diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 8c89b28..21d66b0 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,23 +1,35 @@ +# Dependabot: security + version updates with a 7-day cooldown, grouped to cut churn. +# Patch/minor are auto-merged by .github/workflows/dependabot-auto-merge.yml; majors are +# left for a human (and the holistic security bot surfaces majors/no-fix advisories with +# remediation guidance). Security updates (advisory-driven) also honor the cooldown/groups. version: 2 updates: - # Keep package.json dependencies patched. Combined with GitHub's - # Dependabot security updates (enabled in repo Settings > Security), - # this opens PRs for both routine version bumps and CVE fixes. - package-ecosystem: "npm" directory: "/" schedule: - interval: "weekly" + interval: "daily" + cooldown: + default-days: 7 open-pull-requests-limit: 10 + labels: + - "dependencies" + commit-message: + prefix: "chore(deps)" groups: - # Batch low-risk dev tooling updates into a single PR to cut noise. - dev-dependencies: - dependency-type: "development" - update-types: - - "minor" - - "patch" + npm-minor-patch: + update-types: ["minor", "patch"] - # Keep the GitHub Actions used by these workflows up to date. - package-ecosystem: "github-actions" directory: "/" schedule: - interval: "weekly" + interval: "daily" + cooldown: + default-days: 7 + open-pull-requests-limit: 10 + labels: + - "dependencies" + commit-message: + prefix: "chore(actions)" + groups: + actions-minor-patch: + update-types: ["minor", "patch"] diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml new file mode 100644 index 0000000..2a9747a --- /dev/null +++ b/.github/workflows/dependabot-auto-merge.yml @@ -0,0 +1,33 @@ +name: Dependabot auto-merge + +# Auto-merge Dependabot's patch/minor updates once required checks pass; leave majors for +# a human. Rule-based (semver) — the deeper, investigating merge judgment lives in the +# separate holistic security bot. +on: pull_request + +permissions: + contents: write + pull-requests: write + +jobs: + auto-merge: + if: ${{ github.actor == 'dependabot[bot]' }} + runs-on: ubuntu-latest + steps: + - name: Fetch Dependabot metadata + id: meta + uses: dependabot/fetch-metadata@v2 + + - name: Auto-merge patch/minor + if: ${{ steps.meta.outputs.update-type == 'version-update:semver-patch' || steps.meta.outputs.update-type == 'version-update:semver-minor' }} + env: + PR_URL: ${{ github.event.pull_request.html_url }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: gh pr merge --auto --squash "$PR_URL" + + - name: Leave majors for a human + if: ${{ steps.meta.outputs.update-type == 'version-update:semver-major' }} + env: + PR_URL: ${{ github.event.pull_request.html_url }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: gh pr comment "$PR_URL" --body "🚧 Major update — not auto-merged (policy: auto-merge patch/minor only). Leaving for human review."