Skip to content

Commit 191ac08

Browse files
authored
Merge pull request #1590 from laststance/cursor/dependabot-automation-spec-0f66
docs: add Cursor Automation spec for stuck Dependabot PRs
2 parents 0652101 + 7f5a0e0 commit 191ac08

2 files changed

Lines changed: 121 additions & 0 deletions

File tree

Lines changed: 108 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,108 @@
1+
# Automation: Merge stuck Dependabot PRs
2+
3+
Use this spec to create a **Cursor Cloud Agent Automation** at
4+
[cursor.com/automations/new](https://cursor.com/automations/new).
5+
6+
## UI settings
7+
8+
| Setting | Value |
9+
| --------------- | ------------------------------------------------------------------ |
10+
| **Name** | Merge stuck Dependabot PRs |
11+
| **Trigger** | Scheduled → Custom cron: `0 1 * * *` (daily 10:00 JST / 01:00 UTC) |
12+
| **Repository** | `laststance/create-react-app-vite` → branch `main` |
13+
| **Model** | Composer 2.5 (or latest available) |
14+
| **Permissions** | Private (or Team Owned if shared) |
15+
16+
### Tools to enable
17+
18+
- **Pull request creation** (default on)
19+
- **Comment on pull request** (optional — for skip/failure summaries)
20+
21+
## Instructions (paste into the automation prompt)
22+
23+
```text
24+
Daily Dependabot PR sweep for this repository.
25+
26+
## Goal
27+
28+
Find open Dependabot pull requests that are stuck and merge their dependency
29+
updates onto current main — the same workflow used when PRs pile up with merge
30+
conflicts.
31+
32+
## Step 1 — Discover stuck PRs
33+
34+
List open pull requests authored by `dependabot[bot]` (or with the
35+
`dependencies` label if present).
36+
37+
Treat a PR as **stuck** when ANY of these is true:
38+
39+
- `mergeable` is `CONFLICTING` or `mergeStateStatus` is `DIRTY`
40+
- The PR has been open for 3+ days with no merge
41+
- Required checks are green but the PR is still open and not auto-merging
42+
43+
If no stuck Dependabot PRs exist, reply with a one-line summary and stop.
44+
45+
## Step 2 — Try direct merge first
46+
47+
For each stuck PR that is mergeable (no conflicts):
48+
49+
1. Ensure CI would pass — run `pnpm validate` on a branch that includes the PR changes.
50+
2. Merge with `gh pr merge <number> --merge --admin`.
51+
3. Record the result.
52+
53+
Skip to Step 4 for PRs handled here.
54+
55+
## Step 3 — Resolve conflicted Dependabot PRs (bulk merge)
56+
57+
When multiple Dependabot PRs conflict with each other or with `main`:
58+
59+
1. Check out `main` and pull latest.
60+
2. Create a branch: `cursor/merge-dependabot-prs-<short-hash>`.
61+
3. Apply every pending version bump from the stuck PRs to `package.json` on
62+
current `main` (do NOT cherry-pick old Dependabot commits — they may be
63+
based on stale `main`).
64+
4. If `react` is bumped, also bump `react-dom` to the same semver range so
65+
React versions stay aligned (mismatch fails tests).
66+
5. Run `pnpm install` to refresh `pnpm-lock.yaml`.
67+
6. Run `pnpm validate` (test + lint:fix + typecheck + build). All must pass.
68+
7. Commit, push, open a PR titled
69+
`chore(deps): merge stuck Dependabot dependency updates` and reference the
70+
superseded PR numbers in the body.
71+
8. Merge that PR into `main` with `gh pr merge --merge --admin`.
72+
9. For each original Dependabot branch, run:
73+
`git push origin main:refs/heads/<dependabot-branch> --force-with-lease`
74+
so GitHub auto-closes the obsolete PRs.
75+
76+
## Step 4 — Report
77+
78+
Post a short summary (as the agent result / PR comment if enabled):
79+
80+
- PRs merged directly
81+
- PRs consolidated via bulk merge PR (with link)
82+
- PRs skipped (with reason: failing tests, major breaking bump, etc.)
83+
- Confirm zero open Dependabot PRs remain, or list any still blocked
84+
85+
## Repository constraints (from AGENTS.md)
86+
87+
- Package manager: `pnpm` only
88+
- Validation command: `pnpm validate`
89+
- Do not skip lockfile updates
90+
- `pnpm-workspace.yaml` has `minimumReleaseAge: 1440` — if install fails for
91+
a brand-new package, note it and skip that bump rather than forcing it
92+
93+
## Safety rules
94+
95+
- Do NOT merge if `pnpm validate` fails.
96+
- Do NOT force-merge major-version bumps without checking release notes for
97+
breaking changes.
98+
- Prefer one consolidated PR over merging conflicted Dependabot branches
99+
individually.
100+
- Always work on current `main`, not stale Dependabot branch bases.
101+
```
102+
103+
## After creating the automation
104+
105+
1. Open [cursor.com/automations](https://cursor.com/automations) and confirm
106+
the automation is **Active**.
107+
2. Use **Run now** once to verify it behaves as expected.
108+
3. Adjust the cron time in the UI if 10:00 JST does not suit your schedule.

AGENTS.md

Lines changed: 13 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -24,3 +24,16 @@ All standard commands are defined in `package.json` `scripts` — use those dire
2424

2525
- `pnpm-workspace.yaml` sets `minimumReleaseAge: 1440` (a 24h supply-chain delay). Newly published dependency versions may be temporarily unavailable to install until they age past that window; this is intentional, not a broken lockfile.
2626
- The pre-commit hook (`.husky/pre-commit``lint-staged`) auto-runs Prettier and `eslint --fix` on staged files, so commits can modify staged files.
27+
28+
### Dependabot PR sweep (scheduled automation)
29+
30+
A Cursor Cloud Agent Automation runs daily to unblock stuck Dependabot PRs.
31+
Full setup spec and prompt: `.cursor/automations/merge-stuck-dependabot-prs.md`.
32+
33+
When triggered, the agent should:
34+
35+
1. List open `dependabot[bot]` PRs and flag stuck ones (conflicts, stale, or green-but-unmerged).
36+
2. Try direct merge when possible; otherwise consolidate all pending bumps onto current `main` in one PR.
37+
3. Keep `react` and `react-dom` on the same version range when either is bumped.
38+
4. Run `pnpm install` and `pnpm validate` before merging.
39+
5. Force-update obsolete Dependabot branches to `main` so superseded PRs auto-close.

0 commit comments

Comments
 (0)