chore: group Dependabot updates and fix auto-merge method#32
Merged
JohnRDOrazio merged 2 commits into main, May 2, 2026
Conversation
Commit 1:

- Group npm and github-actions minor/patch bumps into single weekly PRs (majors stay individual so they retain human review).
- Add a header comment recording the action-pin policy: workflows must reference third-party actions by commit SHA with a trailing version comment, and Dependabot rewrites both atomically. Tag-only pins are forbidden.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Commit 2: …merge

The repo only allows merge commits (allow_squash_merge and allow_rebase_merge are both off). The auto-merge workflow was calling 'gh pr merge --auto --squash', which the GitHub merge endpoint rejects with 'Squash merges are not allowed on this repository'. Every recent non-major Dependabot PR failed at the merge step; only major-version runs passed because their merge step was filtered out by the update-type guard, masking the breakage. Switching to '--merge' aligns the workflow with the repo's merge policy.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Two related changes to make the Dependabot pipeline both quieter and actually functional.
1. chore(deps) — group minor/patch updates and document the SHA-pin policy

   npm and github-actions now batch into one weekly PR per ecosystem instead of one per dependency. Majors stay ungrouped so they keep human review. .github/dependabot.yml records that workflow files must reference third-party actions by commit SHA with a trailing version comment ('actions/checkout@<sha> # v6'). Dependabot rewrites both the SHA and the comment atomically; tag-only pins are forbidden because they widen the trust surface silently.

2. fix(actions) — use merge commit instead of squash for Dependabot auto-merge

   The repo allows merge commits only (allow_squash_merge and allow_rebase_merge are both off). The auto-merge workflow was calling 'gh pr merge --auto --squash', which the GitHub merge endpoint rejected with 'Squash merges are not allowed on this repository'. Every recent non-major Dependabot PR failed at the merge step; only major-version runs passed, because their merge step was filtered out by the update-type guard — that masked the breakage in the run history. Switching to '--merge' aligns the workflow with the repo's policy.

Test plan

- '@dependabot recreate' on each non-major open Dependabot PR (chore(actions): Bump pandoc/actions from ae312111f8aecde13e11672badd8c90a26b036c0 to 86321b6dd4675f5014c611e05088e10d4939e09e #27; chore(actions): Bump actions/setup-node from 6.3.0 to 6.4.0 #28; chore(deps): Bump markdownlint-cli2 from 0.22.0 to 0.22.1 #29; chore(deps): Bump prettier from 3.8.1 to 3.8.3 #31) so the new workflow re-evaluates them; verify auto-merge enables and the merge succeeds with a merge commit
- pandoc/actions SHA bump) — Dependabot rendered it as a raw-SHA-only title. Verify the resulting workflow diff still keeps the trailing '# v...' comment intact rather than stripping it
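As an added example (not this repository's workflow file), a minimal auto-merge workflow that shows the update-type guard and the '--merge' fix from item 2 together with the SHA-pin convention from item 1; the file name, job name and the <PIN_SHA> placeholder are assumptions, and the guard's skip behaviour is why a wrong merge flag only surfaced on non-major runs.

```yaml
# Hypothetical .github/workflows/dependabot-auto-merge.yml (added example, not the repo's file).
# Pin policy, as recorded in dependabot.yml: third-party actions are referenced by full
# commit SHA with a trailing version comment; Dependabot rewrites SHA and comment together.
name: Dependabot auto-merge

on: pull_request

permissions:
  contents: write        # required for 'gh pr merge'
  pull-requests: write   # required to enable auto-merge on the PR

jobs:
  auto-merge:
    # Only act on PRs opened by Dependabot itself, never on human or fork PRs.
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - name: Fetch Dependabot metadata
        id: meta
        # <PIN_SHA> is a placeholder: substitute the action's 40-character commit SHA.
        uses: dependabot/fetch-metadata@<PIN_SHA> # v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Enable auto-merge (minor/patch only; majors keep human review)
        # Major bumps skip this step entirely and the run passes, so a failing merge
        # command is visible only on minor/patch runs; check those when debugging.
        if: steps.meta.outputs.update-type != 'version-update:semver-major'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_URL: ${{ github.event.pull_request.html_url }}
        # '--merge' (merge commit) matches a repo where allow_squash_merge and
        # allow_rebase_merge are both off; '--squash' is rejected by the merge endpoint.
        run: gh pr merge --auto --merge "$PR_URL"
```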