File tree Expand file tree Collapse file tree
Expand file tree Collapse file tree Original file line number Diff line number Diff line change 44#
55# Supported ecosystems:
66# - uv: Python dependencies via pyproject.toml and uv.lock (GA since March 2025)
7+ # - npm: TypeScript client deps via packages/katana-client/package-lock.json
8+ # (the lockfile CI gates with `npm ci` in the typescript-client job)
79# - github-actions: Workflow action versions
810# - docker: Base images in Dockerfiles
911#
@@ -36,6 +38,31 @@ updates:
3638 prefix : " chore(deps)"
3739 include : " scope"
3840
41+ # TypeScript client (npm — packages/katana-client/package-lock.json)
42+ # This is the lockfile CI installs from (`npm ci` in the typescript-client job).
43+ # The root pnpm workspace lockfile is not gated by CI, so it's intentionally
44+ # not tracked here to avoid churning a lockfile nothing verifies.
45+ - package-ecosystem : " npm"
46+ directory : " /packages/katana-client"
47+ schedule :
48+ interval : " weekly"
49+ day : " monday"
50+ time : " 09:00"
51+ timezone : " UTC"
52+ open-pull-requests-limit : 10
53+ labels :
54+ - " dependencies"
55+ - " typescript"
56+ groups :
57+ # Group minor/patch updates to reduce PR noise
58+ npm-minor-patch :
59+ update-types :
60+ - " minor"
61+ - " patch"
62+ commit-message :
63+ prefix : " chore(deps)"
64+ include : " scope"
65+
3966 # GitHub Actions
4067 - package-ecosystem : " github-actions"
4168 directory : " /"
Original file line number Diff line number Diff line change 123123[ Automated Dependency Management] ( ../../docs/MONOREPO_SEMANTIC_RELEASE.md#automated-dependency-management )
124124for details.
125125
126+ ### [ dependabot-auto-merge.yml] ( dependabot-auto-merge.yml )
127+
128+ ** Trigger:** ` pull_request_target ` on Dependabot PRs
129+
130+ ** Purpose:** Enable GitHub native auto-merge on low-risk Dependabot PRs so they merge
131+ once required CI checks pass
132+
133+ ** Steps:**
134+
135+ - Read update metadata via ` dependabot/fetch-metadata `
136+ - For patch/minor updates, run ` gh pr merge --auto --squash `
137+ - Major version bumps are skipped and left for human review
138+
139+ ** Permissions:** ` contents: write ` , ` pull-requests: write `
140+
141+ ** Requires:** "Allow auto-merge" enabled in repo settings, and branch protection on
142+ ` main ` with required status checks (auto-merge waits for green; it never bypasses a
143+ failing check).
144+
126145### [ copilot-setup-steps.yml] ( copilot-setup-steps.yml )
127146
128147** Type:** Reusable workflow
Original file line number Diff line number Diff line change 1+ name : Dependabot auto-merge
2+
3+ # Enable GitHub's native auto-merge on low-risk Dependabot PRs so they merge
4+ # themselves once required CI checks pass. Branch protection still gates the
5+ # merge — this only flips the "auto-merge when green" switch; it never bypasses
6+ # a failing check. Major version bumps are intentionally left for human review.
7+ #
8+ # Requires:
9+ # - "Allow auto-merge" enabled in repo settings (Settings → General).
10+ # - Branch protection on `main` with required status checks, so a PR cannot
11+ # merge until CI is green.
12+
13+ on : pull_request_target
14+
15+ permissions :
16+ contents : write
17+ pull-requests : write
18+
19+ jobs :
20+ auto-merge :
21+ runs-on : ubuntu-latest
22+ # Only act on PRs opened by Dependabot.
23+ if : github.actor == 'dependabot[bot]'
24+ steps :
25+ - name : Fetch Dependabot metadata
26+ id : meta
27+ uses : dependabot/fetch-metadata@v2
28+
29+ - name : Enable auto-merge for patch and minor updates
30+ # update-type is semver-major / semver-minor / semver-patch. Auto-merge
31+ # everything except majors. Grouped PRs report the highest bump in the
32+ # group, so a group containing a major is treated as a major and skipped.
33+ if : steps.meta.outputs.update-type != 'version-update:semver-major'
34+ run : gh pr merge --auto --squash "$PR_URL"
35+ env :
36+ PR_URL : ${{ github.event.pull_request.html_url }}
37+ GH_TOKEN : ${{ secrets.GITHUB_TOKEN }}
You can’t perform that action at this time.
0 commit comments