36 changes: 24 additions & 12 deletions .github/dependabot.yml
@@ -1,23 +1,35 @@
# Dependabot: security + version updates with a 7-day cooldown, grouped to cut churn.
# Patch/minor are auto-merged by .github/workflows/dependabot-auto-merge.yml; majors are
# left for a human (and the holistic security bot surfaces majors/no-fix advisories with
# remediation guidance). Security updates (advisory-driven) also honor the cooldown/groups.
version: 2
updates:
# Keep package.json dependencies patched. Combined with GitHub's
# Dependabot security updates (enabled in repo Settings > Security),
# this opens PRs for both routine version bumps and CVE fixes.
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
interval: "daily"
cooldown:
default-days: 7
open-pull-requests-limit: 10
labels:
- "dependencies"
commit-message:
prefix: "chore(deps)"
groups:
# Batch low-risk dev tooling updates into a single PR to cut noise.
dev-dependencies:
dependency-type: "development"
update-types:
- "minor"
- "patch"
npm-minor-patch:
update-types: ["minor", "patch"]

# Keep the GitHub Actions used by these workflows up to date.
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
interval: "daily"
cooldown:
default-days: 7
open-pull-requests-limit: 10
labels:
- "dependencies"
commit-message:
prefix: "chore(actions)"
groups:
actions-minor-patch:
update-types: ["minor", "patch"]
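Review bot: The header comment at the top of the hunk says security updates "also honor the cooldown/groups", but neither `npm-minor-patch` nor `actions-minor-patch` carries `applies-to: "security-updates"`, and as far as I recall a group without that key applies to version updates only, so advisory-driven PRs would be opened ungrouped; either add `applies-to: "security-updates"` to the groups meant to cover advisories or narrow the comment to version updates. Whether the 7-day `cooldown` is meant to delay CVE fixes as well is a policy decision worth stating explicitly, since a week of exposure on a known advisory is not obviously the intent of a config that otherwise optimises for churn. Which of the two npm groups (`dev-dependencies`, `npm-minor-patch`) is on the new side cannot be told from this rendering; if both survive, a one-line comment such as `# Dependabot assigns a dependency to the first matching group, so dev deps land in dev-dependencies.` would make the overlap deliberate rather than accidental.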
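--- a/.github/workflows/dependabot-auto-merge.yml
+++ b/.github/workflows/dependabot-auto-merge.yml
@@ -0,0 +1,33 @@
+name: Dependabot auto-merge
+
+# Auto-merge Dependabot's patch/minor updates once required checks pass; leave majors for
+# a human. Rule-based (semver) — the deeper, investigating merge judgment lives in the
+# separate holistic security bot.
+on: pull_request
+
+permissions:
+contents: write
+pull-requests: write
+
+jobs:
+auto-merge:
+if: ${{ github.actor == 'dependabot[bot]' }}
+runs-on: ubuntu-latest
+steps:
+- name: Fetch Dependabot metadata
+id: meta
+uses: dependabot/fetch-metadata@v2
+
+- name: Auto-merge patch/minor
+if: ${{ steps.meta.outputs.update-type == 'version-update:semver-patch' || steps.meta.outputs.update-type == 'version-update:semver-minor' }}
+env:
+PR_URL: ${{ github.event.pull_request.html_url }}
+GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+run: gh pr merge --auto --squash "$PR_URL"
+
+- name: Leave majors for a human
+if: ${{ steps.meta.outputs.update-type == 'version-update:semver-major' }}
+env:
+PR_URL: ${{ github.event.pull_request.html_url }}
+GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+run: gh pr comment "$PR_URL" --body "🚧 Major update — not auto-merged (policy: auto-merge patch/minor only). Leaving for human review."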
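Review bot: `uses: dependabot/fetch-metadata@v2` is pinned to a mutable tag inside a job that holds `contents: write` and `pull-requests: write`, so whoever can move that tag controls the step that decides what gets merged; pin it to the full commit SHA with a version comment, `uses: dependabot/fetch-metadata@<FULL-COMMIT-SHA>  # v2`, and the `actions-minor-patch` group in dependabot.yml will keep the SHA current. The header comment's "once required checks pass" is only true if branch protection on the target branch requires status checks: `gh pr merge --auto` merges as soon as the PR satisfies whatever protection exists, and as far as I recall it fails outright when the repository's "Allow auto-merge" setting is off, so that precondition belongs in the comment, e.g. `# Requires branch protection with required status checks and "Allow auto-merge" enabled.` The `if:` gate on `github.actor` is fail-safe (a PR the bot did not trigger simply skips the job) but is not itself a merge authorization, so the comment should not read as if it were one.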