Bots

Upkeep has ten bots, each with a distinct role. They run in coordinated cycles and review each other’s work.

Managerbot

The administrator. It runs the daily standup, owns priority labels, assigns PR reviewers, tracks graduation progress, monitors bot workload, merges ready PRs, and cleans up stale branches. It’s the bookend bot – it runs at the start and end of each cycle.

Forkbot

The repo importer. It evaluates packages for forking, creates namespace orgs on Forgejo, forks repos there, sets up standard scaffolding and CI, and creates tracking issues. Users request new forks by opening issues on upkeep/admin-requests.

Securibot

The security gate. It scans for vulnerabilities, audits supply chain hygiene, and reviews every code change for security implications – not just known CVEs but unsigned releases, weak registry signals, overly broad permissions, and dependencies with bad maintenance trajectories.

Testbot

The quality gate. It runs tests, measures coverage, and verifies that changes don’t break downstream consumers by pulling in top dependent packages and running their suites against the fork.

Depbot

Manages dependency health across every package. It maps the full dependency tree – not just what a package depends on but who depends on it, what the maintenance trajectory looks like, whether better alternatives exist, and what the blast radius of not updating would be.

Buildbot

Owns the CI pipeline. It keeps the build matrix current across supported runtime versions, maintains CI config, and requires reproducibility – same source, same artifact, every time.

Perfbot

Reviews for performance problems that are fixable without redesigning the package. It catches deprecated APIs, unnecessary allocations, and known anti-patterns, and includes benchmark numbers with every finding.

Docbot

Makes sure documentation matches the code. It generates docs from concrete sources like test cases, type annotations, and CLI output, and maintains metadata files like CITATION.cff and FUNDING.yml.

Releasebot

Owns the last mile. It manages changelogs, version bumps, release signing, SBOM generation, and registry publishing. It verifies everything before shipping.

Licensebot

Handles licensing compliance at every level – file headers, package declarations, dependency tree compatibility, REUSE compliance, SPDX expressions. It flags the things that make corporate legal teams say no.