
ci: add npm Dependabot ecosystem and Dependabot auto-merge#958

Open

dougborg wants to merge 1 commit into main from chore/deps-npm-and-automerge

Conversation

@dougborg

Owner

Summary

Closes the two gaps in our automated dependency-update story.

  • npm Dependabot ecosystem for packages/katana-client — the package-lock.json CI actually installs from (npm ci in the typescript-client job). The TypeScript client's deps previously got zero automated updates. Weekly, minor/patch grouped, chore(deps) prefix, typescript label. The root pnpm workspace lockfile is intentionally not tracked (nothing in CI gates it).
  • dependabot-auto-merge.yml — enables GitHub native auto-merge on patch/minor Dependabot PRs via dependabot/fetch-metadata + gh pr merge --auto --squash. Major bumps are left for human review.

⚠️ Repo-settings prerequisites for auto-merge

These can't be set from code:

  1. Settings → General → "Allow auto-merge" must be enabled.
  2. Branch protection on main with required status checks — without required checks, --auto merges on approval rather than waiting for green CI.

The workflow uses pull_request_target but does not check out PR code (API-only), which is the recommended safe pattern.

Testing

  • YAML validated; pre-commit suite (mdformat, yamllint, pytest) green.

🤖 Generated with Claude Code

Copilot AI review requested due to automatic review settings June 14, 2026 19:01

Copilot AI left a comment

Contributor


Pull request overview

Adds coverage for TypeScript (npm) dependency updates and introduces a GitHub Actions workflow to automatically enable GitHub native auto-merge for low-risk Dependabot PRs, improving the repo’s automated dependency maintenance.

Changes:

  • Add dependabot-auto-merge.yml workflow to enable auto-merge on qualifying Dependabot PRs.
  • Extend .github/dependabot.yml to track npm updates for packages/katana-client (package-lock–driven CI installs).
  • Document the new workflow in .github/workflows/README.md.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

Files reviewed:

  • .github/workflows/README.md: documents the new Dependabot auto-merge workflow and its prerequisites.
  • .github/workflows/dependabot-auto-merge.yml: implements the Dependabot PR auto-merge enablement via dependabot/fetch-metadata + gh pr merge --auto.
  • .github/dependabot.yml: adds npm ecosystem updates for packages/katana-client with weekly grouped minor/patch updates.

Comment thread .github/workflows/dependabot-auto-merge.yml Outdated
@dougborg dougborg force-pushed the chore/deps-npm-and-automerge branch from f28b848 to 9caf05b June 16, 2026 00:16
@dougborg dougborg requested a review from Copilot June 16, 2026 01:26
@dougborg dougborg force-pushed the chore/deps-npm-and-automerge branch from 9caf05b to 9be6fa9 June 16, 2026 01:27

Copilot AI left a comment

Contributor


Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

Comment thread .github/workflows/dependabot-auto-merge.yml Outdated
Copilot AI review requested due to automatic review settings June 16, 2026 01:31
@dougborg dougborg force-pushed the chore/deps-npm-and-automerge branch from 9be6fa9 to 968e14b June 16, 2026 01:31

Copilot AI left a comment

Contributor


Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

Comment thread .github/dependabot.yml
Comment thread .github/workflows/dependabot-auto-merge.yml Outdated
@dougborg dougborg force-pushed the chore/deps-npm-and-automerge branch from 968e14b to 0492ee2 June 16, 2026 15:47
Adds an npm ecosystem entry for packages/katana-client (the package-lock.json
CI gates with `npm ci`), closing the TypeScript client's dependency-update gap.

Adds dependabot-auto-merge.yml: enables GitHub native auto-merge on patch/minor
Dependabot PRs via dependabot/fetch-metadata + `gh pr merge --auto --squash`.
Major bumps are left for human review. Requires "Allow auto-merge" and branch
protection with required checks (auto-merge waits for green; never bypasses).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings June 16, 2026 16:50
@dougborg dougborg force-pushed the chore/deps-npm-and-automerge branch from 0492ee2 to 95110cc June 16, 2026 16:50

Copilot AI left a comment

Contributor


Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

Comment on lines +26 to +30
# Gate on the PR author from the event payload, not github.actor — actor is
# whoever triggered the event (a human editing/labeling a Dependabot PR would
# be the actor), whereas user.login is the stable PR author. This is the form
# GitHub's own Dependabot auto-merge docs use.
if: github.event.pull_request.user.login == 'dependabot[bot]'
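Review bot: The author gate on the `if:` line is the right predicate for a `pull_request_target` workflow, and the comment correctly explains why `github.actor` would be the wrong field, but the gate bounds who can trigger the job, not what the job can do; since this job runs with a token from the base repository, make sure it also declares an explicit job-level `permissions:` block limited to `contents: write` and `pull-requests: write` (not visible in these five lines) and that no `actions/checkout` step appears in the same job, so the "API-only" property the PR description relies on is enforced by the file rather than by convention.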