
Commit 95110cc

dougborg and claude committed
ci: add npm Dependabot ecosystem and Dependabot auto-merge
Adds an npm ecosystem entry for packages/katana-client (the package-lock.json CI gates with `npm ci`), closing the TypeScript client's dependency-update gap.

Adds dependabot-auto-merge.yml: enables GitHub native auto-merge on patch/minor Dependabot PRs via dependabot/fetch-metadata + `gh pr merge --auto --squash`. Major bumps are left for human review. Requires "Allow auto-merge" and branch protection with required checks (auto-merge waits for green; never bypasses).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent bd191a2 commit 95110cc

3 files changed

Lines changed: 97 additions & 1 deletion

File tree

.github/dependabot.yml

Lines changed: 28 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,8 @@
44
#
55
# Supported ecosystems:
66
# - uv: Python dependencies via pyproject.toml and uv.lock (GA since March 2025)
7+
# - npm: TypeScript client deps via packages/katana-client/package-lock.json
8+
# (the lockfile CI gates with `npm ci` in the typescript-client job)
79
# - github-actions: Workflow action versions
810
# - docker: Base images in Dockerfiles
911
#
@@ -36,6 +38,31 @@ updates:
3638
prefix: "chore(deps)"
3739
include: "scope"
3840

41+
# TypeScript client (npm — packages/katana-client/package-lock.json)
42+
# This is the lockfile CI installs from (`npm ci` in the typescript-client job).
43+
# The root pnpm workspace lockfile is not gated by CI, so it's intentionally
44+
# not tracked here to avoid churning a lockfile nothing verifies.
45+
- package-ecosystem: "npm"
46+
directory: "/packages/katana-client"
47+
schedule:
48+
interval: "weekly"
49+
day: "monday"
50+
time: "09:00"
51+
timezone: "UTC"
52+
open-pull-requests-limit: 10
53+
labels:
54+
- "dependencies"
55+
- "typescript"
56+
groups:
57+
# Group minor/patch updates to reduce PR noise
58+
npm-minor-patch:
59+
update-types:
60+
- "minor"
61+
- "patch"
62+
commit-message:
63+
prefix: "chore(deps)"
64+
include: "scope"
65+
3966
# GitHub Actions
4067
- package-ecosystem: "github-actions"
4168
directory: "/"
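Review bot: the comment "The root pnpm workspace lockfile is not gated by CI, so it's intentionally not tracked here" acknowledges a second lockfile but says nothing about drift: every Dependabot bump of packages/katana-client/package-lock.json will leave the root pnpm workspace lockfile pinned to the old version, so the two lockfiles will disagree about the client's dependency versions until someone regenerates the root one by hand. Either add a second npm entry with `directory: "/"` so both lockfiles move together, or extend the comment to say who reconciles the root lockfile and when, so the mismatch is a documented state rather than a surprise.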
@@ -48,7 +75,7 @@ updates:
4875
labels:
4976
- "dependencies"
5077
- "github-actions"
51-
- "ci/cd"
78+
- "ci-cd"
5279
groups:
5380
github-actions:
5481
patterns:
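Review bot: the `ci/cd` to `ci-cd` label rename is an unrelated change that the commit message does not mention; call it out in the message (or split it into its own commit), and check that a `ci-cd` label exists on the repository, since new github-actions PRs will carry `ci-cd` rather than `ci/cd` and any filters or saved searches keyed on the old label will stop matching them.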

.github/workflows/README.md

Lines changed: 19 additions & 0 deletions
@@ -144,6 +144,25 @@ See
144144
[Automated Dependency Management](../../docs/MONOREPO_SEMANTIC_RELEASE.md#automated-dependency-management)
145145
for details.
146146

147+
### [dependabot-auto-merge.yml](dependabot-auto-merge.yml)
148+
149+
**Trigger:** `pull_request_target` on Dependabot PRs
150+
151+
**Purpose:** Enable GitHub native auto-merge on low-risk Dependabot PRs so they merge
152+
once required CI checks pass
153+
154+
**Steps:**
155+
156+
- Read update metadata via `dependabot/fetch-metadata`
157+
- For patch/minor updates, run `gh pr merge --auto --squash`
158+
- Major version bumps are skipped and left for human review
159+
160+
**Permissions:** `contents: write`, `pull-requests: write`
161+
162+
**Requires:** "Allow auto-merge" enabled in repo settings, and branch protection on
163+
`main` with required status checks (auto-merge waits for green; it never bypasses a
164+
failing check).
165+
147166
### [copilot-setup-steps.yml](copilot-setup-steps.yml)
148167

149168
**Type:** Reusable workflow
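Review bot: the **Steps** list omits the job's author guard (`if: github.event.pull_request.user.login == 'dependabot[bot]'`) and the fact that the job never checks out the PR's code; together those are what make `pull_request_target` with `contents: write` acceptable here. Document both in this README entry, so that a later edit that adds an `actions/checkout` of the PR head or loosens the `if` is recognised as a security change to a privileged workflow rather than a convenience tweak.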
Lines changed: 50 additions & 0 deletions
@@ -0,0 +1,50 @@
1+
name: Dependabot auto-merge
2+
3+
# Enable GitHub's native auto-merge on low-risk Dependabot PRs so they merge
4+
# themselves once required CI checks pass. Branch protection still gates the
5+
# merge — this only flips the "auto-merge when green" switch; it never bypasses
6+
# a failing check. Major version bumps are intentionally left for human review.
7+
#
8+
# Requires:
9+
# - "Allow auto-merge" enabled in repo settings (Settings → General).
10+
# - Branch protection on `main` with required status checks, so a PR cannot
11+
# merge until CI is green.
12+
13+
on: pull_request_target
14+
15+
# Least privilege at the workflow level; the job opts into the write scopes it
16+
# needs. Keeps any future job added here from inheriting repo write access by
17+
# default — important since this workflow runs on pull_request_target.
18+
permissions: {}
19+
20+
jobs:
21+
auto-merge:
22+
runs-on: ubuntu-latest
23+
permissions:
24+
contents: write
25+
pull-requests: write
26+
# Gate on the PR author from the event payload, not github.actor — actor is
27+
# whoever triggered the event (a human editing/labeling a Dependabot PR would
28+
# be the actor), whereas user.login is the stable PR author. This is the form
29+
# GitHub's own Dependabot auto-merge docs use.
30+
if: github.event.pull_request.user.login == 'dependabot[bot]'
31+
steps:
32+
- name: Fetch Dependabot metadata
33+
id: meta
34+
uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a # v2.5.0
35+
36+
- name: Enable auto-merge for patch and minor updates
37+
# Explicit allow-list: only semver patch/minor bumps auto-merge. A bare
38+
# `!= semver-major` would also let through pep440-major (Python packages
39+
# use PEP440 versioning, and this repo has a `uv` ecosystem), plus
40+
# `indeterminate`, `in-range`/`outside-range`, and security update-types
41+
# — anything not on this list is left for human review. Grouped PRs
42+
# report the highest bump in the group, so a group containing a major
43+
# falls through to manual review.
44+
if: >-
45+
steps.meta.outputs.update-type == 'version-update:semver-patch' ||
46+
steps.meta.outputs.update-type == 'version-update:semver-minor'
47+
run: gh pr merge --auto --squash "$PR_URL"
48+
env:
49+
PR_URL: ${{ github.event.pull_request.html_url }}
50+
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
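Review bot: the `Requires:` block covers "Allow auto-merge" and required status checks but not required reviews: if branch protection on `main` also requires an approving review, `gh pr merge --auto --squash` will enable auto-merge and then wait for an approval that nothing in this workflow provides, so patch/minor PRs will accumulate instead of merging. State explicitly that reviews must not be required for Dependabot PRs, or add a `gh pr review --approve "$PR_URL"` step if auto-approval is the intended policy. The step comment also asserts specific `update-type` values (`pep440-major`, `indeterminate`, `in-range`/`outside-range`) as fetch-metadata outputs; a link to the action's README next to that comment would let a reviewer verify the allow-list against the pinned v2.5.0 without guessing.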
