Skip to content

Commit 27ff9a7

Browse files
committed
fix(ci): group dependabot updates and harden release workflow
Group Dependabot version updates by ecosystem so related bumps land in one PR: github-actions and devcontainers each group all patterns, while npm groups non-breaking (minor and patch) updates and keeps the existing pnpm release cooldown. Pin the weekly schedule explicitly to monday across all three ecosystems. Move the release-please config and manifest into .github (dropping the leading dot from the manifest) and point the action at them via config-file and manifest-file. Add a reattribute job that rewrites the release-PR commit author to github-actions[bot] since the action commits as the PAT owner, and mark it continue-on-error because the PR branch may already be deleted when it runs. Switch the release-please and dependabot auto-merge approval tokens to the GH_PAT so the bot can trigger workflows and its approval counts, and skip the greetings job for dependabot[bot]. Relocate CODEOWNERS into .github and add the Dependabot-managed paths (package manifest, workflows, devcontainer) co-owned by @iwf-web/ci so the bot's auto-approval satisfies the code-owner requirement. Add a devcontainer-lock.json pinning feature digests. Align the AGENTS.md intro wording and note that CLAUDE.md imports it via @AGENTS.md. Extend the LICENSE copyright to 2025-2026, add the Keep a Changelog header, and bump the pinned pnpm to 11.9.0.
1 parent 3492977 commit 27ff9a7

13 files changed

Lines changed: 121 additions & 10 deletions
Lines changed: 29 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,29 @@
1+
{
2+
"features": {
3+
"ghcr.io/devcontainers-extra/features/act:1": {
4+
"version": "1.0.15",
5+
"resolved": "ghcr.io/devcontainers-extra/features/act@sha256:db4a2194930d1f7ec62822d4f600dd2fa4aff3c33b98cdb0b578b64ffb10924c",
6+
"integrity": "sha256:db4a2194930d1f7ec62822d4f600dd2fa4aff3c33b98cdb0b578b64ffb10924c"
7+
},
8+
"ghcr.io/devcontainers/features/common-utils:2": {
9+
"version": "2.5.9",
10+
"resolved": "ghcr.io/devcontainers/features/common-utils@sha256:cb0c4d3c276f157eed17935747e364178d75fee17f55c4e129966f64633deb3a",
11+
"integrity": "sha256:cb0c4d3c276f157eed17935747e364178d75fee17f55c4e129966f64633deb3a"
12+
},
13+
"ghcr.io/devcontainers/features/docker-outside-of-docker:1": {
14+
"version": "1.10.0",
15+
"resolved": "ghcr.io/devcontainers/features/docker-outside-of-docker@sha256:c2c2cf829505ead8e4892c88c31b6594ae94a2bbb209e16e1fac456c1a3a624e",
16+
"integrity": "sha256:c2c2cf829505ead8e4892c88c31b6594ae94a2bbb209e16e1fac456c1a3a624e"
17+
},
18+
"ghcr.io/devcontainers/features/github-cli:1": {
19+
"version": "1.1.0",
20+
"resolved": "ghcr.io/devcontainers/features/github-cli@sha256:d22f50b70ed75339b4eed1ba9ecde3a1791f90e88d37936517e3bace0bbad671",
21+
"integrity": "sha256:d22f50b70ed75339b4eed1ba9ecde3a1791f90e88d37936517e3bace0bbad671"
22+
},
23+
"ghcr.io/devcontainers/features/node:2": {
24+
"version": "2.1.0",
25+
"resolved": "ghcr.io/devcontainers/features/node@sha256:586c9a6f7dd40bd3ba2cd41e7f2f88dcc31fbe5d1442afcbf07ffbc66b686857",
26+
"integrity": "sha256:586c9a6f7dd40bd3ba2cd41e7f2f88dcc31fbe5d1442afcbf07ffbc66b686857"
27+
}
28+
}
29+
}

.github/CODEOWNERS

Lines changed: 14 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,14 @@
1+
# https://docs.github.com/en/github/creating-cloning-and-archiving-repositories/about-code-owners
2+
# Last matching pattern wins. Only ONE listed owner needs to approve, not all.
3+
4+
# Default owner for everything.
5+
* @D3strukt0r
6+
7+
# Files Dependabot manages — @iwf-web/CI (incl. the bot user) can also review,
8+
# so the bot's auto-approval satisfies the code-owner requirement on these paths.
9+
# npm
10+
/package.json @D3strukt0r @iwf-web/CI
11+
# github-actions
12+
/.github/workflows/ @D3strukt0r @iwf-web/CI
13+
# devcontainers
14+
/.devcontainer/ @D3strukt0r @iwf-web/CI

.github/dependabot.yml

Lines changed: 17 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -13,9 +13,14 @@ updates:
1313
labels:
1414
- "dependabot :robot:"
1515
schedule:
16-
interval: weekly # on monday
16+
interval: weekly
17+
day: monday
1718
time: '09:30'
1819
timezone: Europe/Zurich
20+
groups:
21+
github-actions:
22+
patterns:
23+
- "*"
1924

2025
- package-ecosystem: devcontainers
2126
directory: /
@@ -24,8 +29,13 @@ updates:
2429
- "dependabot :robot:"
2530
schedule:
2631
interval: weekly
32+
day: monday
2733
time: '09:30'
2834
timezone: Europe/Zurich
35+
groups:
36+
devcontainers:
37+
patterns:
38+
- "*"
2939

3040
- package-ecosystem: npm # pnpm
3141
directory: /
@@ -34,7 +44,13 @@ updates:
3444
- "dependabot :robot:"
3545
schedule:
3646
interval: weekly
47+
day: monday
3748
time: '09:30'
3849
timezone: Europe/Zurich
3950
cooldown:
4051
default-days: 1 # Match pnpm 11 default minimumReleaseAge (1440 min = 1 day)
52+
groups:
53+
npm-non-breaking:
54+
update-types:
55+
- minor
56+
- patch

.github/workflows/dependabot-automerge.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -29,7 +29,7 @@ jobs:
2929
if: steps.metadata.outputs.update-type == 'version-update:semver-minor' || steps.metadata.outputs.update-type == 'version-update:semver-patch'
3030
env:
3131
PR_URL: ${{ github.event.pull_request.html_url }}
32-
GITHUB_TOKEN: ${{ github.token }}
32+
GITHUB_TOKEN: ${{ secrets.GH_PAT }}
3333
run: |
3434
gh pr checkout "$PR_URL" # sets the upstream metadata for `gh pr status`
3535
if [ "$(gh pr status --json reviewDecision -q .currentBranch.reviewDecision)" != "APPROVED" ]; then

.github/workflows/greetings.yml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -16,6 +16,7 @@ jobs:
1616
greeting:
1717
name: Greet First-Time Contributors
1818
runs-on: ubuntu-latest
19+
if: github.actor != 'dependabot[bot]'
1920

2021
steps:
2122
- name: Greet First-Time Contributors

.github/workflows/release.yml

Lines changed: 51 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -14,10 +14,60 @@ jobs:
1414
pull-requests: write
1515
outputs:
1616
release_created: ${{ steps.release.outputs.release_created }}
17+
# Non-empty JSON when release-please created or updated a release PR
18+
# this run. Used by `reattribute` below to decide whether to amend.
19+
pr: ${{ steps.release.outputs.pr }}
1720
steps:
1821
- name: Create Release PR
19-
uses: googleapis/release-please-action@v5
2022
id: release
23+
uses: googleapis/release-please-action@v5
24+
with:
25+
config-file: .github/release-please-config.json
26+
manifest-file: .github/release-please-manifest.json
27+
# Bot PAT with access to Workflows
28+
# The built-in GITHUB_TOKEN has cannot trigger other workflows
29+
token: ${{ secrets.GH_PAT }}
30+
31+
# release-please-action commits the release PR's contents as the PAT
32+
# owner (the action has no input to override the commit author). Re-attribute
33+
# to github-actions[bot] so the PR shows the bot as author instead of the
34+
# person the PAT belongs to.
35+
reattribute:
36+
needs: release-please
37+
if: ${{ needs.release-please.outputs.pr != '' }}
38+
runs-on: ubuntu-latest
39+
permissions:
40+
contents: write
41+
# Cosmetic best-effort: rewrites the release-PR commit author to the bot. If
42+
# the release PR is merged before this runs, its branch is deleted and the
43+
# checkout below can't fetch it — don't fail the release workflow over that.
44+
continue-on-error: true
45+
env:
46+
# release-please's branch name varies by config (`release-please--branches--<base>`
47+
# for single-package, with extra `--components--<name>` segments for component mode).
48+
# The action emits the PR object as JSON — pull `headBranchName` from it instead of
49+
# guessing the pattern.
50+
PR_BRANCH: ${{ fromJSON(needs.release-please.outputs.pr).headBranchName }}
51+
steps:
52+
- name: Checkout release-please branch
53+
uses: actions/checkout@v7
54+
with:
55+
token: ${{ secrets.GH_PAT }}
56+
ref: ${{ env.PR_BRANCH }}
57+
fetch-depth: 2
58+
59+
- name: Configure git
60+
run: |
61+
git config user.name "github-actions[bot]"
62+
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
63+
64+
- name: Amend release commit as github-actions[bot]
65+
run: |
66+
set -euo pipefail
67+
# --reset-author rewrites both author and committer to the configured
68+
# identity; --no-edit keeps the existing commit message verbatim.
69+
git commit --amend --reset-author --no-edit
70+
git push origin "$PR_BRANCH" --force-with-lease
2171
2272
publish:
2373
needs: release-please

AGENTS.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
# AGENTS.md
22

3-
This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
3+
This file provides guidance to coding agents (Claude Code, etc.) when working with code in this repository. `CLAUDE.md` simply imports this file via `@AGENTS.md`.
44

55
## Project Overview
66

CHANGELOG.md

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,10 @@
11
# Changelog
22

3+
All notable changes to this project will be documented in this file.
4+
5+
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
6+
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
7+
38
## [1.1.0](https://github.com/iwf-web/eslint-coding-standard/compare/1.0.0...1.1.0) (2026-03-25)
49

510

0 commit comments

Comments
 (0)