mesh-2815: automate dependabot #17
Also:
- Pinned all actions to SHAs and included full version comment
- Migrated to use correct Sonar GitHub action
Pull request overview
Automates Dependabot handling for this Flutter app: adds Dependabot config (pub + github-actions), an auto-merge workflow, Slack notification on failed Dependabot PR checks, and pins existing workflow actions to commit SHAs. Also migrates Sonar from SonarCloud to SonarQube scan action with coverage upload, updates the widget tests to the modern tester.view API, refreshes pubspec.lock to current pub.dev hashes/versions, ignores the coverage/ directory, and removes the now-ignored coverage/lcov.info.
Changes:
- Adds Dependabot config, auto-merge workflow, and Slack notification for Dependabot PR failures.
- Pins all GitHub Actions in `release.yml`/`pull-request.yml` to commit SHAs and switches to `sonarqube-scan-action` with `flutter test --coverage`.
- Modernises widget tests (`tester.view` + `addTearDown`), refreshes `pubspec.lock`, ignores `coverage/`, and deletes the committed `lcov.info`.
Reviewed changes
Copilot reviewed 8 out of 11 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| .github/dependabot.yml | New Dependabot config for pub and github-actions, grouped daily with cooldown. |
| .github/workflows/dependabot-auto-merge.yaml | New workflow to auto-approve and enable auto-merge on Dependabot PRs via a GitHub App token. |
| .github/workflows/pull-request.yml | Pins actions to SHAs, switches to SonarQube scan, runs tests with coverage, and adds Slack notification on Dependabot failures. |
| .github/workflows/release.yml | Pins actions to SHAs and adds a sonar-scan job running coverage + SonarQube scan. |
| .github/workflows/scheduled-combine-dependabot-prs.yaml | Pins github/combine-prs to SHA (v5.2.0). |
| .gitallowed | Allows GITHUB_TOKEN reference in the new Dependabot auto-merge workflow. |
| .gitignore | Ignores the coverage/ directory. |
| coverage/lcov.info | Removes the previously-committed coverage report. |
| sonar-project.properties | Removes projectVersion, adds sources, tests, test.inclusions, and dart.lcov.reportPaths. |
| pubspec.lock | Updates package versions/URLs to pub.dev and adds sha256 hashes; bumps SDK constraints. |
| test/widget_test.dart | Replaces deprecated setSurfaceSize/window.physicalSizeTestValue with tester.view + addTearDown resets. |



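As an added illustration (not code from this pull request or its reviewers), a small Python check for the pinning convention described above: each `uses:` reference pinned to a full commit SHA and followed by a version comment. The function name `audit_workflow`, the sample workflow and its placeholder SHAs are assumptions constructed for the example.

```python
import re

# A step's `uses:` reference (owner/repo[/path]@ref) with an optional trailing comment.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)['\"]?\s*(?:#\s*(.*))?$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_COMMENT_RE = re.compile(r"^v?\d+(\.\d+)*")  # e.g. "v5.2.0"


def audit_workflow(text):
    """Return (line_no, reference, problem) for each action that is not fully pinned."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        reference, comment = match.group(1), (match.group(2) or "").strip()
        # Local actions (./path) and docker:// images are not resolved via a git ref.
        if reference.startswith("./") or reference.startswith("docker://"):
            continue
        _, _, ref = reference.partition("@")
        if not ref:
            findings.append((line_no, reference, "no ref"))
        elif not FULL_SHA_RE.match(ref):
            findings.append((line_no, reference, "mutable ref (tag or branch)"))
        elif not VERSION_COMMENT_RE.match(comment):
            findings.append((line_no, reference, "SHA pinned but no version comment"))
    return findings


# Constructed sample workflow; the SHAs are placeholders, not real commit ids.
SAMPLE = """\
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/combine-prs@0123456789abcdef0123456789abcdef01234567 # v5.2.0
      - uses: example-org/example-action@89abcdef0123456789abcdef0123456789abcdef
      - uses: ./.github/actions/local-setup
      - name: Scan
        uses: example-org/scan-action@main
"""

if __name__ == "__main__":
    for line_no, reference, problem in audit_workflow(SAMPLE):
        print(f"line {line_no}: {reference}: {problem}")
```

Run over each file in `.github/workflows/`, a non-empty result can fail a CI step so that later edits do not reintroduce tag or branch references.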