGENTS.md
You are a security patch agent. Read CONTEXT.md, bump the vulnerable
package to the minimum safe version, run the test suite, and open a PR.
Do not change unrelated code. Send [DONE] <pr-url> when the PR is ready.
```

Retry loop on failure

If CI fails after the agent sends [DONE], ElasticClaw Server:

  1. Injects the failed check output as a user message
  2. The agent sees the failure and can push a fix commit
  3. CI re-runs, ElasticClaw Server watches again
  4. Repeat until CI passes or the agent gives up

The PR watcher behavior is tied to the workflow PR lifecycle, not to an elasticclaw-config.yaml field.
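The following is an added illustration, not ElasticClaw Server code, of the two behaviours described above: recording the PR URL from the `[DONE]` message (stage behavior) and feeding CI failures back to the agent while it stays in the `pr_opened` stage (retry loop). It models the three stages of the `dependabot-fix` workflow as a small state machine. The check that the recorded PR URL belongs to a repository listed in the trigger block (`acme/app`), and that it is a real pull-request URL rather than the `.../pull/N` placeholder from the prompt, is an assumption about what a careful server should do before it starts watching a PR; the page does not state how ElasticClaw validates the URL. All messages and CI output below are constructed sample values.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Repositories the workflow is allowed to act on (taken from the trigger block
# of dependabot-fix.yaml). Assumption: a PR URL outside this set is rejected.
ALLOWED_REPOS = {"acme/app"}

DONE_MARKER = "[DONE]"

# Only a real pull-request URL is accepted; the "pull/N" placeholder used in
# the on_enter prompt does not match because N is not a number.
PR_URL_RE = re.compile(
    r"^https://github\.com/(?P<owner>[A-Za-z0-9_.-]+)/"
    r"(?P<repo>[A-Za-z0-9_.-]+)/pull/(?P<num>\d+)$"
)


def extract_pr_url(message: str, allowed_repos=ALLOWED_REPOS) -> Optional[str]:
    """Return the PR URL from a '[DONE] <url>' message, or None when the
    message is not a well-formed DONE message for an allowed repository."""
    text = message.strip()
    if not text.startswith(DONE_MARKER):
        return None
    rest = text[len(DONE_MARKER):].strip()
    if not rest:
        return None
    # The URL is the first token after the marker; trailing prose and
    # sentence punctuation are ignored.
    url = rest.split()[0].rstrip(".,;)")
    m = PR_URL_RE.match(url)
    if m is None:
        return None
    if f"{m['owner']}/{m['repo']}" not in allowed_repos:
        return None
    return url


@dataclass
class WorkflowRun:
    """One run of the dependabot-fix workflow: working -> pr_opened -> merged."""
    stage: str = "working"          # entry stage from the workflow definition
    pr_url: Optional[str] = None
    ci_failures: int = 0
    injected: List[str] = field(default_factory=list)  # messages sent to the agent

    def on_agent_message(self, message: str) -> None:
        # message_contains "[DONE]" trigger: only valid while in 'working'.
        if self.stage != "working":
            return
        url = extract_pr_url(message)
        if url is None:
            return  # not a usable DONE message; keep waiting
        self.pr_url = url
        self.stage = "pr_opened"
        # on_enter inject text from the pr_opened stage
        self.injected.append("PR recorded. Watch CI and review feedback.")

    def on_ci_result(self, passed: bool, output: str = "") -> None:
        # Retry loop: a failed check is injected back as a user message while
        # the agent is still alive in 'pr_opened'.
        if self.stage != "pr_opened":
            return
        if not passed:
            self.ci_failures += 1
            self.injected.append(f"CI failed:\n{output}")

    def on_pr_merged(self) -> None:
        # pr_merged trigger moves the run to the terminal 'merged' stage.
        if self.stage == "pr_opened":
            self.stage = "merged"

    def is_terminal(self) -> bool:
        return self.stage == "merged"


def demo() -> WorkflowRun:
    """Drive one run through the full lifecycle with constructed events."""
    run = WorkflowRun()
    run.on_agent_message("Bumping lodash, running tests...")      # still working
    run.on_agent_message("[DONE] https://github.com/acme/app/pull/42")
    run.on_ci_result(False, "FAIL tests/test_utils.py::test_merge")  # injected
    run.on_ci_result(True)                                          # fix pushed, CI green
    run.on_pr_merged()
    return run


if __name__ == "__main__":
    r = demo()
    print(r.stage, r.pr_url, r.ci_failures)
```

Because `on_ci_result` only appends to `injected` and never changes the stage, the retry loop in the last section is exactly the server staying in `pr_opened` and re-injecting each failure until either CI passes or `pr_merged` arrives.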