Auto-analyze dependency-update PRs with Claude #6926

Merged: AmitPhulera merged 3 commits into master from ap/claude-dependabot-review on Jun 26, 2026

@AmitPhulera

Contributor
Environments Affected

None

Summary

Adds a GitHub Actions workflow that runs a Claude analysis on dependency-update PRs and posts a single review comment summarizing changelogs, breaking changes, migration notes, and likely codebase impact under src/commcare_cloud/.

This mirrors the equivalent workflow in commcare-hq, adapted to commcare-cloud's stack (uv for Python, plus the github-actions ecosystem; no JS).

How it triggers

  • Automatically on any PR opened by dependabot[bot] (including the security-update PRs we already receive).
  • Manually from the Actions tab via workflow_dispatch, passing a PR number — so we can run it on hand-written dependency-upgrade PRs too.

No dependabot.yml is added: this only consumes existing Dependabot PRs and manual triggers, and does not change our dependency-update policy.

Requirements

The ANTHROPIC_API_KEY repo secret must be configured for the workflow to run.

🤖 Generated with Claude Code

Runs a Claude analysis on dependency-update PRs (Dependabot or
manually triggered) that posts a single comment summarizing
changelogs, breaking changes, and codebase impact for the team.
Covers the uv (Python) and github-actions ecosystems.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@AmitPhulera AmitPhulera requested review from gherceg and millerdev June 26, 2026 14:17
@AmitPhulera AmitPhulera marked this pull request as ready for review June 26, 2026 14:17
Comment thread .github/workflows/claude-dependabot.yml Outdated

on:
pull_request:
types: [opened, synchronize]
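Review bot: the `pull_request` trigger at `types: [opened, synchronize]` is not limited to Dependabot in these lines, so the author check has to sit in a job-level `if:`. Gate on `github.event.pull_request.user.login == 'dependabot[bot]'` rather than `github.actor`, because on `synchronize` the actor is whoever pushed the commit. Also note that `pull_request` runs started by Dependabot read secrets from the Dependabot secret store and not from Actions secrets, so `ANTHROPIC_API_KEY` has to be defined there for the automatic path to work.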

Member


What is the rationale for having synchronize here? I know we have this set in hq as well, but the same question probably applies for me there. Dependabot opens a new PR if a new version is released, and I don't think we want Claude to do a full analysis if we push a commit to an existing PR to resolve a breaking change, right? Or am I missing something here?

Contributor Author


Good point. I thought earlier that it might be useful when we push fixup commits, but your point makes sense. Nothing major would probably change in the commits that we will make, so a re-review would not make sense; even if it does, we can manually trigger it. Updating it.


Comment thread .github/workflows/claude-dependabot.yml Outdated
echo "ref=$REF" >> $GITHUB_OUTPUT

- name: Checkout code
uses: actions/checkout@v4
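Review bot: `uses: actions/checkout@v4` pins the action to a mutable tag; in a workflow that holds an API key and can comment on PRs, pin each action to a full commit SHA and keep the version in a trailing comment so Dependabot can still bump it. Separately, quote the redirect target in the line above, `echo "ref=$REF" >> "$GITHUB_OUTPUT"`, so the write does not depend on the path being free of spaces or glob characters.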

Member


I think the latest version of checkout is v7.


@AmitPhulera AmitPhulera merged commit fbae956 into master Jun 26, 2026
7 checks passed
@AmitPhulera AmitPhulera deleted the ap/claude-dependabot-review branch June 26, 2026 17:34