ci(automation): stale sweep + path labeler + Dependabot auto-merge + APK size diff + issue templates #19
Both issue YAMLs were truncated stubs that asked for "what happened"
without enough structure to be triageable. Expand to include:
bug_report.yml:
- platform dropdown (iOS / Android / Web)
- OS version + device (iPhone 16 Pro, Pixel 9, etc.)
- shell-rendered logs/stack-trace block
- screenshots/video drop-zone
- pre-flight checkboxes (duplicate search, latest version)
feature_request.yml:
- problem statement (who feels the pain, when, how often)
- proposed solution + alternatives considered
- scope dropdown (small / medium / large)
- tier dropdown (free / premium / either)
- philosophy alignment checkbox
No-blank-issues policy preserved via existing config.yml.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds .github/workflows/stale.yml using actions/stale@v9.
Issues:
- Stale after 60d inactivity, closed 7d later.
- Exempt labels: pinned, security, help wanted, good first issue, bug.
Draft PRs only (only-pr-labels: draft):
- Stale after 30d, closed 14d later.
- Exempt labels: pinned, security, wip-keep-open.
Ready-for-review PRs are NEVER swept — those belong in the review queue,
not the stale bucket.
Throttled to 60 ops/run so a backlog sweep doesn't blow the API budget.
Cron 07:30 UTC (00:30 PT).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds .github/labeler.yml + workflow consuming actions/labeler@v5.
Labels resolve from path globs and re-sync on every PR open / sync /
reopen / ready_for_review:
- ci — .github/workflows/**, dependabot.yml, lefthook.yml
- dependencies — pubspec.{yaml,lock}, gradle, Podfile
- dart — lib/**, test/**, integration_test/**
- ios — ios/**
- android — android/**
- web — web/**
- design — lib/design/**, lib/widgets/**, assets/**, design specs
- tests — test/**, integration_test/**
- docs — *.md, docs/**, CHANGELOG*
- config — analysis_options.yaml, .gitignore, IDE config
- security — SECURITY.md, signing config, secret-scan/release workflows
sync-labels: true — re-runs replace stale labels rather than appending.
pull_request_target so forked-PR labelers still work.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds .github/workflows/dependabot-auto-merge.yml.
Behavior:
- Patch (semver-patch) — auto-approve + gh pr merge --auto --squash.
Auto-merge waits for required status checks before landing, so the
full ci.yml + secret-scan + commitlint suite still gates the merge.
- Minor / major — workflow comments on the PR explaining why it's paused
for manual review, no auto-merge.
Restricted to actor==dependabot[bot] AND author==dependabot[bot] so a
spoofed PR can't trip the workflow.
Uses dependabot/fetch-metadata@v2 for the canonical update-type signal —
no string parsing of titles.
Branch protection on main MUST require:
- CI / Analyze + Format
- CI / Unit + Widget tests
- Commitlint
- Secret Scan / gitleaks
otherwise auto-merge would land Dependabot PRs without verification.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds .github/workflows/size-diff.yml.
On every PR touching lib/**, android/**, pubspec.{yaml,lock}, or
assets/**, builds a release APK on both base and PR refs, computes
the delta, and posts a sticky comment via marocchino/sticky-pull-
request-comment.
- arm64 release build (not debug) — debug carries profiling symbols
and doesn't reflect what users download.
- Path filter excludes doc-only / CI-only PRs to save runner minutes.
- Sticky comment header: apk-size-diff — re-runs update in place
instead of appending new comments on every push.
- Soft warning at >512 KiB delta. No hard failure — sometimes a new
feature legitimately costs that.
Failure-tolerant on the base build (|| true) so a transient base
failure doesn't block the PR — comment falls back to "base build
failed — no delta".
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Outtsett added a commit that referenced this pull request May 5, 2026
PR #19 (ci/automation-pipeline) added 4 new workflows + 1 labeler config
+ 2 fleshed-out issue templates. Document the full GitHub Actions surface
(8 workflows × what they do × triggers) and the current open-PR table so
future sessions can pick up state without re-discovering the automation
footprint.
Includes the "branch protection action item" Tyler must do manually in
repo settings (4 required status checks) before dependabot-auto-merge.yml
is actually safe — the workflow only enables auto-merge, the protection
rules enforce the gate.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Pull request overview
This PR expands repository automation and contributor intake by adding new GitHub Actions workflows (stale sweeping, PR path labeling, Dependabot patch auto-merge, and APK size diff commenting) and upgrading GitHub Issue Forms for bug reports and feature requests.
Changes:
- Add a scheduled stale sweeper for issues and (intended) draft PRs.
- Add PR path-based auto-labeling and Dependabot patch-only auto-approval/auto-merge enabling.
- Add an Android release APK size diff workflow that posts a sticky PR comment; upgrade issue templates to more actionable forms.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| .github/workflows/stale.yml | Adds daily/on-demand stale marking + auto-close automation for issues and PRs. |
| .github/workflows/labeler.yml | Adds a PR labeler workflow triggered on PR events via pull_request_target. |
| .github/labeler.yml | Defines path-to-label mappings used by the PR labeler workflow. |
| .github/workflows/dependabot-auto-merge.yml | Auto-approves and enables auto-merge for Dependabot patch updates; comments on minor/major. |
| .github/workflows/size-diff.yml | Builds base vs PR Android release APKs and posts a sticky size-delta comment. |
| .github/ISSUE_TEMPLATE/bug_report.yml | Expands the bug report form with platform/version/repro fields and pre-flight checks. |
| .github/ISSUE_TEMPLATE/feature_request.yml | Expands the feature request form to capture problem/proposal/scope/tier and pre-flight checks. |
Comment on lines +42 to +48
| # Pull requests — only sweep drafts. A PR ready for review | ||
| # belongs in the review queue, not the stale bucket. | ||
| days-before-pr-stale: 30 | ||
| days-before-pr-close: 14 | ||
| stale-pr-label: "stale" | ||
| only-pr-labels: "draft" | ||
| stale-pr-message: | |
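Review bot: `only-pr-labels: "draft"` at the end of this block filters on a label literally named `draft`, not on GitHub's draft state, so the "only sweep drafts" comment above it holds only if something applies that label to draft PRs. As written, a draft PR without the label is never swept, and a ready-for-review PR that happens to carry the label is. Either document which workflow applies the `draft` label, or add a step that sets it from the PR's draft state so the filter matches the stated intent.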
Comment on lines +65 to +75
| - name: Build base APK | ||
| working-directory: base | ||
| run: | | ||
| flutter pub get | ||
| dart run build_runner build --delete-conflicting-outputs | ||
| flutter build apk --release --target-platform=android-arm64 || true | ||
| if [ -f build/app/outputs/flutter-apk/app-release.apk ]; then | ||
| cp build/app/outputs/flutter-apk/app-release.apk /tmp/base.apk | ||
| else | ||
| echo "BASE_BUILD_FAILED=true" >> "$GITHUB_ENV" | ||
| fi |
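Review bot: the `|| true` guards only `flutter build apk`; `flutter pub get` and `dart run build_runner build` run before it under the default fail-fast shell, so a base-side failure in either one aborts the step before `BASE_BUILD_FAILED` is set. If the step is meant to tolerate any base failure, group the three commands and guard the group, e.g. `{ flutter pub get && dart run build_runner build --delete-conflicting-outputs && flutter build apk --release --target-platform=android-arm64; } || true`, and keep the existing file check as the success signal.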
Comment on lines +44 to +50
| path: head | ||
| fetch-depth: 1 | ||
|
|
||
| - name: Checkout base branch | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| ref: ${{ github.event.pull_request.base.ref }} |
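Review bot: `ref: ${{ github.event.pull_request.base.ref }}` checks out the base branch by name, which resolves to whatever its tip is when the job runs, so two runs against the same PR commit can report different deltas. Use `github.event.pull_request.base.sha` to pin the baseline to the commit recorded in the event, and keep `fetch-depth: 1` on this checkout as on the head checkout.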
Comment on lines +8 to +11
| # don't reflect what users download. The release build is unsigned | ||
| # (skipShrinkResources stays at default release config) so it doesn't | ||
| # need keystore secrets — Gradle handles missing key.properties by | ||
| # falling back to the debug signing config in our setup. |
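Review bot: the comment calls the release build "unsigned" and, two lines later, says Gradle falls back to the debug signing config, which makes the APK debug-signed rather than unsigned. Reword it to say which one applies, because a silent fallback to debug signing when `key.properties` is missing should be stated explicitly so this build path is not reused for a distributable artifact. The `skipShrinkResources` parenthetical does not explain anything about signing; drop it or say how it relates to the keystore.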
Comment on lines +13 to +26
| on: | ||
| pull_request: | ||
| branches: [main] | ||
| paths: | ||
| - "lib/**" | ||
| - "android/**" | ||
| - "pubspec.yaml" | ||
| - "pubspec.lock" | ||
| - "assets/**" | ||
|
|
||
| permissions: | ||
| contents: read | ||
| pull-requests: write | ||
|
|
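Review bot: with `on: pull_request`, runs triggered from forks receive a read-only `GITHUB_TOKEN` regardless of `pull-requests: write`, so the sticky-comment step will fail on fork PRs. Because this workflow builds PR code, keep the `pull_request` trigger rather than moving to `pull_request_target`; skip the comment step when `github.event.pull_request.head.repo.full_name` differs from `github.repository`, or post the comment from a separate `workflow_run` job that only reads the computed sizes. Consider also moving `pull-requests: write` from the workflow level to the job that posts the comment, so the build steps run with `contents: read` only.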
Summary
Five atomic commits expanding GitHub Actions automation beyond the
existing baseline (ci.yml + commitlint + secret-scan + dependabot.yml +
CODEOWNERS).
What was already in place (untouched here)
- ci.yml — analyze + format + test + Android debug APK + iOS no-codesign + Web build (concurrency, Flutter pin)
- commitlint.yml — Conventional Commits validation on PR + push
- secret-scan.yml — gitleaks weekly + every push/PR
- dependabot.yml — pub + github-actions, grouped (flutter-core, hive-stack, iap, notifications)
- CODEOWNERS — Tyler on every path, signing config explicit
- pull_request_template.md + ISSUE_TEMPLATE/config.yml (no-blank-issues policy)
- SECURITY.md
Test plan
- workflow_dispatch; confirm no false positives on the current backlog
- dart + design labels
Branch protection action item
dependabot-auto-merge.yml only enables auto-merge — it does NOT bypass status checks. For this to be safe, branch protection on
main must require these checks (manual setup, can't be done via PR):
Without those, auto-merge would land patches without verification.
Validation
- .github/ parse cleanly under PyYAML
- actionlint (rhysd/actionlint:latest in Docker) reports zero issues across all 8 workflows
- size-diff.yml
🤖 Generated with Claude Code
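The branch protection action item above can be verified mechanically. This added example (not part of the PR or the project's code) audits a saved response from GitHub's required-status-checks endpoint against the four check names listed in the auto-merge commit message; the function name, the sample response and its app id are constructed for illustration, and treating a null or -1 `app_id` as "unpinned" is an assumption about how the response is read.

```python
import json

# The four checks the PR says branch protection on main must require.
REQUIRED = [
    "CI / Analyze + Format",
    "CI / Unit + Widget tests",
    "Commitlint",
    "Secret Scan / gitleaks",
]

def audit_required_checks(body, required=REQUIRED):
    """Compare a required_status_checks response body with the expected gate.

    body: JSON text from
      GET /repos/{owner}/{repo}/branches/main/protection/required_status_checks
    or None when the API returned 404 (nothing configured).
    Returns {"missing": [...], "unpinned": [...]}.
    """
    if body is None:
        return {"missing": list(required), "unpinned": []}
    data = json.loads(body)
    # "checks" carries the app binding; "contexts" is the older name-only list.
    configured = {c["context"]: c.get("app_id") for c in data.get("checks", [])}
    for name in data.get("contexts", []):
        configured.setdefault(name, None)
    missing = [n for n in required if n not in configured]
    # A check with no app binding can be satisfied by any status reporter.
    unpinned = [n for n in required
                if n in configured and configured[n] in (None, -1)]
    return {"missing": missing, "unpinned": unpinned}

# Constructed sample response (app id 12345 is a placeholder, not a real app).
SAMPLE = json.dumps({
    "strict": True,
    "contexts": ["CI / Analyze + Format", "Commitlint", "Secret Scan / gitleaks"],
    "checks": [
        {"context": "CI / Analyze + Format", "app_id": 12345},
        {"context": "Commitlint", "app_id": 12345},
        {"context": "Secret Scan / gitleaks", "app_id": None},
    ],
})

if __name__ == "__main__":
    report = audit_required_checks(SAMPLE)
    print("missing:", report["missing"])
    print("unpinned:", report["unpinned"])
```

Feed it the body saved from `gh api repos/OWNER/REPO/branches/main/protection/required_status_checks` (OWNER/REPO are placeholders); a non-empty `missing` list means auto-merge is not yet gated the way the PR description requires.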