Automated Dependency and Patch Update Workflow Prompt
Design an automation workflow that detects, tests, and rolls out dependency and OS patch updates safely — auto-merging low-risk patches after green CI, batching and staging riskier ones, and never blind-applying to prod without verification.
- Target user: Platform engineers automating dependency and patch management
- Difficulty: Intermediate
- Tools: Claude, ChatGPT
The prompt
You are a platform engineer who has automated dependency and patch updates and learned that the goal is to stay current without auto-shipping a breaking change to prod at 2am. Design a workflow that automates the boring 90% safely and routes the risky 10% to humans.

I will provide:
- Our stack (languages, package managers, base images, OS fleet)
- Update tooling available (Renovate, Dependabot, unattended-upgrades, image scanners)
- CI/CD and test coverage reality
- Environments and rollout process
- Risk tolerance and compliance/SLA constraints

Your tasks:
1. **Update classification** — split updates into auto-merge-safe (patch/lockfile bumps with green CI), batch-and-review (minor), and human-required (major, security-sensitive packages, low-coverage areas). Treat a minor bump of a 0.x dependency as major, since semver makes no compatibility promise below 1.0. Justify the rules.
2. **Test gating** — what must pass before any auto-merge: full CI, integration tests, build, and image scan. No green suite, no auto-merge; a skipped or flaky suite is not green, so fall back to a human.
3. **Staged rollout** — never apply directly to prod. Roll patches dev → staging → canary → prod with a soak period and health checks between stages.
4. **Security fast-path** — critical CVEs get an expedited but still-tested lane; document how it differs from the normal cadence: what it may bypass (batching windows, and freezes only as a documented exception) and what it never bypasses (the test gates).
5. **Batching and noise control** — group updates to avoid PR spam; schedule windows; respect change freezes.
6. **Rollback and pinning** — auto-rollback or revert on a failed soak; how to pin a known-bad version and record why, so the pin can be revisited rather than outliving its cause.

Output as:
(a) the update-classification rules
(b) the auto-merge decision flow with required gates
(c) the staged rollout pipeline with soak/health checks
(d) the security CVE fast-path
(e) the rollback/pinning procedure and metrics (lead time to patched, auto-merge rate, rollback rate)

Anti-patterns to reject: auto-merging major versions, auto-merging on a flaky or skipped test suite, applying patches straight to prod, ignoring change freezes, and burying teams in un-batched update PRs.
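The classification rules, auto-merge gates, CVE fast-path and known-bad pinning that the prompt asks for, written out as one decision function. This is an added example, not code from the page or from Renovate, Dependabot or any other tool; the package names, coverage floor, freeze window, incident reference and sample updates are constructed, and the lane order (known-bad pin first, then major, then CVE fast-path, then sensitivity and coverage, then freeze) is one defensible policy rather than the only one.

```python
"""Update-lane classifier: decides which lane a proposed dependency/patch update takes.
Added example for this prompt page, not code from the page or from any real tool;
package names, thresholds, freeze dates and sample updates below are constructed."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple

class Lane(Enum):
    AUTO_MERGE = "auto-merge"            # patch/lockfile bump with every gate green
    BATCH_REVIEW = "batch-and-review"    # minor bump, grouped into a scheduled PR
    HUMAN = "human-required"             # major, security-sensitive, low coverage, gates not green
    FAST_PATH = "security-fast-path"     # critical/high CVE fix: skips freeze and batching, not tests
    DEFER = "deferred-change-freeze"     # automated lane held back by a freeze window
    BLOCKED = "blocked-known-bad"        # version pinned as known-bad

@dataclass
class Update:
    package: str
    current: str
    proposed: str
    ci_status: str                       # "passed" | "failed" | "skipped" | "flaky"
    scan_clean: bool                     # image/dependency scan found no new findings
    coverage: float                      # test coverage of the code that uses this package
    cve_severity: Optional[str] = None   # severity of the CVE this update fixes, if any
    lockfile_only: bool = False          # transitive resolution changed, declared range did not

@dataclass
class Policy:
    min_coverage: float = 0.6
    security_sensitive: Set[str] = field(default_factory=set)
    freeze_windows: List[Tuple[date, date]] = field(default_factory=list)
    known_bad: Dict[str, Dict[str, str]] = field(default_factory=dict)  # pkg -> version -> reason

SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")

def bump_kind(current: str, proposed: str) -> str:
    """patch / minor / major, or 'unknown' when not a parseable MAJOR.MINOR.PATCH upgrade."""
    cm, pm = SEMVER.match(current), SEMVER.match(proposed)
    if not cm or not pm:
        return "unknown"
    c = tuple(int(x) for x in cm.groups())
    p = tuple(int(x) for x in pm.groups())
    if p <= c:
        return "unknown"                 # same version or a downgrade: never automated
    if c[0] == 0:                        # 0.y.z has no compatibility promise: minor counts as major
        return "major" if p[1] != c[1] else "patch"
    if p[0] != c[0]:
        return "major"
    return "minor" if p[1] != c[1] else "patch"

def gates_green(u: Update) -> bool:
    """No green suite, no auto-merge: skipped or flaky CI is not green."""
    return u.ci_status == "passed" and u.scan_clean

def pin_known_bad(policy: Policy, package: str, version: str, reason: str) -> None:
    """Pin a known-bad version; the reason (incident/ticket) is mandatory so the pin can be revisited."""
    if not reason.strip():
        raise ValueError("a known-bad pin must record a reason")
    policy.known_bad.setdefault(package, {})[version] = reason

def classify(u: Update, policy: Policy, today: date) -> Tuple[Lane, str]:
    bad = policy.known_bad.get(u.package, {})
    if u.proposed in bad:
        return Lane.BLOCKED, f"{u.proposed} pinned as known-bad: {bad[u.proposed]}"
    kind = "patch" if u.lockfile_only else bump_kind(u.current, u.proposed)
    if kind == "unknown":
        return Lane.HUMAN, "version change could not be classified"
    if kind == "major":
        return Lane.HUMAN, "major bump is never automated, CVE fix or not"
    if u.cve_severity in ("critical", "high"):   # fast path bypasses freeze/batching, never the gates
        if gates_green(u):
            return Lane.FAST_PATH, f"{u.cve_severity} CVE fix with green gates"
        return Lane.HUMAN, f"{u.cve_severity} CVE fix but gates not green (ci={u.ci_status}, scan_clean={u.scan_clean})"
    if u.package in policy.security_sensitive:
        return Lane.HUMAN, "security-sensitive package"
    if u.coverage < policy.min_coverage:
        return Lane.HUMAN, f"coverage {u.coverage:.0%} below the {policy.min_coverage:.0%} floor"
    if any(start <= today <= end for start, end in policy.freeze_windows):
        return Lane.DEFER, "inside change freeze, re-evaluate when it lifts"
    if kind == "minor":
        return Lane.BATCH_REVIEW, "minor bump, group into the scheduled batch PR"
    if gates_green(u):
        return Lane.AUTO_MERGE, "patch/lockfile bump with green CI and clean scan"
    return Lane.HUMAN, f"patch bump but gates not green (ci={u.ci_status}, scan_clean={u.scan_clean})"

# Constructed policy: two sensitive packages, a year-end freeze, one pinned version.
POLICY = Policy(security_sensitive={"openssl", "pyjwt"},
                freeze_windows=[(date(2024, 12, 20), date(2025, 1, 5))])
pin_known_bad(POLICY, "requests", "2.32.0", "INC-0042: broke proxy auth in staging")
TODAY = date(2025, 1, 15)          # outside the freeze
FREEZE_DAY = date(2024, 12, 28)    # inside the freeze

if __name__ == "__main__":
    for u in (Update("urllib3", "2.2.1", "2.2.2", "passed", True, 0.85),
              Update("fastapi", "0.110.0", "0.111.0", "passed", True, 0.9)):
        lane, why = classify(u, POLICY, TODAY)
        print(f"{u.package} {u.current}->{u.proposed}: {lane.value} ({why})")
```

Two design choices worth noting. The CVE fast path is placed after the major-bump check, so a critical fix that arrives as a major bump still goes to a human (expedited review, not expedited auto-merge), which keeps the "never auto-merge majors" anti-pattern intact under pressure. And every lane returns a reason string alongside the lane, which is what the PR comment or dashboard should show; the same strings make the auto-merge rate and human-routing rate trivially attributable to a rule.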