Dashboard / How to Set Up Devin for Automated Dependency Upgrade PRs with Version Pinning, Test Gates, and Changelog Generation in a Python Monorepo
inyourleague.net

How to Set Up Devin for Automated Dependency Upgrade PRs with Version Pinning, Test Gates, and Changelog Generation in a Python Monorepo

Setting Up Devin for Automated Dependency Upgrades in a Python Monorepo

Managing dependency upgrades across a Python monorepo is tedious and error-prone. Devin, the AI software engineer by Cognition, can automate the entire workflow — from detecting outdated packages, to enforcing version pinning rules, running test suites as validation gates, and generating human-readable changelog summaries for each pull request. This guide walks you through configuring Devin end-to-end so your team receives clean, validated, well-documented dependency upgrade PRs on a recurring schedule.

Prerequisites

  • A Devin workspace with API access (Team or Enterprise plan)- A Python monorepo hosted on GitHub or GitLab- A requirements.txt, pyproject.toml, or setup.cfg per package- A working CI pipeline (GitHub Actions, GitLab CI, or similar)- Repository admin access for webhook and token configuration

Step 1: Connect Your Repository to Devin

Link your monorepo through the Devin dashboard or CLI. This grants Devin read/write access to create branches and open PRs. # Install the Devin CLI pip install devin-cli

Authenticate with your API key

devin auth login —token YOUR_API_KEY

Link your monorepo

devin repo connect
—provider github
—repo your-org/python-monorepo
—branch main

Step 2: Define Version Pinning Rules

Create a .devin/dependency-policy.yaml file in the root of your monorepo. This tells Devin how aggressively to upgrade each category of dependency. # .devin/dependency-policy.yaml pinning_strategy: default: minor # Allow minor + patch upgrades by default overrides: - pattern: "django*" strategy: patch # Django: patch-only upgrades - pattern: "boto3" strategy: minor - pattern: "*test*" strategy: latest # Test dependencies can go to latest - pattern: "cryptography" strategy: patch # Security-sensitive: patch only

ignore:

  • deprecated-package
  • internal-utils # Skip internal packages

group_by: package_dir # One PR per monorepo package directory max_prs_per_run: 10 # Limit concurrent open PRs

The pinning_strategy supports patch (e.g., 2.1.x), minor (e.g., 2.x.x), latest (any version), and exact (no upgrades).

Step 3: Configure Test Suite Validation Gates

Devin needs to know which tests to run before marking an upgrade PR as ready for review. Define gates in .devin/test-gates.yaml. # .devin/test-gates.yaml gates:

  • name: unit-tests command: pytest {package_dir}/tests/ -x —timeout=300 required: true retry: 1

  • name: type-check command: mypy {package_dir}/src/ —ignore-missing-imports required: true retry: 0

  • name: integration-tests command: pytest {package_dir}/tests/integration/ -x —timeout=600 required: false # Advisory only; won’t block the PR retry: 2

  • name: security-audit command: pip-audit —requirement {package_dir}/requirements.txt required: true retry: 0

on_gate_failure: action: draft_pr # Open as draft PR with failure details notify: slack # Also notify Slack channel channel: “#dependency-updates”

The {package_dir} placeholder is dynamically replaced with each package’s directory path during execution.

Step 4: Enable Changelog Summary Generation

Add changelog configuration so Devin generates a human-readable summary in each PR body. # .devin/changelog-config.yaml changelog: enabled: true format: markdown include: - version_diff # e.g., 2.1.0 → 2.2.3 - release_notes_summary # AI-summarized release notes - breaking_changes # Flagged prominently - security_advisories # CVEs if applicable - compatibility_notes # Python version compat warnings template: | ## Dependency Upgrade Summary

**Package:** {package_name}
**Upgrade:** {old_version} → {new_version}

### What Changed
{release_summary}

### Breaking Changes
{breaking_changes}

### Security Notes
{security_notes}

---
*Generated by Devin | Gate status: {gate_status}*</code></pre>

Step 5: Create the Automation Session

Now tie everything together by creating a recurring Devin session that scans for outdated dependencies and opens PRs. # Create the automated session devin session create \ --name "dependency-upgrades" \ --repo your-org/python-monorepo \ --trigger schedule \ --cron "0 9 * * 1" \ --instruction "Scan all packages in this monorepo for outdated Python dependencies. \ Follow the pinning rules in .devin/dependency-policy.yaml. \ Run all test gates in .devin/test-gates.yaml before opening PRs. \ Generate changelog summaries per .devin/changelog-config.yaml. \ Open one PR per package directory. Mark PRs as draft if any required gate fails."

Verify the session is active

devin session list —repo your-org/python-monorepo

You can also trigger a one-off run to test your configuration: # Manual trigger for immediate testing devin session trigger —name “dependency-upgrades” —dry-run

Run for real on a single package

devin session trigger —name “dependency-upgrades” —scope packages/auth-service

Step 6: Review and Merge Workflow

Once configured, Devin will open PRs that look like this in your repository:

PR TitlePackageGate StatusAction
chore(deps): upgrade requests 2.28.1 → 2.31.0packages/api-gatewayAll passedReady for review
chore(deps): upgrade django 4.2.8 → 4.2.14packages/web-appAll passedReady for review
chore(deps): upgrade numpy 1.24.0 → 1.26.4packages/ml-pipelineIntegration failedDraft PR
## Pro Tips - **Batch similar upgrades:** Add group_by: dependency_name in your policy to combine the same dependency upgrade across all packages into a single PR.- **Priority labels:** Add labels: ["security"] to your policy overrides so security-related upgrades get auto-labeled for faster triage.- **Lock file handling:** Devin automatically regenerates poetry.lock, Pipfile.lock, and pip-compile output files when it detects them alongside your requirements.- **Custom branch naming:** Set branch_template: "devin/deps/{package}/{dependency}-{new_version}" in your policy for predictable branch names in automation scripts.- **Slack digest:** Configure digest: weekly under on_gate_failure to receive a consolidated weekly summary instead of per-PR notifications. ## Troubleshooting
IssueCauseSolution
Devin opens PRs but tests are not runningMissing test-gates.yaml or incorrect {package_dir} pathVerify the file exists at .devin/test-gates.yaml and test paths resolve correctly with --dry-run
Version pinning is ignoredPolicy file syntax error or overrides pattern not matchingRun devin policy validate .devin/dependency-policy.yaml to check syntax. Use glob patterns like "django*" not regex.
Changelog shows "No release notes found"Upstream package has no GitHub Releases or PyPI changelogThis is expected for packages without structured release notes. Devin falls back to commit log summaries.
PRs are always opened as draftsA required gate is consistently failingCheck gate logs with devin session logs --name dependency-upgrades --last-run and fix the failing test or mark the gate as required: false.
Too many PRs opened at oncemax_prs_per_run not set or set too highAdd or lower max_prs_per_run in dependency-policy.yaml. Consider grouping by dependency name.
## Frequently Asked Questions

Can Devin handle private PyPI registries and internal packages?

Yes. Configure your private registry credentials in the Devin workspace secrets under Settings → Secrets. Add a .devin/pip.conf or set PIP_INDEX_URL as an environment variable in your session configuration. Devin will use these credentials when resolving and downloading packages. Internal packages listed under the ignore key in your policy file will be skipped entirely.

How does Devin handle conflicting dependency requirements across packages in the monorepo?

Devin resolves dependencies per package directory independently. If upgrading a shared dependency would cause a version conflict between packages, Devin detects this during the test gate phase and flags it in the PR body under “Compatibility Notes.” You can also set group_by: dependency_name to force a single coordinated PR across all affected packages, which lets you resolve conflicts in one review.

What happens if a dependency upgrade introduces a breaking change that Devin cannot automatically fix?

When a required test gate fails, Devin opens the PR as a draft and includes the full error log, the changelog summary highlighting breaking changes, and a suggested remediation plan in the PR description. It will not attempt arbitrary code modifications to fix breaking changes unless you include explicit instructions in the session prompt. Your team reviews the draft, applies manual fixes, and marks it ready for merge.

Related Content

best-practicesDevin AI Team Workflow Integration Best Practices: Slack, GitHub, and Code Review Automationhow-toHow to Set Up Devin for Automated Dependency Upgrade PRs with Version Pinning, Test Gates, and Changelog Generation in a Python Monorepobest-practicesDevin Best Practices: Delegating Multi-File Refactoring with Spec Docs, Branch Isolation & Code Review Checkpoints
View All →

Explore More Tools

Grok Best Practices for Academic Research and Literature Discovery: Leveraging X/Twitter for Scholarly Intelligence Best Practices Grok Best Practices for Content Strategy: Identify Trending Topics Before They Peak and Create Content That Captures Demand Best Practices Grok Case Study: How a DTC Beauty Brand Used Real-Time Social Listening to Save Their Product Launch Case Study Grok Case Study: How a Pharma Company Tracked Patient Sentiment During a Drug Launch and Caught a Safety Signal 48 Hours Before the FDA Case Study Grok Case Study: How a Disaster Relief Nonprofit Used Real-Time X/Twitter Monitoring to Coordinate Emergency Response 3x Faster Case Study Grok Case Study: How a Political Campaign Used X/Twitter Sentiment Analysis to Reshape Messaging and Win a Swing District Case Study How to Use Grok for Competitive Intelligence: Track Product Launches, Pricing Changes, and Market Positioning in Real Time How-To Grok vs Perplexity vs ChatGPT Search for Real-Time Information: Which AI Search Tool Is Most Accurate in 2026? Comparison How to Use Grok for Crisis Communication Monitoring: Detect, Assess, and Respond to PR Emergencies in Real Time How-To How to Use Grok for Product Improvement: Extract Customer Feedback Signals from X/Twitter That Your Support Team Misses How-To How to Use Grok for Conference Live Monitoring: Extract Event Insights and Identify Networking Opportunities in Real Time How-To How to Use Grok for Influencer Marketing: Discover, Vet, and Track Influencer Partnerships Using Real X/Twitter Data How-To How to Use Grok for Job Market Analysis: Track Industry Hiring Trends, Layoff Signals, and Salary Discussions on X/Twitter How-To How to Use Grok for Investor Relations: Track Earnings Sentiment, Analyst Reactions, and Shareholder Concerns in Real Time How-To How to Use Grok for Recruitment and Talent Intelligence: Identifying Hiring Signals from X/Twitter Data How-To How to Use Grok for Startup Fundraising Intelligence: Track Investor Sentiment, VC Activity, and Funding Trends on X/Twitter How-To How to Use Grok for Regulatory Compliance Monitoring: Real-Time Policy Tracking Across Industries How-To NotebookLM Best Practices for Financial Analysts: Due Diligence, Investment Research & Risk Factor Analysis Across SEC Filings Best Practices NotebookLM Best Practices for Teachers: Build Curriculum-Aligned Lesson Plans, Study Guides, and Assessment Materials from Your Own Resources Best Practices NotebookLM Case Study: How an Insurance Company Built a Claims Processing Training System That Cut Errors by 35% Case Study