Dependabot Support | GitHub Agentic Workflows

The gh aw compile --dependabot command scans workflows for runtime tools (npx, pip install, go install), generates dependency manifests (package.json, requirements.txt, go.mod), and configures Dependabot to monitor for updates.

Run gh aw compile --dependabot to compile all workflows and generate manifests in .github/workflows/.

Prerequisites: Node.js/npm is required for package-lock.json generation. Pip and Go manifests are generated without additional tools.

| Ecosystem | Manifest | Lock File |
| --- | --- | --- |
| npm | package.json | package-lock.json (via npm install --package-lock-only) |
| pip | requirements.txt | - |
| Go | go.mod | - |

All ecosystems update .github/dependabot.yml with weekly update schedules. Existing configurations are preserved; only missing ecosystems are added.

Handling Dependabot PRs


Correct workflow: Update source .md files, then recompile to regenerate manifests.

```bash
# Find affected workflows
grep -r "@playwright/test@1.41.0" .github/workflows/*.md

# Edit workflow .md files (change version)
# npx @playwright/test@1.41.0 → npx @playwright/test@1.42.0

# Regenerate manifests
gh aw compile --dependabot

# Commit (Dependabot auto-closes its PR)
git add .github/workflows/
git commit -m "chore: update @playwright/test to 1.42.0"
git push
```

Handling Transitive Dependencies (MCP Servers)


When Dependabot flags transitive dependencies (e.g., @modelcontextprotocol/sdk, hono from @sentry/mcp-server), update the shared MCP configuration instead:

```bash
# Locate the shared MCP config (e.g., .github/workflows/shared/mcp/sentry.md)
# Update the version in the args array:
# args: ["@sentry/mcp-server@0.27.0"] → args: ["@sentry/mcp-server@0.29.0"]

# Regenerate manifests
gh aw compile --dependabot

# Regenerate package-lock.json to pick up transitive dependency updates
cd .github/workflows && npm install --package-lock-only

# Commit changes
git add .github/workflows/
git commit -m "chore: update @sentry/mcp-server to 0.29.0"
git push
```

Why? The compiler generates package.json from the MCP server configurations in workflow files. Direct edits to package.json are overwritten on the next compilation.

AI Agent Prompt Template


```text
A Dependabot PR updated dependencies in .github/workflows/.

Fix workflow:
1. Identify which .md files reference the outdated dependency
2. Update versions in workflow files
3. Run `gh aw compile --dependabot` to regenerate manifests
4. Verify manifests match the Dependabot PR
5. Commit and push (Dependabot auto-closes)

Affected PR: [link]
Updated dependency: [name@version]
```

| Issue | Solution |
| --- | --- |
| package-lock.json not created | Install Node.js/npm from nodejs.org |
| Dependency not detected | Avoid shell variables (${TOOL}); use literal package names |
| Dependabot not opening PRs | Verify .github/dependabot.yml is valid YAML and manifest files exist |
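
A drift check for the rule that manifests are regenerated from the workflow sources rather than edited directly: if package.json is bumped without the source, Dependabot tracks a version the workflow does not run. It also flags the `${TOOL}` references from the table above. This is an added example, not part of gh aw; it covers only `npx` references, and the function names and the assumption that exact versions sit under `dependencies` in package.json are illustrative.

```python
import json
import re
import tempfile
from pathlib import Path

# `npx [flags] <spec>`: the raw spec is captured so variables can be flagged too.
NPX_RE = re.compile(r"\bnpx\s+(?:-\S+\s+)*(\S+)")
# Literal npm spec with an exact version: name@1.2.3 or @scope/name@1.2.3
PINNED_RE = re.compile(r"^((?:@[\w.-]+/)?[\w.-]+)@(\d+\.\d+\.\d+[\w.+-]*)$")


def check_sync(workflow_dir):
    """Return findings where workflow sources and package.json disagree."""
    root = Path(workflow_dir)
    # Assumption: pinned versions are written to "dependencies" as exact versions.
    deps = json.loads((root / "package.json").read_text()).get("dependencies", {})
    findings = []
    for md in sorted(root.rglob("*.md")):
        for raw in NPX_RE.findall(md.read_text(encoding="utf-8")):
            spec = raw.strip("\"'`")
            pinned = PINNED_RE.match(spec)
            if "$" in spec:
                findings.append(f"{md.name}: {spec} uses a shell variable")
            elif not pinned:
                findings.append(f"{md.name}: {spec} has no exact version")
            elif pinned.group(1) not in deps:
                findings.append(f"{md.name}: {pinned.group(1)} not in package.json")
            elif deps[pinned.group(1)] != pinned.group(2):
                findings.append(f"{md.name}: runs {spec}, package.json has "
                                f"{deps[pinned.group(1)]}")
    return findings


def demo():
    """Constructed tree: the manifest was bumped by hand, the source was not."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "e2e.md").write_text("npx @playwright/test@1.41.0 test\n")
        (root / "lint.md").write_text("npx ${TOOL}@1.0.0\nnpx -y prettier .\n")
        (root / "package.json").write_text(
            json.dumps({"dependencies": {"@playwright/test": "1.42.0"}}))
        return check_sync(root)


if __name__ == "__main__":
    print("\n".join(demo()))
```

The pattern matches any `npx` token in the file, so a prose mention of `npx` followed by a word is reported as an unpinned reference.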