Skip to content

Commit 4a52caa

Browse files
authored
fix(ci): reduce dependabot backlog and harden API guards
Reduce Dependabot PR churn, fix auto-merge workflow guards, and harden API JSON/WebDAV validation.
1 parent b0eb3da commit 4a52caa

5 files changed

Lines changed: 179 additions & 60 deletions

File tree

.github/dependabot.yml

Lines changed: 8 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -7,11 +7,10 @@ updates:
77
- package-ecosystem: "npm"
88
directory: "/"
99
schedule:
10-
interval: "weekly"
11-
day: "monday"
10+
interval: "monthly"
1211
time: "09:00"
1312
timezone: "Asia/Shanghai"
14-
open-pull-requests-limit: 3
13+
open-pull-requests-limit: 1
1514
labels:
1615
- "dependencies"
1716
commit-message:
@@ -31,11 +30,10 @@ updates:
3130
- package-ecosystem: "npm"
3231
directory: "/client"
3332
schedule:
34-
interval: "weekly"
35-
day: "monday"
33+
interval: "monthly"
3634
time: "09:00"
3735
timezone: "Asia/Shanghai"
38-
open-pull-requests-limit: 5
36+
open-pull-requests-limit: 1
3937
labels:
4038
- "dependencies"
4139
- "frontend"
@@ -56,11 +54,10 @@ updates:
5654
- package-ecosystem: "npm"
5755
directory: "/server"
5856
schedule:
59-
interval: "weekly"
60-
day: "monday"
57+
interval: "monthly"
6158
time: "09:00"
6259
timezone: "Asia/Shanghai"
63-
open-pull-requests-limit: 5
60+
open-pull-requests-limit: 1
6461
labels:
6562
- "dependencies"
6663
- "backend"
@@ -81,10 +78,10 @@ updates:
8178
- package-ecosystem: "github-actions"
8279
directory: "/"
8380
schedule:
84-
interval: "weekly"
85-
day: "monday"
81+
interval: "monthly"
8682
time: "09:00"
8783
timezone: "Asia/Shanghai"
84+
open-pull-requests-limit: 1
8885
labels:
8986
- "dependencies"
9087
commit-message:
Lines changed: 17 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,8 @@
11
name: Dependabot Auto-Merge
22

3-
on: pull_request
3+
on:
4+
pull_request:
5+
types: [opened, synchronize, reopened, ready_for_review]
46

57
permissions:
68
pull-requests: write
@@ -9,31 +11,31 @@ permissions:
911
jobs:
1012
dependabot:
1113
runs-on: ubuntu-latest
12-
if: github.actor == 'dependabot[bot]'
14+
if: github.event.pull_request.user.login == 'dependabot[bot]' && !github.event.pull_request.draft
1315
steps:
1416
- name: Fetch Dependabot metadata
1517
id: dependabot-metadata
16-
uses: dependabot/fetch-metadata@v3
18+
uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98
1719
with:
18-
github-token: "${{ secrets.GITHUB_TOKEN }}"
20+
github-token: "${{ github.token }}"
21+
22+
- name: Mark major updates for manual review
23+
if: steps.dependabot-metadata.outputs.update-type == 'version-update:semver-major'
24+
run: gh pr edit "$PR_URL" --add-label "major-update" || true
25+
env:
26+
PR_URL: ${{ github.event.pull_request.html_url }}
27+
GH_TOKEN: ${{ github.token }}
1928

2029
- name: Auto-Approve minor/patch updates
2130
if: steps.dependabot-metadata.outputs.update-type == 'version-update:semver-patch' || steps.dependabot-metadata.outputs.update-type == 'version-update:semver-minor'
2231
run: gh pr review --approve "$PR_URL"
2332
env:
24-
PR_URL: ${{github.event.pull_request.html_url}}
25-
GH_TOKEN: ${{secrets.PAT_TOKEN}}
33+
PR_URL: ${{ github.event.pull_request.html_url }}
34+
GH_TOKEN: ${{ github.token }}
2635

2736
- name: Enable Auto-Merge (Squash) for minor/patch
2837
if: steps.dependabot-metadata.outputs.update-type == 'version-update:semver-patch' || steps.dependabot-metadata.outputs.update-type == 'version-update:semver-minor'
2938
run: gh pr merge --auto --squash "$PR_URL"
3039
env:
31-
PR_URL: ${{github.event.pull_request.html_url}}
32-
GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
33-
34-
- name: Label major updates for manual review
35-
if: steps.dependabot-metadata.outputs.update-type == 'version-update:semver-major'
36-
run: gh pr edit "$PR_URL" --add-label "major-update"
37-
env:
38-
PR_URL: ${{github.event.pull_request.html_url}}
39-
GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
40+
PR_URL: ${{ github.event.pull_request.html_url }}
41+
GH_TOKEN: ${{ github.token }}

client/eslint.config.mjs

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -13,5 +13,5 @@ export default [
1313
"security/detect-object-injection": "off",
1414
},
1515
},
16-
{ ignores: ["dist/", "node_modules/", "*.config.*"] },
16+
{ ignores: ["dist/", "node_modules/", ".wrangler/", "*.config.*"] },
1717
];

server/eslint.config.mjs

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -13,5 +13,5 @@ export default [
1313
"security/detect-object-injection": "off",
1414
},
1515
},
16-
{ ignores: ["dist/", "node_modules/", "*.config.*"] },
16+
{ ignores: ["dist/", "node_modules/", ".wrangler/", "*.config.*"] },
1717
];

0 commit comments

Comments
 (0)