Automated review and management of dependabot PRs. Runs as a background cron worker that scans a GitHub repo's open dependabot PRs, triages each one using Claude, and either posts a recommendation to merge (if CI is passing and no code changes are needed) or drives an implementation agent to fix code breakage and open a replacement PR.
The tool emulates a competent human reviewer: it fixes things it is confident about, explains things it isn't, and stays silent when it has nothing useful to add. The net effect is less human attention required, not more. It always proposes — a human makes the final call; the tool never submits a native GitHub approval.
A read-only prototype dashboard is deployed at http://146.148.23.195:8080 (HTTP only; the address may change, and HTTPS is not yet configured). It shows live triage state for the repo the worker is currently scanning.
- Go 1.22+
- Node 22+ (to build the embedded dashboard SPA)
- `gh` CLI authenticated (`gh auth login`)
- Claude Code CLI (`claude`) — used to drive the implementation agent
The web dashboard is a Svelte SPA embedded into the binary via `//go:embed all:ui/dist`, so the SPA must be built before the Go binary:

```sh
# 1. Build the dashboard SPA (produces internal/web/ui/dist)
npm --prefix internal/web/ui ci
npm --prefix internal/web/ui run build

# 2. Build the binary
go build -o dependabot-sweeper ./cmd/dependabot-sweeper
```

`ui/dist` is a build artifact and is not committed; CI and the Docker image build it from source. After the first SPA build, `go build`/`go test` work directly until the SPA changes.
Set the following environment variables (or a `.env` file):

| Variable | Description |
|---|---|
| `ANTHROPIC_API_KEY` | Anthropic API key for the analyser and reviewer |
| `DEPENDABOT_REVIEWER_TOKEN` | GitHub PAT with `repo` scope — used to post reviews and open PRs |
Scans all open dependabot PRs on an interval, writes state to a SQLite database:

```sh
dependabot-sweeper worker \
  --repos owner/repo \
  --db /var/lib/sweeper/sweeper.db \
  --interval 30m
```

Read-only API and embedded SPA served from the same database:

```sh
dependabot-sweeper web \
  --db /var/lib/sweeper/sweeper.db \
  --listen-addr :8080
```

Open http://localhost:8080 to see the live dashboard.

Review a single PR without the cron loop:

```sh
dependabot-sweeper review --repos owner/repo --pr 42
```

| Flag | Default | Description |
|---|---|---|
| `--repos` | (required) | GitHub owner/repo to scan |
| `--db` | `sweeper.db` | SQLite database path |
| `--interval` | `30m` | Scan interval (worker only) |
| `--listen-addr` | `:8080` | HTTP listen address (web only) |
| `--dry-run` | off | Skip all GitHub writes and LLM calls |
| `--pr` | (all) | Process only this PR number |
| `--concurrency` | 20 | Max concurrent PRs |
| `--accept-author` | `dependabot[bot]`, `renovate[bot]` | Additional PR authors to process |
| `--analyser-model` | `claude-sonnet-4-6` | Claude model for the analyser |
| `--impl-model` | Claude Code default | Claude model for the implementation agent |
| `--max-impl-budget` | $50 | Per-PR spend cap for the implementation agent |
| `--ignore-check` | (none) | CI check names to treat as non-blocking (repeatable) |