From 3d0356f4c3a65f29b6f5d86b76f523526ce4f425 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 2 Mar 2026 14:01:50 +0000
Subject: [PATCH 1/3] Initial plan
From fc0f1897593b0544f337fc228cf008f2b1407786 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 2 Mar 2026 14:09:26 +0000
Subject: [PATCH 2/3] Support updatecli in gh-aw-dependency-review workflow
Co-authored-by: v1v <2871786+v1v@users.noreply.github.com>
---
 .github/workflows/gh-aw-dependency-review.md | 4 ++--
 .github/workflows/trigger-dependency-review.yml | 3 ++-
 docs/workflows/gh-agent-workflows.md | 2 +-
 gh-agent-workflows/dependency-review/README.md | 6 +++---
 gh-agent-workflows/dependency-review/example.yml | 3 ++-
 5 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/gh-aw-dependency-review.md b/.github/workflows/gh-aw-dependency-review.md
index 53063172..6d9ae3a9 100644
--- a/.github/workflows/gh-aw-dependency-review.md
+++ b/.github/workflows/gh-aw-dependency-review.md
@@ -1,7 +1,7 @@
 ---
 inlined-imports: true
 name: "Dependency Review"
-description: "Analyze Dependabot and Renovate dependency update PRs"
+description: "Analyze Dependabot, Renovate, and Updatecli dependency update PRs"
 imports:
 - gh-aw-fragments/elastic-tools.md
 - gh-aw-fragments/runtime-setup.md
@@ -84,7 +84,7 @@ steps:
 # Dependency Review Agent
-Analyze dependency update pull requests (Dependabot, Renovate) in ${{ github.repository }}. Provide a detailed analysis comment covering changelog highlights, compatibility, risk, and ecosystem-specific checks.
+Analyze dependency update pull requests (Dependabot, Renovate, Updatecli) in ${{ github.repository }}. Provide a detailed analysis comment covering changelog highlights, compatibility, risk, and ecosystem-specific checks.
 ## Context
diff --git a/.github/workflows/trigger-dependency-review.yml b/.github/workflows/trigger-dependency-review.yml
index eaa740f4..d7d99405 100644
--- a/.github/workflows/trigger-dependency-review.yml
+++ b/.github/workflows/trigger-dependency-review.yml
@@ -15,7 +15,8 @@ jobs:
 run:
 if: >-
 github.event.pull_request.user.login == 'dependabot[bot]' ||
- github.event.pull_request.user.login == 'renovate[bot]'
+ github.event.pull_request.user.login == 'renovate[bot]' ||
+ startsWith(github.head_ref, 'updatecli')
 uses: ./.github/workflows/gh-aw-dependency-review.lock.yml
 secrets:
 COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
diff --git a/docs/workflows/gh-agent-workflows.md b/docs/workflows/gh-agent-workflows.md
index 3821bdeb..06b492c4 100644
--- a/docs/workflows/gh-agent-workflows.md
+++ b/docs/workflows/gh-agent-workflows.md
@@ -54,7 +54,7 @@ These pair together: a Scheduled Audit finds problems, a Scheduled Fix resolves
 | Workflow | Trigger | Description |
 | --- | --- | --- |
-| [Dependency Review](gh-agent-workflows/dependency-review.md) | Dependabot/Renovate PRs | Analyze dependency updates across ecosystems with changelog, compatibility, and risk checks |
+| [Dependency Review](gh-agent-workflows/dependency-review.md) | Dependabot/Renovate/Updatecli PRs | Analyze dependency updates across ecosystems with changelog, compatibility, and risk checks |
 | [Duplicate Issue Detector](gh-agent-workflows/duplicate-issue-detector.md) | New issues | Detect duplicate issues and comment with links |
 | [Issue Triage](gh-agent-workflows/issue-triage.md) | New issues | Investigate and provide implementation plans |
 | [Issue Fixer](gh-agent-workflows/issue-fixer.md) | New issues | Triage plus automatic draft PR for straightforward fixes |
diff --git a/gh-agent-workflows/dependency-review/README.md b/gh-agent-workflows/dependency-review/README.md
index 7d7b58f1..023bf112 100644
--- a/gh-agent-workflows/dependency-review/README.md
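Review bot: The new `startsWith(github.head_ref, 'updatecli')` clause in the `if:` of the `run` job gates on the branch name, which whoever opens the PR chooses, whereas the two clauses before it gate on the PR author's login. A contributor-authored PR from a branch whose name begins with `updatecli` is therefore routed to the reusable workflow that is handed `COPILOT_GITHUB_TOKEN`, and the agent would treat its contents as a bot's dependency bump; whether the called workflow's `allowed-bot-users` check rejects such a run is not visible in this patch. Consider tying the clause to provenance as well, e.g. `(startsWith(github.head_ref, 'updatecli') && github.event.pull_request.head.repo.full_name == github.repository)`, and matching a delimiter-terminated prefix so that unrelated names such as `updateclient-fix` do not qualify. The same clause is added to `gh-agent-workflows/dependency-review/example.yml` in the `@@ -13,7 +13,8 @@` hunk. The job definition starts above the hunk.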
+++ b/gh-agent-workflows/dependency-review/README.md
@@ -1,10 +1,10 @@
 # Dependency Review
-Analyze Dependabot and Renovate dependency update PRs.
+Analyze Dependabot, Renovate, and Updatecli dependency update PRs.
 ## How it works
-Triggered when Dependabot or Renovate opens or updates a PR. Classifies each dependency by ecosystem (GitHub Actions, Go, npm, Python, Java, Buildkite, etc.), runs shared checks (changelog, usage analysis, compatibility, testability), and applies ecosystem-specific checks where relevant. Posts a structured analysis comment and optionally labels the PR `needs-human-review` or `higher-risk`.
+Triggered when Dependabot, Renovate, or Updatecli opens or updates a PR. Classifies each dependency by ecosystem (GitHub Actions, Go, npm, Python, Java, Buildkite, etc.), runs shared checks (changelog, usage analysis, compatibility, testability), and applies ecosystem-specific checks where relevant. Posts a structured analysis comment and optionally labels the PR `needs-human-review` or `higher-risk`.
 ## Quick Install
@@ -20,7 +20,7 @@ See [example.yml](example.yml) for the full workflow file.
 | Event | Types | Condition |
 | --- | --- | --- |
-| `pull_request` | `opened`, `synchronize`, `reopened` | PR author is `dependabot[bot]` or `renovate[bot]` |
+| `pull_request` | `opened`, `synchronize`, `reopened` | PR author is `dependabot[bot]` or `renovate[bot]`, or branch name starts with `updatecli` |
 ## Inputs
diff --git a/gh-agent-workflows/dependency-review/example.yml b/gh-agent-workflows/dependency-review/example.yml
index 74bb07a3..f0f46f53 100644
--- a/gh-agent-workflows/dependency-review/example.yml
+++ b/gh-agent-workflows/dependency-review/example.yml
@@ -13,7 +13,8 @@ jobs:
 run:
 if: >-
 github.event.pull_request.user.login == 'dependabot[bot]' ||
- github.event.pull_request.user.login == 'renovate[bot]'
+ github.event.pull_request.user.login == 'renovate[bot]' ||
+ startsWith(github.head_ref, 'updatecli')
 uses: elastic/ai-github-actions/.github/workflows/gh-aw-dependency-review.lock.yml@v0
 secrets:
 COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
From 77ba3f029cb4d4614ed9df1de7440b7ed713c963 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 2 Mar 2026 17:11:45 +0000
Subject: [PATCH 3/3] Add allowed-bot-users guidance for updatecli in example.yml and README
Co-authored-by: strawgate <6384545+strawgate@users.noreply.github.com>
---
 .github/workflows/trigger-dependency-review.yml | 3 +++
 gh-agent-workflows/dependency-review/README.md | 2 +-
 gh-agent-workflows/dependency-review/example.yml | 3 +++
 3 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/trigger-dependency-review.yml b/.github/workflows/trigger-dependency-review.yml
index d7d99405..1d3ef754 100644
--- a/.github/workflows/trigger-dependency-review.yml
+++ b/.github/workflows/trigger-dependency-review.yml
@@ -18,5 +18,8 @@ jobs:
 github.event.pull_request.user.login == 'renovate[bot]' ||
 startsWith(github.head_ref, 'updatecli')
 uses: ./.github/workflows/gh-aw-dependency-review.lock.yml
+ # For updatecli: uncomment and set your repo's updatecli bot actor (it varies per repo).
+ # with:
+ # allowed-bot-users: "github-actions[bot]"
 secrets:
 COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
diff --git a/gh-agent-workflows/dependency-review/README.md b/gh-agent-workflows/dependency-review/README.md
index 023bf112..9708ee72 100644
--- a/gh-agent-workflows/dependency-review/README.md
+++ b/gh-agent-workflows/dependency-review/README.md
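Review bot: The commented example added after `uses:` in the `@@ -18,5 +18,8 @@` hunk sets `allowed-bot-users: "github-actions[bot]"`, which the README's inputs table lists as the default, so uncommenting it as written changes nothing. The comment also does not say that the value is an allowlist, so presumably every actor added to it can start the agent. I would reword it to something like `# For updatecli: if its PRs are opened by an actor other than the default github-actions[bot], uncomment and list only that actor.` and put an obvious placeholder in the example line, e.g. `#   allowed-bot-users: "<your-updatecli-bot>[bot]"`. The same three comment lines are added to `gh-agent-workflows/dependency-review/example.yml` in the `@@ -16,5 +16,8 @@` hunk.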
@@ -28,7 +28,7 @@ See [example.yml](example.yml) for the full workflow file.
 | --- | --- | --- | --- |
 | `additional-instructions` | Repo-specific instructions appended to the agent prompt | No | `""` |
 | `setup-commands` | Shell commands run before the agent starts | No | `""` |
-| `allowed-bot-users` | Allowlisted bot actor usernames (comma-separated) | No | `github-actions[bot]` |
+| `allowed-bot-users` | Allowlisted bot actor usernames (comma-separated). For Updatecli, add your repo's updatecli bot actor here (e.g. `github-actions[bot]` or a custom app bot). | No | `github-actions[bot]` |
 ## Safe Outputs
diff --git a/gh-agent-workflows/dependency-review/example.yml b/gh-agent-workflows/dependency-review/example.yml
index f0f46f53..3978c01a 100644
--- a/gh-agent-workflows/dependency-review/example.yml
+++ b/gh-agent-workflows/dependency-review/example.yml
@@ -16,5 +16,8 @@ jobs:
 github.event.pull_request.user.login == 'renovate[bot]' ||
 startsWith(github.head_ref, 'updatecli')
 uses: elastic/ai-github-actions/.github/workflows/gh-aw-dependency-review.lock.yml@v0
+ # For updatecli: uncomment and set your repo's updatecli bot actor (it varies per repo).
+ # with:
+ # allowed-bot-users: "github-actions[bot]"
 secrets:
 COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}