|
| 1 | +# Automation: Merge stuck Dependabot PRs |
| 2 | + |
| 3 | +Use this spec to create a **Cursor Cloud Agent Automation** at |
| 4 | +[cursor.com/automations/new](https://cursor.com/automations/new). |
| 5 | + |
| 6 | +## UI settings |
| 7 | + |
| 8 | +| Setting | Value | |
| 9 | +| --------------- | ------------------------------------------------------------------ | |
| 10 | +| **Name** | Merge stuck Dependabot PRs | |
| 11 | +| **Trigger** | Scheduled → Custom cron: `0 1 * * *` (daily 10:00 JST / 01:00 UTC) | |
| 12 | +| **Repository** | `laststance/create-react-app-vite` → branch `main` | |
| 13 | +| **Model** | Composer 2.5 (or latest available) | |
| 14 | +| **Permissions** | Private (or Team Owned if shared) | |
| 15 | + |
| 16 | +### Tools to enable |
| 17 | + |
| 18 | +- **Pull request creation** (default on) |
| 19 | +- **Comment on pull request** (optional — for skip/failure summaries) |
| 20 | + |
| 21 | +## Instructions (paste into the automation prompt) |
| 22 | + |
| 23 | +```text |
| 24 | +Daily Dependabot PR sweep for this repository. |
| 25 | +
|
| 26 | +## Goal |
| 27 | +
|
| 28 | +Find open Dependabot pull requests that are stuck and merge their dependency |
| 29 | +updates onto current main — the same workflow used when PRs pile up with merge |
| 30 | +conflicts. |
| 31 | +
|
| 32 | +## Step 1 — Discover stuck PRs |
| 33 | +
|
| 34 | +List open pull requests authored by `dependabot[bot]` (or with the |
| 35 | +`dependencies` label if present). |
| 36 | +
|
| 37 | +Treat a PR as **stuck** when ANY of these is true: |
| 38 | +
|
| 39 | +- `mergeable` is `CONFLICTING` or `mergeStateStatus` is `DIRTY` |
| 40 | +- The PR has been open for 3+ days with no merge |
| 41 | +- Required checks are green but the PR is still open and not auto-merging |
| 42 | +
|
| 43 | +If no stuck Dependabot PRs exist, reply with a one-line summary and stop. |
| 44 | +
|
| 45 | +## Step 2 — Try direct merge first |
| 46 | +
|
| 47 | +For each stuck PR that is mergeable (no conflicts): |
| 48 | +
|
| 49 | +1. Ensure CI would pass — run `pnpm validate` on a branch that includes the PR changes. |
| 50 | +2. Merge with `gh pr merge <number> --merge --admin`. |
| 51 | +3. Record the result. |
| 52 | +
|
| 53 | +Skip to Step 4 for PRs handled here. |
| 54 | +
|
| 55 | +## Step 3 — Resolve conflicted Dependabot PRs (bulk merge) |
| 56 | +
|
| 57 | +When multiple Dependabot PRs conflict with each other or with `main`: |
| 58 | +
|
| 59 | +1. Check out `main` and pull latest. |
| 60 | +2. Create a branch: `cursor/merge-dependabot-prs-<short-hash>`. |
| 61 | +3. Apply every pending version bump from the stuck PRs to `package.json` on |
| 62 | + current `main` (do NOT cherry-pick old Dependabot commits — they may be |
| 63 | + based on stale `main`). |
| 64 | +4. If `react` is bumped, also bump `react-dom` to the same semver range so |
| 65 | + React versions stay aligned (mismatch fails tests). |
| 66 | +5. Run `pnpm install` to refresh `pnpm-lock.yaml`. |
| 67 | +6. Run `pnpm validate` (test + lint:fix + typecheck + build). All must pass. |
| 68 | +7. Commit, push, open a PR titled |
| 69 | + `chore(deps): merge stuck Dependabot dependency updates` and reference the |
| 70 | + superseded PR numbers in the body. |
| 71 | +8. Merge that PR into `main` with `gh pr merge --merge --admin`. |
| 72 | +9. For each original Dependabot branch, run: |
| 73 | + `git push origin main:refs/heads/<dependabot-branch> --force-with-lease` |
| 74 | + so GitHub auto-closes the obsolete PRs. |
| 75 | +
|
| 76 | +## Step 4 — Report |
| 77 | +
|
| 78 | +Post a short summary (as the agent result / PR comment if enabled): |
| 79 | +
|
| 80 | +- PRs merged directly |
| 81 | +- PRs consolidated via bulk merge PR (with link) |
| 82 | +- PRs skipped (with reason: failing tests, major breaking bump, etc.) |
| 83 | +- Confirm zero open Dependabot PRs remain, or list any still blocked |
| 84 | +
|
| 85 | +## Repository constraints (from AGENTS.md) |
| 86 | +
|
| 87 | +- Package manager: `pnpm` only |
| 88 | +- Validation command: `pnpm validate` |
| 89 | +- Do not skip lockfile updates |
| 90 | +- `pnpm-workspace.yaml` has `minimumReleaseAge: 1440` — if install fails for |
| 91 | + a brand-new package, note it and skip that bump rather than forcing it |
| 92 | +
|
| 93 | +## Safety rules |
| 94 | +
|
| 95 | +- Do NOT merge if `pnpm validate` fails. |
| 96 | +- Do NOT force-merge major-version bumps without checking release notes for |
| 97 | + breaking changes. |
| 98 | +- Prefer one consolidated PR over merging conflicted Dependabot branches |
| 99 | + individually. |
| 100 | +- Always work on current `main`, not stale Dependabot branch bases. |
| 101 | +``` |
| 102 | + |
| 103 | +## After creating the automation |
| 104 | + |
| 105 | +1. Open [cursor.com/automations](https://cursor.com/automations) and confirm |
| 106 | + the automation is **Active**. |
| 107 | +2. Use **Run now** once to verify it behaves as expected. |
| 108 | +3. Adjust the cron time in the UI if 10:00 JST does not suit your schedule. |
0 commit comments