A few years ago, I came here to share this side project that I was building.

At the time, my problem was simple, I kept forgetting to update files across Git repositories, and none of the tools available to me could cover all my use cases without extensive scripting. So I decided to build a declarative update policy engine for crafting tailored update workflows.

I needed a way to define, what information to monitor, which files to update, the conditions required before applying changes, and finally a way to push the changes on a Git repository

Whether it was documentation, dependency management, or release orchestration, the goal was always the same: stop forgetting updates across repositories.

Back then, I received a lot of great feedback, but I also noticed that people were sometimes confused about how Updatecli differs from Renovatebot or Dependabot. So before going further, let me clarify that point.

Renovatebot and Dependabot are excellent tools, easy to use and requiring very little configuration. I still use them regularly. But they primarily focus on dependency updates, while Updatecli is designed for custom update workflows at the cost of writing and maintaining YAML manifests.

On new projects, I usually enable Renovatebot or Dependabot by default, and then use Updatecli for workflows not supported by those tools.

Here is the link to the previous discussion: https://news.ycombinator.com/item?id=30286047

A few years have passed since then, and the project evolved significantly, thanks to all contributors.

Today, Updatecli can declaratively manage updates across most Git platforms including GitHub, GitLab, Forgejo, etc.

It now ships with 30+ built-in integrations covering: * structured files like YAML, JSON, TOML, XML, HCL, CSV, Dockerfiles, and arbitrary text files * package ecosystems including Helm, NPM, PyPI, Maven, Cargo, Go modules, and Terraform * container registries and OCI artifacts * Git releases, tags, and branches * cloud resources like AWS AMIs * shell scripts and HTTP endpoints for custom workflows

More information on https://www.updatecli.io

One important feature we added is shared policy support. An Updatecli policy can now be distributed through OCI registries and reuse from different places using an Updatecli compose file.

For example, the following policy:

* ghcr.io/updatecli/policies/autodiscovery/githubaction:0.4.1

Will automatically discover repositories in a GitHub organization and update GitHub Action versions to the latest digest. One use case is enforcing pinned GitHub Action digests across repositories to help reduce supply-chain risks. The reusable policy is customized using a small values file:

— scm: enabled: true kind: githubsearch search: | org:updatecli fork:true archived:false branch: "^main$" limit: 1 —

Then:

``` export UPDATECLI_GITHUB_TOKEN=<insert GitHub PAT> export UPDATECLI_GITHUB_USERNAME=<insert username associated with PAT>

updatecli diff --values values.yaml \ ghcr.io/updatecli/policies/autodiscovery/githubaction:latest ```

Running this periodically from CI helps keep repositories compliant with the desired update policy.

Lately, I’ve also been making good progress with a monitoring UI called Udash to visualize Updatecli reports across repositories. You can take a look at https://app.uda.sh/updatecli/ for a public endpoint.

My goal is to quickly assess the update state of projects and understand how automation behaves across repositories.

It’s still very early, but fully open source.

Update automation is a surprisingly broad topic, and difficult to summarize in a single post, so feel free to ask any questions. I’d also be curious to hear how others here handle large-scale repository maintenance and update orchestration.

How to Build Your Own AI Benchmark

Meta now lets you add music to Instagram Reels via API

We used Quint to find over 10 bugs in SQLite while hardening Turso

8 Years of Clojure

Many Paths of the Collatz Conjecture

Show HN: Noxu DB, a Rust Port of Berkeley DB Java Edition

Show HN: Updatecli – A Declarative Update Policy Engine

Colonization of Venus

TeamPCP compromises NPM maintainer with over 540 packages

Claude Code may now request webcam access to assure user is present

U.S. Cybersecurity Agency Leaves Its Digital Keys Out in Public on GitHub

A Technical Deep Dive into the New Raycast

TanStack weighs invitation-only pull requests after supply chain attack

The Librarian – 7.1M-node knowledge graph beats vector search

Alloy: Code/SDK Generation Framework

FinOps for AI: per-commit cost attribution

The Smart Bookmark for Physical Books

Manchester Code Made Bits Behave

Speed Kills: Exploring Confused Deputy Attacks Through Edge AI Accelerators

Show HN: Auditledge – Hosted Audit Log API for SaaS

UMAI Core CE – An eBPF semantic firewall for AI protocols

NASA Draws on Industry for Mars Telecommunications Network

Human Bottlenecks

Free tool to build Options Apps with your coding agent

SIMD-accelerated integer-to-string conversion

Intellectual Control

Apache Druid 37.0.0

Tears – vibe code responsibly with tiered trust levels

Git-Backed SaaS: SaaS Without a Service

Spork: A posix_spawn you can use as a fork

Ask HN: Are you running production workloads in Pytorch eager mode?