Skip to content

Dependency Management

Use dependency automation to keep workflow actions, containers, language packages, and IaC dependencies moving without turning every update into manual inventory work.

Forge does not require one tool. Pick the smallest tool that covers the repo.


Choose a Tool

Need Use Notes
GitHub-native security and version updates Dependabot Best first step for one repository.
GitHub Actions, Docker, Python, Terraform basics Dependabot Works with simple repo-local config.
Grouped updates, custom schedules, or many repos Renovate Better for platform teams and multi-repo ownership.
AMI, custom regex, HCL, or private registry logic Renovate Needs explicit config and usually a bot token.
Centralized dependency policy across many repos Renovate shared config Keep common rules in one config repo.

Do not let Dependabot and Renovate update the same dependency family in the same repository unless you intentionally split ownership.


Dependabot Starter

Create .github/dependabot.yml:

---
version: 2
updates:
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
    groups:
      github-actions:
        patterns:
          - '*'
    labels:
      - dependencies
      - github-actions

  - package-ecosystem: docker
    directory: /
    schedule:
      interval: weekly
    groups:
      docker:
        patterns:
          - '*'
    labels:
      - dependencies
      - docker

  - package-ecosystem: pip
    directory: /
    schedule:
      interval: weekly
    groups:
      python:
        patterns:
          - '*'
    labels:
      - dependencies
      - python

  - package-ecosystem: terraform
    directory: /
    schedule:
      interval: weekly
    groups:
      terraform:
        patterns:
          - '*'
    labels:
      - dependencies
      - terraform

Remove ecosystems that do not exist in the repo. For monorepos, add one entry per directory that contains dependency files.


Renovate Starter

Use Renovate when you need more control than Dependabot gives you.

Create renovate.json:

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:recommended",
    ":semanticCommits",
    ":semanticCommitScope(deps)",
    ":rebaseStalePrs"
  ],
  "dependencyDashboard": true,
  "labels": [
    "dependencies"
  ],
  "prHourlyLimit": 2,
  "schedule": [
    "before 5am on monday"
  ],
  "packageRules": [
    {
      "matchManagers": [
        "github-actions"
      ],
      "groupName": "github actions"
    },
    {
      "matchManagers": [
        "dockerfile",
        "docker-compose"
      ],
      "groupName": "container images"
    },
    {
      "matchManagers": [
        "terraform",
        "terragrunt"
      ],
      "groupName": "terraform and opentofu"
    }
  ]
}

Then add the Forge-runner workflow from Renovate Workflow Setup.


Required Review Gates

Use at least these checks before merging dependency PRs:

Change type Check
GitHub Actions Workflow lint or repository action policy check.
Terraform/OpenTofu/Terragrunt fmt, validate, policy scan, and plan.
Docker or runner image changes Build, scan, and smoke test.
Python or application packages Unit tests and dependency vulnerability scan.
Renovate config changes JSON validation and a Renovate dry run.

For pull requests, the dependency review workflow is a useful backstop:

---
name: Dependency Review

on:
  pull_request:
    branches:
      - main

permissions: {}

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      - uses: actions/dependency-review-action@v5
        with:
          comment-summary-in-pr: always

Pin action refs to approved SHAs when your repository policy requires it.


Operating Rules

  • Keep update PRs small enough to review.
  • Separate major upgrades from routine patch and minor updates.
  • Disable automerge until the repo has reliable tests and rollback.
  • Route dependency PRs to owners who understand the stack.
  • For IaC repos, never merge a dependency PR without a plan against the target environment.

Use Renovate Strategy when deciding between a central config and repo-local config.