governance(ci): exempt Dependabot from gate + consolidate bumps (#12-#14)#15
Merged
Dependabot[bot] cannot author our PR template sections or the Agent:/Consulted: commit trailers, so its PRs fail pr-body-check and commit-trailer-check on every run by construction (not a code defect). Add a job-level `if: github.actor != 'dependabot[bot]'` to those two jobs so they skip (neutral/green) for the bot. The PII/secret governance-lint job still runs on Dependabot PRs, and bumps remain reviewed via .github/dependabot.yml (license/provenance).

This is a deliberate, owner-approved carve-out of the enforcement stack (SCOPE_GUARDRAILS §2.11) — it narrows two checks for a trusted, configured bot only; human/AI-agent PRs are unaffected and still fully gated.

Agent: claude-code/2.1.149
Consulted: AGENTS.md, .agent/CONSTITUTION.md#VIII, .agent/SCOPE_GUARDRAILS.md#2, .agent/HANDOFF_PROTOCOL.md#3, .github/PULL_REQUEST_TEMPLATE.md
Co-Authored-By: Claude <noreply@anthropic.com>
Consolidates the three new Dependabot PRs (#12-#14) as one governed commit, verified green locally (build + 312 tests).

NuGet (IUUT.Cli):
- Microsoft.Extensions.Logging.Console 8.0.0 -> 10.0.8 (Logging.Abstractions follows transitively; not a direct reference)

GitHub Actions (release.yml, exercised only on a release tag):
- actions/attest-build-provenance 1 -> 4
- softprops/action-gh-release 2 -> 3

Supersedes PRs #12, #13, #14 (closed as consolidated).

Agent: claude-code/2.1.149
Consulted: AGENTS.md, .agent/CONSTITUTION.md#VIII, .agent/SCOPE_GUARDRAILS.md#1,#2, .agent/SECURITY_PROTOCOL.md#8, .github/dependabot.yml
Co-Authored-By: Claude <noreply@anthropic.com>
Handoff-State: ready-for-review
Handoff-Notes: Done — gate exemption + 3 bumps committed, build/tests green (312). Next: PR into dev, merge, close #12-#14, FF main. The release.yml action bumps are only exercised on a vX.Y.Z tag, not in PR CI; verify on the next release. Do not remove the dependabot[bot] `if:` guards unless reverting the owner-approved exemption.
Summary
- Exempt `dependabot[bot]` from the PR body contract sections and Commit trailers jobs in `governance-check.yml` (they can't be satisfied by a bot). The PII/secret lint still runs on its PRs.
- Bump `Microsoft.Extensions.Logging.Console` 8.0.0 → 10.0.8, and `release.yml` attest-build-provenance 1 → 4 + action-gh-release 2 → 3.

Spec authorization
- `.agent/SCOPE_GUARDRAILS.md` §2.11 (enforcement-stack change — owner-approved carve-out) and §1.6 (CI tooling).
- `.github/dependabot.yml` governance note (version bumps of approved packages; license/provenance reviewed).

Consultation
Agent
Agent: claude-code/2.1.149
Files touched
- `.github/workflows/governance-check.yml` (job-level `if` on pr-body-check + commit-trailer-check; header note)
- `.github/workflows/release.yml` (attest-build-provenance@v4, action-gh-release@v3)
- `src/IUUT.Cli/IUUT.Cli.csproj` (Logging.Console 10.0.8)

Test plan
- `dotnet restore -p:Configuration=Release` + `build -c Release --no-restore` → 0 warnings, 0 errors
- `dotnet test -c Release --no-build` → 312/312 passed
- `release.yml` action bumps are exercised only on a `vX.Y.Z` tag, not in PR CI — to be confirmed at the next release.
- `if` only skips for `dependabot[bot]`.

Definition-of-Done checklist
- Branch `agent/claude/deps-gate-exempt-and-bumps`
- `Agent:`, `Consulted:`, `Co-Authored-By:` trailers
- `scripts/governance-lint.ps1` passes (no PII)
- No `--no-verify` / unjustified override

Drift declarations
This narrows the enforcement stack for `dependabot[bot]` only (SCOPE_GUARDRAILS §2.11). It is an owner-approved policy carve-out, not a silent weakening: human and AI-agent PRs remain fully gated, and the PII/secret lint still runs on Dependabot PRs. Rationale: a configured bot mechanically cannot emit our PR template or commit trailers, so those two checks produced guaranteed false failures on every bump.

Hand-off notes
- PR into `dev`, close chore(ci): Bump actions/attest-build-provenance from 1 to 4 #12 – chore(deps): Bump the microsoft-extensions group with 2 updates #14, fast-forward `main`.
- Do not remove the `dependabot[bot]` `if:` guards; keep `governance-lint` running on all PRs (PII safety).

Drift / Governance flags
- experimental
- requires-human-approval (enforcement-stack change — approved by owner 2026-06-01)
- governance-amendment
- cross-cutting
- emergency
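The guard the PR describes, shown as an added example rather than the repository's own `governance-check.yml`: the job ids `pr-body-check`, `commit-trailer-check` and `governance-lint`, the `Agent:`/`Consulted:` trailer names and the `scripts/governance-lint.ps1` path are taken from the PR text; the trigger, the steps inside each job, the section headings checked in the PR body and the action versions are assumptions made for illustration.

```yaml
# Added example, not the repository's own governance-check.yml.
# Job ids, trailer names and the lint script path come from the PR;
# triggers, steps, checked section headings and action versions are assumed.
name: governance-check
on:
  pull_request:
    types: [opened, synchronize, reopened, edited]

jobs:
  pr-body-check:
    # Job-level guard: dependabot[bot] cannot fill in the PR template, so the
    # job is skipped for it. A skipped job reports success, which is why a
    # required status check stays green on a Dependabot PR.
    if: github.actor != 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - name: Require the PR template sections
        env:
          # Passed via env rather than interpolated into the script, so a
          # crafted PR body cannot inject shell into this step.
          BODY: ${{ github.event.pull_request.body }}
        run: |
          for section in "## Summary" "## Spec authorization" "## Test plan"; do
            grep -qF -- "$section" <<<"$BODY" || { echo "missing section: $section"; exit 1; }
          done

  commit-trailer-check:
    if: github.actor != 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so base..head is resolvable
      - name: Require Agent:/Consulted: trailers on every PR commit
        env:
          BASE: ${{ github.event.pull_request.base.sha }}
          HEAD: ${{ github.event.pull_request.head.sha }}
        run: |
          for sha in $(git rev-list "$BASE..$HEAD"); do
            for key in Agent Consulted; do
              # %(trailers:key=...,valueonly) prints the trailer value, or nothing if absent
              [ -n "$(git log -1 --format="%(trailers:key=$key,valueonly)" "$sha")" ] \
                || { echo "$sha has no $key: trailer"; exit 1; }
            done
          done

  governance-lint:
    # Deliberately unguarded: the PII/secret lint runs on every PR, bot or human.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - shell: pwsh
        run: ./scripts/governance-lint.ps1
```

One caveat worth knowing before relying on this guard: `github.actor` is the account whose event triggered the run, not the PR author. The two checks therefore stop being skipped as soon as a human pushes to a Dependabot branch (for example to rebase it), and that run then fails on the bot's trailer-less commits. If the exemption should follow the PR author instead, key the condition on `github.event.pull_request.user.login`; the trade-off is that human commits appended to a bot PR would then also escape the two checks. Either way the lint job keeps no condition, matching the PR's intent that PII/secret scanning runs on everything.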