From claudius
Bulk-process open dependabot PRs: audit each dependency, comment findings, merge if CI green, request rebase on conflicts or CI failures. Use to merge dependabot PRs, process dependency bumps, auto-merge bot PRs, or handle dependabot backlog.
How this skill is triggered — by the user, by Claude, or both
Slash command
/claudius:dependabot-merge

This skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Audit, comment, and merge open dependabot PRs in a repository. Each PR gets a security review via the `review-dependency` skill, a comment with findings, and — if safe — a squash merge.
Argument: $ARGUMENTS — optional filter (e.g., golang, docker, npm). If empty, process all open dependabot PRs.
Prerequisites:
- ghsudo installed for write operations (pip install ghsudo)
- mcp__plugin_claudius_github__* tools
- review-dependency skill available

Search for open PRs authored by app/dependabot:

```bash
gh pr list --repo <owner>/<repo> --author 'app/dependabot' \
  --json number,title,statusCheckRollup,mergeable --limit 50
```
Extract for each PR: number, title, CI status (which checks passed/failed), and mergeable state.
If $ARGUMENTS is set, filter PRs whose title contains the filter string.
Before spawning worktree agents:
```bash
git log @{upstream}..HEAD --oneline
```

If unpushed commits exist, alert the user and stop. Worktree agents fork from the remote state, so unpushed local commits will be missing. If no upstream is configured, use `git log origin/$(git branch --show-current)..HEAD` as a fallback.
Sort PRs into three groups:
| Group | Condition | Action |
|---|---|---|
| Green | All CI checks passed + MERGEABLE | Audit, Comment, Merge |
| Red | CI failures + MERGEABLE | Audit, Comment, @dependabot rebase |
| Conflicting | CONFLICTING mergeable state | Comment conflict notice, @dependabot rebase |
Present the classification table to the user and ask for confirmation before proceeding.
For each PR, the coordinator pre-creates an isolated worktree (see grand-admiral § Worktree Isolation — the isolation flag is unreliable for run_in_background spawns) and spawns a background agent that cd's into it as its FIRST action:

```
Agent(
  mode: "bypassPermissions",
  run_in_background: true,
  prompt: "cd <pre-created worktree abs-path> first, then review the dependabot PR ..."
)
```
Set model per spawn: sonnet for routine version bumps; opus for crypto / auth / network / parser / deserialization libraries or unusually large diffs.
Agent prompt must include ALL of:
- the repository: <owner>/<repo>
- Audit: run the review-dependency skill with the PR number as argument
- Comment: post findings with mcp__plugin_claudius_github__add_issue_comment (include attribution footer)
- Merge (Green PRs): ghsudo gh pr merge <number> --repo <owner>/<repo> --squash
- Rebase (Red PRs): post a @dependabot rebase comment, then enter the Rebase Watch Loop (step 5a)

Spawn all agents in a single message for maximum parallelism.
As agents complete, check their results. Agents may be blocked from GitHub write operations by hooks. For blocked agents:
After posting @dependabot rebase, poll until the rebase lands and CI completes (or timeout).
```bash
gh pr view --repo <owner>/<repo> <number> --json headRefOid,statusCheckRollup,mergeable
```

| Condition | Action |
|---|---|
| headRefOid changed + all checks SUCCESS + mergeable == MERGEABLE | Squash merge via ghsudo gh pr merge |
| headRefOid changed + any check FAILURE | Report as CI Red after rebase — do NOT re-rebase |
| 15 min elapsed, HEAD unchanged | Report as Rebase Timeout |
| Merge attempt fails (race, new conflict) | Report as Merge Failed after rebase |
On successful merge, report as Merged after rebase.
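The two decision tables above (the Green / Red / Conflicting classification and the Rebase Watch Loop) as plain functions, added here as an example; this is not the claudius skill's own code. `classify` takes the output of `gh pr list --json number,title,statusCheckRollup,mergeable`, and `watch_rebase` polls after `@dependabot rebase` with the fetch, merge and clock injected so it runs offline. The rollup shape is assumed to be gh's (CheckRun entries with `status`/`conclusion`, StatusContext entries with `state`); the PR numbers, titles and check results are constructed. A fourth bucket, Pending, is an addition not in the table: checks still running or mergeability UNKNOWN, which must be neither merged nor rebased yet.

```python
"""Added example, not the claudius skill's own code: the skill's two decision
tables as functions. Rollup shape assumed to match gh's JSON output; all PR
data below is constructed."""

PASSING = {"SUCCESS", "NEUTRAL", "SKIPPED"}
NOT_DONE = {"PENDING", "EXPECTED"}  # StatusContext states that are not final


def check_outcome(item):
    """'pass', 'fail' or 'pending' for one statusCheckRollup entry."""
    if item.get("__typename") == "StatusContext":
        state = item.get("state", "PENDING")
        if state in NOT_DONE:
            return "pending"
        return "pass" if state in PASSING else "fail"
    if item.get("status") != "COMPLETED":  # CheckRun still QUEUED / IN_PROGRESS
        return "pending"
    return "pass" if item.get("conclusion") in PASSING else "fail"


def ci_status(rollup):
    """'green' only if every check completed and passed. No checks at all is
    'pending': a repo without CI must never be auto-merged as 'green'."""
    outcomes = {check_outcome(i) for i in rollup or []} or {"pending"}
    if "fail" in outcomes:
        return "red"
    return "pending" if "pending" in outcomes else "green"


def classify(prs, title_filter=""):
    """Group PRs as in the skill's table; filter is a case-insensitive title
    substring (e.g. 'golang'). Pending is the added bucket: checks still
    running or mergeability UNKNOWN, so neither merge nor rebase yet."""
    groups = {"Green": [], "Red": [], "Conflicting": [], "Pending": []}
    for pr in prs:
        if title_filter and title_filter.lower() not in pr["title"].lower():
            continue
        ci = ci_status(pr.get("statusCheckRollup"))
        if pr["mergeable"] == "CONFLICTING":
            group = "Conflicting"  # conflict notice + @dependabot rebase
        elif pr["mergeable"] != "MERGEABLE" or ci == "pending":
            group = "Pending"
        else:
            group = "Green" if ci == "green" else "Red"
        groups[group].append(pr["number"])
    return groups


def watch_rebase(fetch, merge, head_before, *, now, sleep, timeout_s=900, interval_s=60):
    """Rebase Watch Loop after posting `@dependabot rebase`.
    fetch() -> dict as from `gh pr view --json headRefOid,statusCheckRollup,mergeable`
    merge() -> True on success, False if GitHub refuses (race, new conflict).
    Returns one of the skill's result codes."""
    deadline = now() + timeout_s
    while True:
        pr = fetch()
        if pr["headRefOid"] != head_before:  # the rebase has landed
            ci = ci_status(pr.get("statusCheckRollup"))
            if ci == "red":
                return "CI_RED"  # report it; do NOT re-rebase
            if ci == "green" and pr["mergeable"] == "MERGEABLE":
                return "MERGED_AFTER_REBASE" if merge() else "MERGE_FAILED"
            # landed, but checks or mergeability still computing: keep polling
        if now() >= deadline:
            return "TIMEOUT"  # also if a landed rebase never finishes CI (assumption)
        sleep(interval_s)


# Constructed sample data in gh's shape (not real PRs).
OK = {"__typename": "CheckRun", "status": "COMPLETED", "conclusion": "SUCCESS"}
BAD = {"__typename": "CheckRun", "status": "COMPLETED", "conclusion": "FAILURE"}
RUNNING = {"__typename": "CheckRun", "status": "IN_PROGRESS", "conclusion": None}
SAMPLE_PRS = [
    {"number": 101, "title": "Bump golang.org/x/crypto from 0.17.0 to 0.21.0",
     "mergeable": "MERGEABLE", "statusCheckRollup": [OK, OK]},
    {"number": 102, "title": "Bump github.com/stretchr/testify from 1.8.4 to 1.9.0",
     "mergeable": "MERGEABLE", "statusCheckRollup": [OK, BAD]},
    {"number": 103, "title": "Bump alpine from 3.18 to 3.19 in /Dockerfile",
     "mergeable": "CONFLICTING", "statusCheckRollup": [OK]},
    {"number": 104, "title": "Bump axios from 1.6.0 to 1.6.8 in /web",
     "mergeable": "MERGEABLE", "statusCheckRollup": [OK, RUNNING]},
]


def scripted_watch(snapshots, merge_ok=True, timeout_s=900):
    """Drive watch_rebase over fixed poll results with a fake clock; the last
    snapshot repeats once the list is exhausted."""
    clock, polls, state = [0], iter(snapshots), {"last": snapshots[-1]}

    def fetch():
        state["last"] = next(polls, state["last"])
        return state["last"]

    return watch_rebase(fetch, lambda: merge_ok, "aaa111", now=lambda: clock[0],
                        sleep=lambda s: clock.__setitem__(0, clock[0] + s),
                        timeout_s=timeout_s)


if __name__ == "__main__":
    print(classify(SAMPLE_PRS))            # {'Green': [101], 'Red': [102], 'Conflicting': [103], 'Pending': [104]}
    print(scripted_watch([{"headRefOid": "bbb222", "mergeable": "MERGEABLE",
                           "statusCheckRollup": [OK]}]))  # MERGED_AFTER_REBASE
```

Two design points worth keeping when wiring this to real `gh` output: an empty rollup is treated as pending rather than green, so a repository with no CI never auto-merges, and a landed rebase whose checks are still running is polled again rather than reported, which is what keeps the loop from re-rebasing or timing out prematurely.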
After earlier PRs merge, later PRs may become unmergeable (conflicting go.sum, lock files, etc.). When a merge fails with "not mergeable":
- post @dependabot rebase on the PR

Present a summary table:
| PR | Dependency | Audit | Action | Result |
|---|---|---|---|---|
| #NNN | pkg old->new | Safe/Risk | Merged/Rebase/Skipped | OK/MERGED_AFTER_REBASE/CI_RED/TIMEOUT/MERGE_FAILED/WARN |
Include:
After completing all PRs, invoke claudius:lessons-learned skill if notable patterns emerged (flaky tests blocking merges, recurring merge conflicts, security concerns).
Every GitHub comment MUST end with:
<sub>🤖 Co-authored by [Claudius the Magnificent](https://github.com/lklimek/claudius) AI Agent</sub>
ghsudo notes:
- Use ghsudo for all write operations (merge, comment) when gh alone fails with 403/404.
- If ghsudo exits with code 2 (user denied), skip that PR and move on.
- If ghsudo exits with code 4 (no token), tell the user to run ghsudo --setup <org>.

Install the plugin: npx claudepluginhub lklimek/agents --plugin claudius