Skip to content

Commit 9caf05b

Browse files
dougborgclaude
andcommitted
ci: add npm Dependabot ecosystem and Dependabot auto-merge
Adds an npm ecosystem entry for packages/katana-client (the package-lock.json CI gates with `npm ci`), closing the TypeScript client's dependency-update gap. Adds dependabot-auto-merge.yml: enables GitHub native auto-merge on patch/minor Dependabot PRs via dependabot/fetch-metadata + `gh pr merge --auto --squash`. Major bumps are left for human review. Requires "Allow auto-merge" and branch protection with required checks (auto-merge waits for green; never bypasses). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent aa5384f commit 9caf05b

3 files changed

Lines changed: 89 additions & 0 deletions

File tree

.github/dependabot.yml

Lines changed: 27 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,8 @@
44
#
55
# Supported ecosystems:
66
# - uv: Python dependencies via pyproject.toml and uv.lock (GA since March 2025)
7+
# - npm: TypeScript client deps via packages/katana-client/package-lock.json
8+
# (the lockfile CI gates with `npm ci` in the typescript-client job)
79
# - github-actions: Workflow action versions
810
# - docker: Base images in Dockerfiles
911
#
@@ -36,6 +38,31 @@ updates:
3638
prefix: "chore(deps)"
3739
include: "scope"
3840

41+
# TypeScript client (npm — packages/katana-client/package-lock.json)
42+
# This is the lockfile CI installs from (`npm ci` in the typescript-client job).
43+
# The root pnpm workspace lockfile is not gated by CI, so it's intentionally
44+
# not tracked here to avoid churning a lockfile nothing verifies.
45+
- package-ecosystem: "npm"
46+
directory: "/packages/katana-client"
47+
schedule:
48+
interval: "weekly"
49+
day: "monday"
50+
time: "09:00"
51+
timezone: "UTC"
52+
open-pull-requests-limit: 10
53+
labels:
54+
- "dependencies"
55+
- "typescript"
56+
groups:
57+
# Group minor/patch updates to reduce PR noise
58+
npm-minor-patch:
59+
update-types:
60+
- "minor"
61+
- "patch"
62+
commit-message:
63+
prefix: "chore(deps)"
64+
include: "scope"
65+
3966
# GitHub Actions
4067
- package-ecosystem: "github-actions"
4168
directory: "/"

.github/workflows/README.md

Lines changed: 19 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -123,6 +123,25 @@ See
123123
[Automated Dependency Management](../../docs/MONOREPO_SEMANTIC_RELEASE.md#automated-dependency-management)
124124
for details.
125125

126+
### [dependabot-auto-merge.yml](dependabot-auto-merge.yml)
127+
128+
**Trigger:** `pull_request_target` on Dependabot PRs
129+
130+
**Purpose:** Enable GitHub native auto-merge on low-risk Dependabot PRs so they merge
131+
once required CI checks pass
132+
133+
**Steps:**
134+
135+
- Read update metadata via `dependabot/fetch-metadata`
136+
- For patch/minor updates, run `gh pr merge --auto --squash`
137+
- Major version bumps are skipped and left for human review
138+
139+
**Permissions:** `contents: write`, `pull-requests: write`
140+
141+
**Requires:** "Allow auto-merge" enabled in repo settings, and branch protection on
142+
`main` with required status checks (auto-merge waits for green; it never bypasses a
143+
failing check).
144+
126145
### [copilot-setup-steps.yml](copilot-setup-steps.yml)
127146

128147
**Type:** Reusable workflow
Lines changed: 43 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,43 @@
1+
name: Dependabot auto-merge
2+
3+
# Enable GitHub's native auto-merge on low-risk Dependabot PRs so they merge
4+
# themselves once required CI checks pass. Branch protection still gates the
5+
# merge — this only flips the "auto-merge when green" switch; it never bypasses
6+
# a failing check. Major version bumps are intentionally left for human review.
7+
#
8+
# Requires:
9+
# - "Allow auto-merge" enabled in repo settings (Settings → General).
10+
# - Branch protection on `main` with required status checks, so a PR cannot
11+
# merge until CI is green.
12+
13+
on: pull_request_target
14+
15+
permissions:
16+
contents: write
17+
pull-requests: write
18+
19+
jobs:
20+
auto-merge:
21+
runs-on: ubuntu-latest
22+
# Only act on PRs opened by Dependabot.
23+
if: github.actor == 'dependabot[bot]'
24+
steps:
25+
- name: Fetch Dependabot metadata
26+
id: meta
27+
uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a # v2.5.0
28+
29+
- name: Enable auto-merge for patch and minor updates
30+
# Explicit allow-list: only semver patch/minor bumps auto-merge. A bare
31+
# `!= semver-major` would also let through pep440-major (Python packages
32+
# use PEP440 versioning, and this repo has a `uv` ecosystem), plus
33+
# `indeterminate`, `in-range`/`outside-range`, and security update-types
34+
# — anything not on this list is left for human review. Grouped PRs
35+
# report the highest bump in the group, so a group containing a major
36+
# falls through to manual review.
37+
if: >-
38+
steps.meta.outputs.update-type == 'version-update:semver-patch' ||
39+
steps.meta.outputs.update-type == 'version-update:semver-minor'
40+
run: gh pr merge --auto --squash "$PR_URL"
41+
env:
42+
PR_URL: ${{ github.event.pull_request.html_url }}
43+
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

0 commit comments

Comments
 (0)