How to Set Up Devin for Automated Dependency Upgrade PRs with Version Pinning, Test Gates, and Changelog Generation in a Python Monorepo
Setting Up Devin for Automated Dependency Upgrades in a Python Monorepo
Managing dependency upgrades across a Python monorepo is tedious and error-prone. Devin, the AI software engineer by Cognition, can automate the entire workflow — from detecting outdated packages, to enforcing version pinning rules, running test suites as validation gates, and generating human-readable changelog summaries for each pull request. This guide walks you through configuring Devin end-to-end so your team receives clean, validated, well-documented dependency upgrade PRs on a recurring schedule.
Prerequisites
- A Devin workspace with API access (Team or Enterprise plan)- A Python monorepo hosted on GitHub or GitLab- A
requirements.txt,pyproject.toml, orsetup.cfgper package- A working CI pipeline (GitHub Actions, GitLab CI, or similar)- Repository admin access for webhook and token configuration
Step 1: Connect Your Repository to Devin
Link your monorepo through the Devin dashboard or CLI. This grants Devin read/write access to create branches and open PRs.
# Install the Devin CLI
pip install devin-cli
Authenticate with your API key
devin auth login —token YOUR_API_KEY
Link your monorepo
devin repo connect
—provider github
—repo your-org/python-monorepo
—branch main
Step 2: Define Version Pinning Rules
Create a .devin/dependency-policy.yaml file in the root of your monorepo. This tells Devin how aggressively to upgrade each category of dependency.
# .devin/dependency-policy.yaml
pinning_strategy:
default: minor # Allow minor + patch upgrades by default
overrides:
- pattern: "django*"
strategy: patch # Django: patch-only upgrades
- pattern: "boto3"
strategy: minor
- pattern: "*test*"
strategy: latest # Test dependencies can go to latest
- pattern: "cryptography"
strategy: patch # Security-sensitive: patch only
ignore:
- deprecated-package
- internal-utils # Skip internal packages
group_by: package_dir # One PR per monorepo package directory
max_prs_per_run: 10 # Limit concurrent open PRs
The pinning_strategy supports patch (e.g., 2.1.x), minor (e.g., 2.x.x), latest (any version), and exact (no upgrades).
Step 3: Configure Test Suite Validation Gates
Devin needs to know which tests to run before marking an upgrade PR as ready for review. Define gates in .devin/test-gates.yaml.
# .devin/test-gates.yaml
gates:
-
name: unit-tests
command: pytest {package_dir}/tests/ -x —timeout=300
required: true
retry: 1
-
name: type-check
command: mypy {package_dir}/src/ —ignore-missing-imports
required: true
retry: 0
-
name: integration-tests
command: pytest {package_dir}/tests/integration/ -x —timeout=600
required: false # Advisory only; won’t block the PR
retry: 2
-
name: security-audit
command: pip-audit —requirement {package_dir}/requirements.txt
required: true
retry: 0
on_gate_failure:
action: draft_pr # Open as draft PR with failure details
notify: slack # Also notify Slack channel
channel: “#dependency-updates”
The {package_dir} placeholder is dynamically replaced with each package’s directory path during execution.
Step 4: Enable Changelog Summary Generation
Add changelog configuration so Devin generates a human-readable summary in each PR body.
# .devin/changelog-config.yaml
changelog:
enabled: true
format: markdown
include:
- version_diff # e.g., 2.1.0 → 2.2.3
- release_notes_summary # AI-summarized release notes
- breaking_changes # Flagged prominently
- security_advisories # CVEs if applicable
- compatibility_notes # Python version compat warnings
template: |
## Dependency Upgrade Summary
**Package:** {package_name}
**Upgrade:** {old_version} → {new_version}
### What Changed
{release_summary}
### Breaking Changes
{breaking_changes}
### Security Notes
{security_notes}
---
*Generated by Devin | Gate status: {gate_status}*</code></pre>
Step 5: Create the Automation Session
Now tie everything together by creating a recurring Devin session that scans for outdated dependencies and opens PRs.
# Create the automated session
devin session create \
--name "dependency-upgrades" \
--repo your-org/python-monorepo \
--trigger schedule \
--cron "0 9 * * 1" \
--instruction "Scan all packages in this monorepo for outdated Python dependencies. \
Follow the pinning rules in .devin/dependency-policy.yaml. \
Run all test gates in .devin/test-gates.yaml before opening PRs. \
Generate changelog summaries per .devin/changelog-config.yaml. \
Open one PR per package directory. Mark PRs as draft if any required gate fails."
Verify the session is active
devin session list —repo your-org/python-monorepo
You can also trigger a one-off run to test your configuration:
# Manual trigger for immediate testing
devin session trigger —name “dependency-upgrades” —dry-run
Run for real on a single package
devin session trigger —name “dependency-upgrades” —scope packages/auth-service
Step 6: Review and Merge Workflow
Once configured, Devin will open PRs that look like this in your repository:
PR Title Package Gate Status Action chore(deps): upgrade requests 2.28.1 → 2.31.0 packages/api-gateway All passed Ready for review chore(deps): upgrade django 4.2.8 → 4.2.14 packages/web-app All passed Ready for review chore(deps): upgrade numpy 1.24.0 → 1.26.4 packages/ml-pipeline Integration failed Draft PR
## Pro Tips
- **Batch similar upgrades:** Add group_by: dependency_name in your policy to combine the same dependency upgrade across all packages into a single PR.- **Priority labels:** Add labels: ["security"] to your policy overrides so security-related upgrades get auto-labeled for faster triage.- **Lock file handling:** Devin automatically regenerates poetry.lock, Pipfile.lock, and pip-compile output files when it detects them alongside your requirements.- **Custom branch naming:** Set branch_template: "devin/deps/{package}/{dependency}-{new_version}" in your policy for predictable branch names in automation scripts.- **Slack digest:** Configure digest: weekly under on_gate_failure to receive a consolidated weekly summary instead of per-PR notifications.
## Troubleshooting
Issue Cause Solution Devin opens PRs but tests are not running Missing test-gates.yaml or incorrect {package_dir} path Verify the file exists at .devin/test-gates.yaml and test paths resolve correctly with --dry-run Version pinning is ignored Policy file syntax error or overrides pattern not matching Run devin policy validate .devin/dependency-policy.yaml to check syntax. Use glob patterns like "django*" not regex. Changelog shows "No release notes found" Upstream package has no GitHub Releases or PyPI changelog This is expected for packages without structured release notes. Devin falls back to commit log summaries. PRs are always opened as drafts A required gate is consistently failing Check gate logs with devin session logs --name dependency-upgrades --last-run and fix the failing test or mark the gate as required: false. Too many PRs opened at once max_prs_per_run not set or set too highAdd or lower max_prs_per_run in dependency-policy.yaml. Consider grouping by dependency name.
## Frequently Asked Questions
Can Devin handle private PyPI registries and internal packages?
Yes. Configure your private registry credentials in the Devin workspace secrets under Settings → Secrets. Add a .devin/pip.conf or set PIP_INDEX_URL as an environment variable in your session configuration. Devin will use these credentials when resolving and downloading packages. Internal packages listed under the ignore key in your policy file will be skipped entirely.
How does Devin handle conflicting dependency requirements across packages in the monorepo?
Devin resolves dependencies per package directory independently. If upgrading a shared dependency would cause a version conflict between packages, Devin detects this during the test gate phase and flags it in the PR body under “Compatibility Notes.” You can also set group_by: dependency_name to force a single coordinated PR across all affected packages, which lets you resolve conflicts in one review.
What happens if a dependency upgrade introduces a breaking change that Devin cannot automatically fix?
When a required test gate fails, Devin opens the PR as a draft and includes the full error log, the changelog summary highlighting breaking changes, and a suggested remediation plan in the PR description. It will not attempt arbitrary code modifications to fix breaking changes unless you include explicit instructions in the session prompt. Your team reviews the draft, applies manual fixes, and marks it ready for merge.