🤖 AI Summary
A dev team automated the repetitive research phase for Dependabot pull requests by running an AI reviewer (Copilot CLI) inside GitHub Actions with access to the checked-out repo. Instead of manually grepping changelogs and usage sites and answering the same risk questions for ~100 outdated dependencies, the workflow feeds the AI an instruction file that asks it to answer a fixed refinement checklist (usage count across the monorepo, release-note highlights, test needs, breaking changes/codemods, etc.), include "receipts" for its findings, and output a review.md comment. Key technical details: the job checks out the repo, runs Copilot CLI (Node.js 22+), grants read-only repo access, allows search tools (grep/find/curl) but denies write and git push, and authenticates with a fine-grained Copilot PAT. The author also configured tool allow/deny flags and a model flag on the CLI to constrain its behavior.
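The least-privilege shape of that job is the security-relevant part, so here is an added GitHub Actions workflow sketch illustrating it. This is not the author's workflow: the instruction-file path, the secret name `COPILOT_PAT`, the environment variable the CLI reads the token from, and the exact spelling of the Copilot CLI `--allow-tool`/`--deny-tool`/`--model` arguments are assumptions to check against the current CLI docs. The design points it encodes are the ones the summary names: ephemeral runner, `contents: read` only, credentials not persisted into the checkout, search tools allowed, write and `git push` denied, and the comment posted by a separate step rather than by the AI.

```yaml
name: dependabot-refinement-research

on:
  pull_request:
    types: [opened, synchronize]

jobs:
  research:
    # Only run for Dependabot-authored PRs; everything else is skipped.
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest            # ephemeral hosted runner, discarded after the job
    permissions:
      contents: read                  # the AI step only ever needs a read-only checkout
      pull-requests: write            # used solely by the final "post comment" step
    steps:
      - uses: actions/checkout@v4
        with:
          # Do not leave GITHUB_TOKEN in .git/config where the CLI's shell tools could read it.
          persist-credentials: false

      - uses: actions/setup-node@v4
        with:
          node-version: 22            # Copilot CLI requires Node.js 22+

      - name: Install Copilot CLI
        run: npm install -g @github/copilot

      - name: Run the refinement checklist (read-only)
        env:
          # Assumed: fine-grained PAT scoped to Copilot only, stored as a repo secret.
          # The variable name the CLI reads is an assumption; confirm in the CLI docs.
          COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_PAT }}
          PR_URL: ${{ github.event.pull_request.html_url }}
        run: |
          # Assumed flag spellings. Intent: allow search/inspection tools, deny
          # anything that writes to disk or pushes, and pin the model explicitly.
          # stdout is captured by the shell, so the AI itself never needs a write tool.
          copilot -p "Follow .github/dependabot-refinement.md for PR $PR_URL" \
            --model claude-sonnet-4 \
            --allow-tool 'shell(grep)' \
            --allow-tool 'shell(find)' \
            --allow-tool 'shell(curl)' \
            --deny-tool 'write' \
            --deny-tool 'shell(git push)' \
            > review.md

      - name: Post review.md as a PR comment
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}   # default token, scoped by the permissions block above
        run: gh pr comment "${{ github.event.pull_request.number }}" --body-file review.md
```

Two points worth keeping when adapting this: the deny list is only as good as the tool surface the CLI exposes (a denied `git push` does not matter if another allowed tool can reach the network with credentials, which is why `persist-credentials: false` and a Copilot-only PAT matter), and the step that holds a write-capable token is the deterministic `gh` call, not the AI step, so a prompt-injected instruction inside a changelog cannot escalate beyond read access.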
This automated step cut research time by ~95%, averaging ~2 minutes per review and consuming one Copilot premium request per PR, so it scales well across monorepos and can be centralized in an internal Actions repo. The team validated the design with AppSec—ephemeral runners, read-only permissions, no secret exfiltration path, and no disk writes—so humans remain responsible for judgment while the AI handles data gathering. The result: faster, consistent dependency triage and fewer manual context switches, letting teams spend their time on risk-aware decisions instead of hunting for facts.