Bulk-process open dependabot PRs: audit each dependency, comment findings, merge if CI green, request rebase on conflicts or CI failures. Use to merge dependabot PRs, process dependency bumps, auto-merge bot PRs, or handle dependabot backlog.
Audit, comment, and merge open dependabot PRs in a repository. Each PR gets a security review via the review-dependency skill, a comment with findings, and — if safe — a squash merge.
Argument: $ARGUMENTS — optional filter (e.g., golang, docker, npm). If empty, process all open dependabot PRs.
Prerequisites:
- ghsudo installed for write operations (pip install ghsudo)
- GitHub MCP tools available (mcp__plugin_claudius_github__*)
- review-dependency skill available

Search for open PRs authored by app/dependabot:
gh pr list --repo <owner>/<repo> --author 'app/dependabot' \
--json number,title,statusCheckRollup,mergeable --limit 50
Extract for each PR: number, title, CI status (which checks passed/failed), and mergeable state.
If $ARGUMENTS is set, filter PRs whose title contains the filter string.
Before spawning worktree agents:
git log @{upstream}..HEAD --oneline
If unpushed commits exist, alert the user and stop. Worktree agents fork from the remote state — unpushed local commits will be missing. If no upstream is configured, use git log origin/$(git branch --show-current)..HEAD as fallback.
Sort PRs into three groups:
| Group | Condition | Action |
|---|---|---|
| Green | All CI checks passed + MERGEABLE | Audit, Comment, Merge (only if the audit result is Safe) |
| Red | CI failures + MERGEABLE | Audit, Comment, @dependabot rebase |
| Conflicting | CONFLICTING mergeable state | Comment conflict notice, @dependabot rebase |
PRs whose checks are still running or whose mergeable state is still UNKNOWN fit none of the three groups; leave them out of this run and re-list them later rather than treating them as Green. Present the classification table to the user and ask for confirmation before proceeding.
For each PR, spawn a background agent in an isolated worktree:
Agent(
isolation: "worktree",
mode: "bypassPermissions",
run_in_background: true
)
Agent prompt must include ALL of:
- The repository: <owner>/<repo>
- Run the review-dependency skill with the PR number as argument
- Post findings with mcp__plugin_claudius_github__add_issue_comment (include the attribution footer)
- Green PRs: ghsudo gh pr merge <number> --repo <owner>/<repo> --squash
- Red PRs: post an @dependabot rebase comment, then enter the Rebase Watch Loop (step 5a)

Spawn all agents in a single message for maximum parallelism.
As agents complete, check their results. Agents may be blocked from GitHub write operations by hooks. For blocked agents:
Rebase Watch Loop (step 5a): after posting @dependabot rebase, poll until the rebase lands and CI completes (or the timeout is reached). Re-read the PR on each iteration with:
gh pr view --repo <owner>/<repo> <number> --json headRefOid,statusCheckRollup,mergeable
| Condition | Action |
|---|---|
| headRefOid changed + all checks SUCCESS + mergeable == MERGEABLE | Squash merge via ghsudo gh pr merge |
| headRefOid changed + any check FAILURE | Report as CI Red after rebase — do NOT re-rebase |
| 15 min elapsed, HEAD unchanged | Report as Rebase Timeout |
| Merge attempt fails (race, new conflict) | Report as Merge Failed after rebase |
On successful merge, report as Merged after rebase.
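As an added example (not code from the skill or from the Claudius project), the following Python script implements the Green/Red/Conflicting classification from the table above together with the Rebase Watch Loop, operating on the JSON that `gh pr list --json number,title,statusCheckRollup,mergeable` and `gh pr view --json headRefOid,statusCheckRollup,mergeable` emit. The PR records are constructed sample data; the extra Pending group, the non-blocking treatment of SKIPPED/NEUTRAL conclusions, and applying the 15-minute budget even when HEAD changed but CI never finished are assumptions, not rules stated by the skill.

```python
"""Classify dependabot PRs from gh JSON output and drive the Rebase Watch Loop.

Added example, not part of the skill. Field names follow what `gh pr list` and
`gh pr view` emit for --json statusCheckRollup,mergeable,headRefOid.
"""
import json
import subprocess
import time
from typing import Callable

GREEN, RED, CONFLICTING, PENDING = "Green", "Red", "Conflicting", "Pending"

# Terminal check outcomes. Treating SKIPPED/NEUTRAL as non-blocking is an
# assumption; narrow PASSED to {"SUCCESS"} if branch protection counts them as failures.
FAILED = {"FAILURE", "ERROR", "CANCELLED", "TIMED_OUT", "ACTION_REQUIRED", "STARTUP_FAILURE"}
PASSED = {"SUCCESS", "SKIPPED", "NEUTRAL"}


def ci_state(rollup: list) -> str:
    """Collapse a statusCheckRollup array into SUCCESS, FAILURE or PENDING.

    gh mixes CheckRun objects (status + conclusion) with legacy StatusContext
    objects (state). An empty rollup is PENDING: no CI is not evidence of safety.
    """
    if not rollup:
        return "PENDING"
    states = []
    for check in rollup:
        if check.get("__typename") == "StatusContext":
            states.append(check.get("state"))
        elif check.get("status") == "COMPLETED":
            states.append(check.get("conclusion"))
        else:
            states.append("PENDING")  # QUEUED / IN_PROGRESS
    if any(s in FAILED for s in states):
        return "FAILURE"
    if all(s in PASSED for s in states):
        return "SUCCESS"
    return "PENDING"


def classify(pr: dict) -> str:
    """Map one PR record onto Green / Red / Conflicting. Pending (assumed extra
    group) covers checks still running or a mergeable state still UNKNOWN."""
    mergeable = pr.get("mergeable")
    if mergeable == "CONFLICTING":
        return CONFLICTING
    if mergeable != "MERGEABLE":
        return PENDING
    ci = ci_state(pr.get("statusCheckRollup", []))
    return {"SUCCESS": GREEN, "FAILURE": RED}.get(ci, PENDING)


def select_prs(prs: list, title_filter: str = "") -> list:
    """Apply the optional $ARGUMENTS substring filter to PR titles (case-insensitive)."""
    needle = title_filter.lower()
    return [pr for pr in prs if needle in pr.get("title", "").lower()]


def group_prs(prs: list) -> dict:
    """Build the classification table shown to the user before any write happens."""
    groups = {GREEN: [], RED: [], CONFLICTING: [], PENDING: []}
    for pr in prs:
        groups[classify(pr)].append(pr["number"])
    return groups


def watch_rebase(poll: Callable[[], dict], head_before: str, clock=time.monotonic,
                 sleep=time.sleep, timeout_s: float = 900, interval_s: float = 60) -> str:
    """Rebase Watch Loop over repeated `gh pr view` results (supplied by poll()).

    Returns READY (squash merge now), CI_RED (never re-rebase), MERGE_FAILED
    (rebase landed but GitHub now reports a conflict) or TIMEOUT. clock/sleep are
    injectable so the loop can be tested without waiting 15 minutes.
    """
    started = clock()
    while True:
        pr = poll()
        if pr["headRefOid"] != head_before:
            ci = ci_state(pr.get("statusCheckRollup", []))
            if ci == "FAILURE":
                return "CI_RED"
            if ci == "SUCCESS":
                return "READY" if pr.get("mergeable") == "MERGEABLE" else "MERGE_FAILED"
        if clock() - started >= timeout_s:
            return "TIMEOUT"
        sleep(interval_s)


def gh_json(*args: str):
    """Run a gh command that was given --json and parse its output (not used offline)."""
    out = subprocess.run(["gh", *args], check=True, capture_output=True, text=True).stdout
    return json.loads(out)


# Constructed sample records in the shape of `gh pr list --author app/dependabot --json ...`.
SAMPLE_PRS = [
    {"number": 101, "title": "Bump golang.org/x/net from 0.22.0 to 0.23.0", "mergeable": "MERGEABLE",
     "statusCheckRollup": [
         {"__typename": "CheckRun", "name": "test", "status": "COMPLETED", "conclusion": "SUCCESS"},
         {"__typename": "StatusContext", "context": "license/cla", "state": "SUCCESS"}]},
    {"number": 102, "title": "Bump github.com/stretchr/testify from 1.8.4 to 1.9.0", "mergeable": "MERGEABLE",
     "statusCheckRollup": [
         {"__typename": "CheckRun", "name": "test", "status": "COMPLETED", "conclusion": "FAILURE"},
         {"__typename": "CheckRun", "name": "lint", "status": "COMPLETED", "conclusion": "SUCCESS"}]},
    {"number": 103, "title": "Bump golang from 1.21-alpine to 1.22-alpine in /docker", "mergeable": "CONFLICTING",
     "statusCheckRollup": [
         {"__typename": "CheckRun", "name": "test", "status": "COMPLETED", "conclusion": "SUCCESS"}]},
    {"number": 104, "title": "Bump actions/checkout from 4.1.1 to 4.1.2", "mergeable": "UNKNOWN",
     "statusCheckRollup": [
         {"__typename": "CheckRun", "name": "test", "status": "IN_PROGRESS", "conclusion": None}]},
]

if __name__ == "__main__":
    print(group_prs(select_prs(SAMPLE_PRS, "golang")))
```

In real use `gh_json("pr", "list", "--repo", "<owner>/<repo>", "--author", "app/dependabot", "--json", "number,title,statusCheckRollup,mergeable", "--limit", "50")` replaces SAMPLE_PRS, and `poll` is a closure around `gh_json("pr", "view", ...)`. The loop deliberately returns a verdict instead of merging, so the single place that calls ghsudo stays outside it and nothing in the loop can re-post a rebase.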
After earlier PRs merge, later PRs may become unmergeable (conflicting go.sum, lock files, etc.). When a merge fails with "not mergeable":
- Post @dependabot rebase on the PR and continue with the Rebase Watch Loop (step 5a). A PR that has already been through the loop is reported as Merge Failed after rebase instead of being rebased again.

Present a summary table:
| PR | Dependency | Audit | Action | Result |
|---|---|---|---|---|
| #NNN | pkg old->new | Safe/Risk | Merged/Rebase/Skipped | OK/MERGED_AFTER_REBASE/CI_RED/TIMEOUT/MERGE_FAILED/WARN |
Include:
After completing all PRs, invoke claudius:lessons-learned skill if notable patterns emerged (flaky tests blocking merges, recurring merge conflicts, security concerns).
Every GitHub comment MUST end with:
<sub>🤖 Co-authored by [Claudius the Magnificent](https://github.com/lklimek/claudius) AI Agent</sub>
Notes on ghsudo:
- Use ghsudo for all write operations (merge, comment) when gh alone fails with 403/404.
- If ghsudo exits with code 2 (user denied), skip that PR and move on.
- If ghsudo exits with code 4 (no token), inform the user to run ghsudo --setup <org>.