docs(routine): add weekly Dependabot triage prompt #136
Conversation
@codex review
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: feafb8f7a5
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Detect dependency type from the diff against `package.json`:

```bash
gh pr diff "<pr-number>" -- package.json examples/nurture-pet/package.json
```
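Review bot: `gh pr diff` accepts no git-style pathspec after `--` (its only file filter is `--exclude`), so this line fails at argument parsing on every run and the classification step never reaches the auto-merge/approval decision; the hard-coded `examples/nurture-pet/package.json` also goes stale with the Wave-0 rename to `examples/product-demo/` that #138 later had to sweep. Derive the changed `package.json` paths from the PR's own file list (`gh api repos/<owner>/<repo>/pulls/<pr-number>/files`) rather than enumerating them in the prompt, so the step survives both.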
**Replace unsupported path-filter invocation of `gh pr diff`**

The triage prompt asks the routine to run `gh pr diff "<pr-number>" -- package.json examples/nurture-pet/package.json`, but `gh pr diff` only supports a single optional PR argument plus flags (it does not accept git-style pathspecs after `--`; file filtering is via `--exclude`). In practice this command will error on argument parsing, so the dependency-type classification step can fail before any auto-merge/approval decision is made, blocking or derailing the weekly triage run.
Codex P1 on #136: `gh pr diff "<pr>" -- package.json …` is not supported — `gh pr diff` only takes `--exclude` glob filters, not git-style pathspecs. The triage prompt's classification step would have errored on argument parsing on every run, blocking the weekly drain. Switch to the REST `pulls/<num>/files` endpoint with a `jq` filter on filenames ending in `package.json`. Each file entry carries a `.patch` field (unified diff GitHub stores) — the routine inspects the +/- lines under the `dependencies` / `devDependencies` / `peerDependencies` keys to classify the bumped package. Refs codex finding on PR #136 PROMPT.md:55.
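The classification step as the fix above describes it, written out as an added example (not the dep-triage-bot prompt's own code): the `.patch` field of `GET repos/<owner>/<repo>/pulls/<num>/files` is a unified diff without file headers, so a hunk can open in the middle of a dependency block and the section is then unknown. The awk classifier tracks the enclosing `dependencies` / `devDependencies` / `peerDependencies` key, pairs each `-` line with its `+` line, and maps the bump to the triage-table action; anything it cannot place with confidence (unknown section, a version spec with no leading number, a brand-new package) fails closed to owner-only. The sample patch, the `fetch_package_json_patches` wrapper and the treatment of any other section as owner-only are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not the dep-triage-bot prompt's own code: classify the package
# bumps in a Dependabot PR from the unified-diff `.patch` field returned by
# GET repos/<owner>/<repo>/pulls/<num>/files, then map each bump to the triage
# table: dev-deps minor/patch -> auto-merge, runtime minor/patch ->
# approve-comment, majors + peer-deps -> owner-only.

# Live side (needs gh + network; not exercised by the embedded sample): one patch
# per package.json in the PR. `.patch` is absent for very large files, so
# `// empty` drops those instead of emitting the literal "null".
fetch_package_json_patches() {
  # $1 = owner/repo, $2 = PR number
  gh api "repos/$1/pulls/$2/files" --paginate \
    --jq '.[] | select(.filename | endswith("package.json")) | .patch // empty'
}

# stdin: unified diff of one package.json. stdout, one line per added/changed
# entry: <section> <name> <old>-><new> <action>. Unknown section, a version
# spec with no leading number, or a package with no `-` line fail closed.
classify_patch() {
  awk '
    function quoted(line, k,    s, i) {     # k-th double-quoted string on the line
      s = line
      for (i = 0; i < 2 * k - 1; i++) sub(/^[^"]*"/, "", s)
      sub(/".*/, "", s)
      return s
    }
    function major(v,    t) {               # leading integer of a range spec, "" if none
      t = v
      sub(/^[^0-9]*/, "", t)
      if (t !~ /^[0-9]/) return ""
      sub(/[^0-9].*/, "", t)
      return t
    }
    function decide(sec, a, b) {
      if (sec == "unknown" || sec == "peerDependencies") return "owner-only"
      if (major(a) == "" || major(b) == "" || major(a) != major(b)) return "owner-only"
      if (sec == "devDependencies") return "auto-merge"
      if (sec == "dependencies") return "approve-comment"
      return "owner-only"                   # assumption: any other section goes to the owner
    }
    BEGIN { section = "unknown" }
    /^@@/ { section = "unknown"; next }     # a hunk may open mid-block
    {
      body = substr($0, 2)                  # drop the +/-/space marker
      if (body ~ /^[ \t]*"(dependencies|devDependencies|peerDependencies)"[ \t]*:/) {
        section = quoted(body, 1); next
      }
      if (body ~ /^[ \t]*[}]/) { section = "unknown"; next }
      if ($0 ~ /^-[ \t]*"/) { oldv[quoted(body, 1)] = quoted(body, 2); next }
      if ($0 ~ /^\+[ \t]*"/) {
        name = quoted(body, 1); nv = quoted(body, 2)
        print section, name, oldv[name] "->" nv, decide(section, oldv[name], nv)
      }
    }'
}

# Constructed sample patch (not from a real PR): two runtime bumps, one of them a
# major, one dev-dep patch bump, and a second hunk that opens mid-block.
SAMPLE_PATCH=$(cat <<'EOF'
@@ -10,9 +10,9 @@
   "dependencies": {
-    "express": "^4.18.2",
-    "fastify": "^4.26.0"
+    "express": "^4.19.0",
+    "fastify": "^5.0.0"
   },
   "devDependencies": {
-    "typescript": "^5.3.0",
+    "typescript": "^5.4.0",
     "vitest": "^1.0.0"
   }
@@ -40,4 +40,4 @@
-    "left-pad": "^1.3.0",
+    "left-pad": "^1.3.1"
   }
 }
EOF
)

triage_sample() { printf '%s\n' "$SAMPLE_PATCH" | classify_patch; }

triage_sample
```

Run it with no arguments to see the four classified lines for the sample; on a live PR, pipe `fetch_package_json_patches owner/repo 123` into `classify_patch` once per returned patch. The `left-pad` line lands in `owner-only` only because its hunk carries no section header: the routine should treat that as "ask for more context" (re-fetch with the file's full content) rather than guess, since a mis-filed peer or runtime dependency would otherwise ride the auto-merge path.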
@codex review Fixed P1 on PROMPT.md:55 — replaced the unsupported

Codex Review: Didn't find any major issues. Nice work!
…h sweep (#138)

Tracks: #131

## What changed

The dep-triage-bot prompt landed in #136 with a rolling-tracker pattern (`Dependency triage — develop`, append-comment-per-run, `Last triaged SHAs` mapping in the body). The daily code-review bot has since refactored to issue-per-run (#135) — this PR brings dep-triage-bot in line, and promotes the convention to the umbrella so every future cloud routine inherits it.

### Convention applied

- **Dedicated GitHub label per routine.** No shared `automation` umbrella label.
- **Issue per run.** Body holds the run's full punch list. Owner closes manually once everything in the body is resolved.
- **Quiet runs leave no trace.** No-op runs do NOT open an issue.
- **Per-object state on the artifact, not on a shared tracker.** For dep-triage that means an HTML comment marker `<!-- dep-triaged:<head-sha7>:<action> -->` on the Dependabot PR itself, read at the start of the next run for skip detection.

### Files

- `docs/dep-triage-bot/PROMPT.md` — replaced rolling-tracker output, idempotency, and process-gate sections with issue-per-run + per-PR-comment-marker. Hard-rules + dry-run + failure-handling sections updated to match.
- `docs/dep-triage-bot/README.md` — output sink description, setup checklist, tradeoffs, and a new "Bot label convention" table mapping each routine to its label.
- `docs/plans/2026-04-26-quality-automation-routines.md` (umbrella) — added a new "Cloud-routine output convention" subsection under "Downstream PR contract" so rows 3+ inherit the rule. Updated row 3 + row 4 chunk plans inline so their PRs follow it: no-op leaves no trace, only failures open a labelled per-run issue.
- `docs/plans/2026-04-26-quality-actions-bump-bot.md` — output / failure-handling sections rewritten to the new convention.
- `docs/plans/2026-04-26-quality-plan-recon-bot.md` — same.

### Demo-path sweep (Wave 0 of #129 / merged as #134)

The Wave-0 rename of `examples/nurture-pet/` → `examples/product-demo/` merged on 2026-04-26 (commit `c734d6a`). This PR sweeps the lingering `examples/nurture-pet/` references in the active quality plans + the dep-triage-bot prompt so the chunk plans + cloud routine all point at the post-rename path:

- `docs/dep-triage-bot/PROMPT.md` — three references swapped; the now-stale Wave-0 sequencing conditional dropped.
- `docs/plans/2026-04-26-quality-automation-routines.md` — "Coordination with PR #129" section condensed to a `RESOLVED` stub linking to #134; risk-register row updated.
- `docs/plans/2026-04-26-quality-dep-triage-bot.md` — example-shape comment swapped.
- `docs/plans/2026-04-26-quality-demo-smoke.md` — every path swapped; the "Step 0: Decide demo path" pre-flight + the "Rename-coordination follow-up" footer collapsed to a one-paragraph `RESOLVED` stub.

Other lingering `nurture-pet` references live in archived plans, code JSDoc, and one test file — those are out of scope for this PR (separate cleanup-sweep follow-up if the owner wants the codebase fully aligned).

### Labels created in repo

```bash
gh label create dep-triage-bot --color FBCA04 --description "Per-run findings from the weekly dep-triage cloud routine"
gh label create actions-bump-bot --color D93F0B --description "Failure issues from the weekly actions-bump cloud routine"
gh label create plan-recon-bot --color 1D76DB --description "Failure issues from the monthly plan-recon cloud routine"
```

`review-bot` and `docs-review` were already in place.

## Verification

- `npm run verify` — green locally.
- Doc-only diff (no `src/**`, no changeset).
- No `dep-triage-bot` issues exist yet, so there is no rolling-tracker issue to retire — this lands the convention for the routine's first real run.

---------

Co-authored-by: Luis Mendez <hallo@luis-mendez.de>
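The skip-detection half of the per-PR marker convention from #138, as an added example (not the routine's own code): a marker only counts when it names the PR's current head, because a Dependabot rebase or a new push changes the head SHA and a stale marker must not suppress re-triage of commits nobody has looked at. The fetch commands in the comment, the sample comment thread and the "oldest first" ordering are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not the routine's own code: the per-PR skip check behind the
# `<!-- dep-triaged:<head-sha7>:<action> -->` marker described in #138.

# stdin: comment bodies on the Dependabot PR, oldest first (the default order of
# the issues/<num>/comments endpoint, assumed here). $1: the PR's current head
# SHA. Prints the action recorded for *this* head, or nothing if the PR needs
# triage. A marker written for an earlier head is deliberately ignored.
marker_action() {
  head7=$(printf '%s' "$1" | cut -c1-7)
  awk -v head="$head7" '
    match($0, /<!-- dep-triaged:[0-9a-f]+:[a-z-]+ -->/) {
      m = substr($0, RSTART, RLENGTH)
      split(m, f, ":")                 # f[2] = sha7, f[3] = "<action> -->"
      sub(/ -->$/, "", f[3])
      if (f[2] == head) last = f[3]    # the newest matching marker wins
    }
    END { if (last != "") print last }'
}

# Live side (needs gh + network; not exercised by the embedded sample):
#   head=$(gh pr view "$PR" --json headRefOid --jq .headRefOid)
#   gh api "repos/$REPO/issues/$PR/comments" --paginate --jq '.[].body' | marker_action "$head"

# Constructed comment thread (not from a real PR): Dependabot boilerplate, the
# marker left by the previous run, and a human reply.
SAMPLE_COMMENTS=$(printf '%s\n' \
  'Dependabot will resolve any conflicts with this PR as long as you do not alter it yourself.' \
  '<!-- dep-triaged:0a1b2c3:approve-comment -->' \
  'Looks fine to me, leaving the approval comment in place.')

skip_action_for() { printf '%s\n' "$SAMPLE_COMMENTS" | marker_action "$1"; }

skip_action_for 0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d   # same head -> "approve-comment"
skip_action_for 9f8e7d6c5b4a39281706f5e4d3c2b1a0f9e8d7c6   # new push -> nothing, re-triage
```

Because the marker is keyed on the head SHA rather than on the PR number, a run that already auto-merged or approved one revision cannot be replayed against a different one: the check is idempotent per commit, not per PR, which is the property the "per-object state on the artifact" rule is after.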
Tracks: #130
Tracks: #131
Adds the weekly Dependabot triage cloud-routine prompt + README scaffold under `docs/dep-triage-bot/`. Mirrors the existing `docs/review-bot/` and `docs/docs-review-bot/` shape (system prompt + README + rolling tracker issue, idempotency via canonical SHA list in issue body).

## What's in the diff

- `docs/dep-triage-bot/PROMPT.md` — system prompt: role, scope, triage policy table (dev-deps minor/patch auto-merge; runtime minor/patch approval-comment; majors + peer-deps owner-only), hard rules, output format (rolling tracker + per-PR table), idempotency, dry-run guard, failure handling.
- `docs/dep-triage-bot/README.md` — routine setup, sinks, iteration workflow, known tradeoffs.
- `.github/dependabot.yml` — added `npm-non-major` group block to BOTH npm ecosystem entries (root + `examples/nurture-pet`) so minor + patch updates land as one weekly bundled PR per ecosystem instead of N. Replaced the prior `dev-dependencies` group on the root entry — the new group covers both runtime + dev minors/patches under the same bundling policy. Major bumps remain ungrouped (one PR per major, owner-reviewed). GitHub Actions ecosystem grouping (`actions:`) is unchanged.
- `docs/plans/2026-04-26-quality-automation-routines.md` — ticked row 2 (this row) to `- [x] shipped` per the umbrella's tick rule.

## Out-of-repo follow-up (does NOT gate merge)

Once this PR lands, the owner needs to:

- Seed the rolling tracker issue `Dependency triage — develop` with label `dep-triage-bot` and the seed body documented in the `docs/dep-triage-bot/README.md` setup checklist.
- Schedule the routine at `0 8 * * 1` (Monday 08:00 UTC, one hour after Dependabot fires) using the wrapper prompt in the README.
- Allow auto-merge on the repo (`Settings → General → Pull Requests → Allow auto-merge`) so the dev-deps minor/patch path can actually `gh pr merge --auto --squash`.

All three are spelled out in the README's Setup checklist.

## Verification

- `npm run verify` — green locally on this branch.
- Doc-only diff (plus `.github/dependabot.yml`); no `src/**`, no changeset.
- Ticks row 2 of the umbrella tracker.