Skip to content

Commit f92485f

Browse files
chore: sync dependabot config from template (#10)
Tiered auto-merge: patch/minor grouped and auto-merged on green CI; majors open individual PRs for deliberate review. TS/Node majors ignored here -- upgraded deliberately as project work.
1 parent 2451650 commit f92485f

2 files changed

Lines changed: 59 additions & 13 deletions

File tree

.github/dependabot.yml

Lines changed: 30 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -1,30 +1,47 @@
11
version: 2
2+
3+
# Canonical dependabot config for npm/TypeScript repos in forgesworn.
4+
# Synced from forgesworn/.github/templates/dependabot/dependabot.npm.yml.
5+
# Edit the template, not individual repos -- run the propagator to sync.
6+
#
7+
# Tiering:
8+
# patch + minor -> grouped, auto-merged on green CI
9+
# major -> individual PR, manual review
10+
# TS / Node / framework majors -> ignored here, upgraded deliberately
11+
212
updates:
3-
# npm dependencies — rendezvous-kit has runtime dependencies,
4-
# so production bumps matter. Keep production and development
5-
# groups separate so a runtime-dep bump doesn't hide inside
6-
# a batch of devDep noise.
713
- package-ecosystem: npm
814
directory: "/"
915
schedule:
1016
interval: weekly
1117
day: monday
12-
open-pull-requests-limit: 5
13-
groups:
14-
production-dependencies:
15-
dependency-type: production
16-
dev-dependencies:
17-
dependency-type: development
18+
open-pull-requests-limit: 10
1819
commit-message:
1920
prefix: chore
2021
include: scope
21-
# GitHub Actions references in .github/workflows. Monthly is
22-
# frequent enough; a weekly cadence would produce mostly trivial
23-
# SHA bumps.
22+
groups:
23+
production-minor:
24+
dependency-type: production
25+
update-types: ["patch", "minor"]
26+
dev-minor:
27+
dependency-type: development
28+
update-types: ["patch", "minor"]
29+
ignore:
30+
- dependency-name: "typescript"
31+
update-types: ["version-update:semver-major"]
32+
- dependency-name: "@types/node"
33+
update-types: ["version-update:semver-major"]
34+
- dependency-name: "node"
35+
update-types: ["version-update:semver-major"]
36+
2437
- package-ecosystem: github-actions
2538
directory: "/"
2639
schedule:
2740
interval: monthly
41+
open-pull-requests-limit: 5
2842
commit-message:
2943
prefix: chore
3044
include: scope
45+
groups:
46+
actions-minor:
47+
update-types: ["patch", "minor"]
Lines changed: 29 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,29 @@
1+
name: Dependabot auto-merge
2+
3+
# Auto-merges dependabot PRs for patch/minor bumps once required checks pass.
4+
# Majors are never auto-merged -- they open a normal PR for deliberate review.
5+
# Security advisories always open their own PR and follow the same gate.
6+
#
7+
# Synced from forgesworn/.github/templates/dependabot/dependabot-auto-merge.yml.
8+
9+
on: pull_request
10+
11+
permissions:
12+
contents: write
13+
pull-requests: write
14+
15+
jobs:
16+
auto-merge:
17+
if: github.event.pull_request.user.login == 'dependabot[bot]'
18+
runs-on: ubuntu-latest
19+
steps:
20+
- name: Fetch dependabot metadata
21+
id: meta
22+
uses: dependabot/fetch-metadata@d7267f607e9d3fb96fc2fbe83e0af444713e90b7 # v2.3.0
23+
24+
- name: Enable auto-merge for patch/minor
25+
if: steps.meta.outputs.update-type == 'version-update:semver-patch' || steps.meta.outputs.update-type == 'version-update:semver-minor'
26+
env:
27+
PR_URL: ${{ github.event.pull_request.html_url }}
28+
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
29+
run: gh pr merge --auto --squash --delete-branch "$PR_URL"

0 commit comments

Comments
 (0)