elastic · strawgate · Mar 2, 2026 · Mar 2, 2026 · Mar 2, 2026 · Mar 2, 2026
diff --git a/.github/workflows/gh-aw-dependency-review.md b/.github/workflows/gh-aw-dependency-review.md
@@ -1,7 +1,7 @@
 ---
 inlined-imports: true
 name: "Dependency Review"
-description: "Analyze Dependabot and Renovate dependency update PRs"
+description: "Analyze Dependabot, Renovate, and Updatecli dependency update PRs"
 imports:
   - gh-aw-fragments/elastic-tools.md
   - gh-aw-fragments/runtime-setup.md
@@ -84,7 +84,7 @@ steps:
 
 # Dependency Review Agent
 
-Analyze dependency update pull requests (Dependabot, Renovate) in ${{ github.repository }}. Provide a detailed analysis comment covering changelog highlights, compatibility, risk, and ecosystem-specific checks.
+Analyze dependency update pull requests (Dependabot, Renovate, Updatecli) in ${{ github.repository }}. Provide a detailed analysis comment covering changelog highlights, compatibility, risk, and ecosystem-specific checks.
 
 ## Context
 

diff --git a/.github/workflows/trigger-dependency-review.yml b/.github/workflows/trigger-dependency-review.yml
@@ -15,7 +15,11 @@ jobs:
   run:
     if: >-
       github.event.pull_request.user.login == 'dependabot[bot]' ||
-      github.event.pull_request.user.login == 'renovate[bot]'
+      github.event.pull_request.user.login == 'renovate[bot]' ||
+      startsWith(github.head_ref, 'updatecli')
     uses: ./.github/workflows/gh-aw-dependency-review.lock.yml
+    # For updatecli: uncomment and set your repo's updatecli bot actor (it varies per repo).
+    # with:
+    #   allowed-bot-users: "github-actions[bot]"
     secrets:
       COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
diff --git a/docs/workflows/gh-agent-workflows.md b/docs/workflows/gh-agent-workflows.md
@@ -54,7 +54,7 @@ These pair together: a Scheduled Audit finds problems, a Scheduled Fix resolves
 
 | Workflow | Trigger | Description |
 | --- | --- | --- |
-| [Dependency Review](gh-agent-workflows/dependency-review.md) | Dependabot/Renovate PRs | Analyze dependency updates across ecosystems with changelog, compatibility, and risk checks |
+| [Dependency Review](gh-agent-workflows/dependency-review.md) | Dependabot/Renovate/Updatecli PRs | Analyze dependency updates across ecosystems with changelog, compatibility, and risk checks |
 | [Duplicate Issue Detector](gh-agent-workflows/duplicate-issue-detector.md) | New issues | Detect duplicate issues and comment with links |
 | [Issue Triage](gh-agent-workflows/issue-triage.md) | New issues | Investigate and provide implementation plans |
 | [Issue Fixer](gh-agent-workflows/issue-fixer.md) | New issues | Triage plus automatic draft PR for straightforward fixes |

diff --git a/gh-agent-workflows/dependency-review/README.md b/gh-agent-workflows/dependency-review/README.md
@@ -1,10 +1,10 @@
 # Dependency Review
 
-Analyze Dependabot and Renovate dependency update PRs.
+Analyze Dependabot, Renovate, and Updatecli dependency update PRs.
 
 ## How it works
 
-Triggered when Dependabot or Renovate opens or updates a PR. Classifies each dependency by ecosystem (GitHub Actions, Go, npm, Python, Java, Buildkite, etc.), runs shared checks (changelog, usage analysis, compatibility, testability), and applies ecosystem-specific checks where relevant. Posts a structured analysis comment and optionally labels the PR `needs-human-review` or `higher-risk`.
+Triggered when Dependabot, Renovate, or Updatecli opens or updates a PR. Classifies each dependency by ecosystem (GitHub Actions, Go, npm, Python, Java, Buildkite, etc.), runs shared checks (changelog, usage analysis, compatibility, testability), and applies ecosystem-specific checks where relevant. Posts a structured analysis comment and optionally labels the PR `needs-human-review` or `higher-risk`.
 
 ## Quick Install
 
@@ -20,15 +20,15 @@ See [example.yml](example.yml) for the full workflow file.
 
 | Event | Types | Condition |
 | --- | --- | --- |
-| `pull_request` | `opened`, `synchronize`, `reopened` | PR author is `dependabot[bot]` or `renovate[bot]` |
+| `pull_request` | `opened`, `synchronize`, `reopened` | PR author is `dependabot[bot]` or `renovate[bot]`, or branch name starts with `updatecli` |
 
 ## Inputs
 
 | Input | Description | Required | Default |
 | --- | --- | --- | --- |
 | `additional-instructions` | Repo-specific instructions appended to the agent prompt | No | `""` |
 | `setup-commands` | Shell commands run before the agent starts | No | `""` |
-| `allowed-bot-users` | Allowlisted bot actor usernames (comma-separated) | No | `github-actions[bot]` |
+| `allowed-bot-users` | Allowlisted bot actor usernames (comma-separated). For Updatecli, add your repo's updatecli bot actor here (e.g. `github-actions[bot]` or a custom app bot). | No | `github-actions[bot]` |
 
 ## Safe Outputs
 

diff --git a/gh-agent-workflows/dependency-review/example.yml b/gh-agent-workflows/dependency-review/example.yml
@@ -13,7 +13,11 @@ jobs:
   run:
     if: >-
       github.event.pull_request.user.login == 'dependabot[bot]' ||
-      github.event.pull_request.user.login == 'renovate[bot]'
+      github.event.pull_request.user.login == 'renovate[bot]' ||
+      startsWith(github.head_ref, 'updatecli')
     uses: elastic/ai-github-actions/.github/workflows/gh-aw-dependency-review.lock.yml@v0
+    # For updatecli: uncomment and set your repo's updatecli bot actor (it varies per repo).
+    # with:
+    #   allowed-bot-users: "github-actions[bot]"
     secrets:
       COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}