ci: add npm Dependabot ecosystem and Dependabot auto-merge #958
Open
dougborg wants to merge 1 commit into
Pull request overview
Adds coverage for TypeScript (npm) dependency updates and introduces a GitHub Actions workflow to automatically enable GitHub native auto-merge for low-risk Dependabot PRs, improving the repo’s automated dependency maintenance.
Changes:
- Add `dependabot-auto-merge.yml` workflow to enable auto-merge on qualifying Dependabot PRs.
- Extend `.github/dependabot.yml` to track npm updates for `packages/katana-client` (package-lock–driven CI installs).
- Document the new workflow in `.github/workflows/README.md`.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| `.github/workflows/README.md` | Documents the new Dependabot auto-merge workflow and its prerequisites. |
| `.github/workflows/dependabot-auto-merge.yml` | Implements the Dependabot PR auto-merge enablement via `dependabot/fetch-metadata` + `gh pr merge --auto`. |
| `.github/dependabot.yml` | Adds npm ecosystem updates for `packages/katana-client` with weekly grouped minor/patch updates. |
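The kind of npm ecosystem entry the table describes, written here as an added illustration rather than the PR's actual `.github/dependabot.yml`. The directory path follows the `packages/katana-client` location named above; the group name `minor-and-patch` and the `open-pull-requests-limit` value are assumptions, and the `chore(deps)` prefix and `typescript` label follow the PR description.

```yaml
# Added example (not the PR's file): a weekly, grouped minor/patch
# npm update entry for one package in a monorepo.
version: 2
updates:
  - package-ecosystem: "npm"
    # Dependabot looks for package.json / package-lock.json in this directory.
    directory: "/packages/katana-client"
    schedule:
      interval: "weekly"
    # Cap open PRs so a noisy week cannot flood the queue (assumed value).
    open-pull-requests-limit: 5
    commit-message:
      prefix: "chore(deps)"
    labels:
      - "typescript"
    groups:
      # Minor and patch bumps land in one PR; major bumps are excluded from
      # the group and therefore arrive as separate PRs for human review.
      minor-and-patch:
        update-types:
          - "minor"
          - "patch"
```

With `update-types` limited to minor and patch, a major bump never joins the group, which is what lets a downstream auto-merge workflow treat grouped PRs as low risk.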
Adds an npm ecosystem entry for packages/katana-client (the package-lock.json CI gates with `npm ci`), closing the TypeScript client's dependency-update gap.

Adds dependabot-auto-merge.yml: enables GitHub native auto-merge on patch/minor Dependabot PRs via dependabot/fetch-metadata + `gh pr merge --auto --squash`. Major bumps are left for human review. Requires "Allow auto-merge" and branch protection with required checks (auto-merge waits for green; never bypasses).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Comment on lines +26 to +30:

```yaml
# Gate on the PR author from the event payload, not github.actor — actor is
# whoever triggered the event (a human editing/labeling a Dependabot PR would
# be the actor), whereas user.login is the stable PR author. This is the form
# GitHub's own Dependabot auto-merge docs use.
if: github.event.pull_request.user.login == 'dependabot[bot]'
```
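Review bot: the `user.login` gate on line +30 establishes who opened the PR, not who pushed its current head, so on its own it does not prove the head commit is Dependabot's; that is acceptable here only because, as the PR description states, this `pull_request_target` workflow is API-only and never checks out PR code, and the comment block on lines +26 to +29 should say so rather than only explaining the `github.actor` distinction. A single added line such as `# Safe under pull_request_target only because this job never checks out or runs PR code.` would record the invariant a future editor must not break.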
Summary
Closes the two gaps in our automated dependency-update story.
- `packages/katana-client`: the `package-lock.json` CI actually installs from (`npm ci` in the `typescript-client` job). The TypeScript client's deps previously got zero automated updates. Weekly, minor/patch grouped, `chore(deps)` prefix, `typescript` label. The root pnpm workspace lockfile is intentionally not tracked (nothing in CI gates it).
- `dependabot-auto-merge.yml`: enables GitHub native auto-merge on patch/minor Dependabot PRs via `dependabot/fetch-metadata` + `gh pr merge --auto --squash`. Major bumps are left for human review.

These can't be set from code:

- `main` with required status checks: without required checks, `--auto` merges on approval rather than waiting for green CI.

The workflow uses `pull_request_target` but does not check out PR code (API-only), which is the recommended safe pattern.

Testing
🤖 Generated with Claude Code