README
¶
VersionConductor
Automated dependency PR management and maintenance releases for GitHub repositories.
Part of the DevOpsOrchestra suite alongside PipelineConductor.
Features
- Scan - Find Renovate/Dependabot PRs across organizations
- Review - Auto-approve dependency PRs based on Cedar policies
- Merge - Auto-merge approved PRs with configurable strategies
- Release - Create maintenance releases when dependencies are updated
Installation
go install github.com/grokify/versionconductor/cmd/versionconductor@latest
Quick Start
Set your GitHub token:
export GITHUB_TOKEN=ghp_your_token_here
Scan for dependency PRs:
versionconductor scan --orgs myorg
Review PRs (dry-run by default):
versionconductor review --orgs myorg
Merge approved PRs:
versionconductor merge --orgs myorg --execute
Create maintenance releases:
versionconductor release --orgs myorg --execute
Commands
scan
List all open dependency PRs across repositories.
# Scan an organization
versionconductor scan --orgs myorg
# Scan specific repositories
versionconductor scan --repos owner/repo1,owner/repo2
# Filter by dependency bot
versionconductor scan --orgs myorg --bot renovate
# Filter by update type
versionconductor scan --orgs myorg --update-type patch,minor
# Output as JSON
versionconductor scan --orgs myorg --format json
review
Auto-approve dependency PRs that meet policy criteria.
# Dry-run (default)
versionconductor review --orgs myorg
# Actually approve
versionconductor review --orgs myorg --execute
# Use specific profile
versionconductor review --orgs myorg --profile conservative --execute
merge
Merge approved dependency PRs.
# Dry-run (default)
versionconductor merge --orgs myorg
# Actually merge
versionconductor merge --orgs myorg --execute
# Use squash merge
versionconductor merge --orgs myorg --strategy squash --execute
# Limit merges per run
versionconductor merge --orgs myorg --max-prs 5 --execute
release
Create maintenance releases for repositories with merged dependency PRs.
# Dry-run (default)
versionconductor release --orgs myorg
# Create releases
versionconductor release --orgs myorg --execute
# Only PRs merged since a date
versionconductor release --orgs myorg --since 2025-01-01 --execute
# Create as drafts for review
versionconductor release --orgs myorg --draft --execute
Merge Profiles
VersionConductor includes three built-in merge profiles:
| Profile | Description |
|---|---|
aggressive |
Merge all passing PRs immediately |
balanced |
Wait 24h, auto-merge patch and minor only |
conservative |
Wait 48h, auto-merge patch only, require approval for others |
Use profiles with the --profile flag:
versionconductor merge --orgs myorg --profile balanced --execute
Configuration
Create a .versionconductor.yaml file in your home directory or project root:
orgs:
- myorg
- anotherorg
token: ${GITHUB_TOKEN} # Will read from environment
merge:
profile: balanced
strategy: squash
delete-branch: true
release:
generate-notes: true
prefix: v
Cedar Policies
VersionConductor uses Cedar for fine-grained policy control.
Example policy for auto-merging patch updates:
permit(
principal,
action == Action::"merge",
resource
)
when {
context.pr.isDependency == true &&
context.ci.allPassed == true &&
context.pr.ageHours >= 1 &&
context.dependency.isPatch == true &&
context.pr.mergeable == true &&
context.pr.draft == false
};
Output Formats
All commands support multiple output formats:
table(default) - Human-readable text tablejson- JSON for programmatic consumptionmarkdown- Markdown for reports and documentationcsv- CSV for spreadsheet import
versionconductor scan --orgs myorg --format json
Safety Features
- Dry-run by default - All write operations require
--execute - Policy-driven - No auto-merge without explicit policy
- Rate limiting - Respects GitHub API limits
- Audit trail - All actions logged with timestamps
Development
# Clone
git clone https://github.com/grokify/versionconductor
cd versionconductor
# Build
go build ./cmd/versionconductor
# Test
go test -v ./...
# Lint
golangci-lint run
License
MIT License - see LICENSE for details.
Directories