How to Assign Reviewers to Dependency Update PRs
Both bots let you attach reviewers and assignees to every update PR so the right team is pulled in without manual triage.
In Dependabot use the reviewers and assignees keys under an updates entry. In Renovate use reviewers and assignees (or team syntax) in renovate.json, optionally scoped by packageRules.
Dependabot
.github/dependabot.yml
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
reviewers:
- "my-org/frontend-team"
assignees:
- "octocat"
labels:
- "dependencies"Renovate
renovate.json
{
"extends": ["config:recommended"],
"reviewers": ["team:frontend"],
"assignees": ["octocat"],
"packageRules": [
{
"matchUpdateTypes": ["major"],
"reviewers": ["team:leads"]
}
]
}Gotchas
- Renovate references teams as
team:slug; Dependabot uses theorg/teamform. - A required reviewer combined with automerge means the PR still needs approval, which can defeat unattended merges; scope reviewers to majors only.
- Assignees are notified but do not block the merge; reviewers can, via branch protection.
Related guides
How to Set Semantic Commit Messages for Dependency UpdatesStandardize update commit messages with Conventional Commits, using commit-message.prefix in Dependabot or se…
How to Auto-Merge Dependabot PRs After Tests PassEnable auto-merge on Dependabot pull requests with gh pr merge --auto in a workflow, so a PR merges only afte…