Skip to content

fix: work around Dependabot not supporting pnpm lockfileVersion 9.0#56

Merged
MidnightDesign merged 6 commits intomasterfrom
fix/dependabot-pnpm-lockfile
Apr 9, 2026
Merged

fix: work around Dependabot not supporting pnpm lockfileVersion 9.0#56
MidnightDesign merged 6 commits intomasterfrom
fix/dependabot-pnpm-lockfile

Conversation

@MidnightDesign
Copy link
Copy Markdown
Collaborator

@MidnightDesign MidnightDesign commented Apr 7, 2026
edited
Loading

Summary

  • Add a workflow that regenerates pnpm-lock.yaml on Dependabot PRs, working around dependabot/dependabot-core#13920 (Dependabot can't parse lockfileVersion 9.0)
  • Add a weekly scheduled check that creates a reminder issue (assigned to @MidnightDesign) once the upstream bug is resolved, so we don't forget to remove the workaround

Affected PRs

The following Dependabot PRs are currently failing because of this issue:

Test plan

  • Verify the lockfile workflow triggers on the next Dependabot PR and commits an updated pnpm-lock.yaml
  • Verify CI passes after the lockfile is regenerated

🤖 Generated with Claude Code

@MidnightDesign @claude
fix: work around Dependabot not supporting pnpm lockfileVersion 9.0
47bf131 
Dependabot can't parse pnpm-lock.yaml with lockfileVersion 9.0
(dependabot/dependabot-core#13920), so it updates package.json but
not the lockfile, causing CI to fail on --frozen-lockfile.

Add a workflow that regenerates pnpm-lock.yaml on Dependabot PRs,
and a weekly check that creates a reminder issue once the upstream
bug is resolved.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Copilot AI reviewed Apr 7, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds GitHub Actions workflows to work around Dependabot’s inability to parse pnpm-lock.yaml with lockfileVersion: 9.0, by regenerating and committing the lockfile on Dependabot PRs and creating a weekly reminder issue once the upstream bug is resolved.

Changes:

  • Add a Dependabot-only PR workflow that runs pnpm install to regenerate pnpm-lock.yaml and pushes the update back to the PR branch.
  • Add a scheduled workflow that checks dependabot/dependabot-core#13920 weekly and opens a reminder issue (assigned to MidnightDesign) when the upstream issue closes.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File Description
.github/workflows/dependabot-lockfile.yml Regenerates and commits pnpm-lock.yaml on Dependabot PRs.
.github/workflows/check-dependabot-fix.yml Weekly check that opens a reminder issue when the upstream Dependabot bug is resolved.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@MidnightDesign @claude
fix: address review feedback on Dependabot workaround workflows
6683688 
- Add `issues: write` permission to the check workflow so `gh issue create` works on scheduled runs
- Filter duplicate check to open issues only (`--state open`)
- Use `pnpm install --lockfile-only` to avoid executing dependency lifecycle scripts

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@MidnightDesign MidnightDesign requested a review from Copilot April 7, 2026 07:22
Copilot AI reviewed Apr 7, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@MidnightDesign @claude
fix: use PR author check and fix issue body indentation
c4aebac 
- Check `github.event.pull_request.user.login` instead of `github.actor`
  so the workflow runs reliably even if a maintainer pushes to the branch
- Use printf to build the issue body without leading whitespace

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@MidnightDesign MidnightDesign requested a review from Copilot April 7, 2026 07:30
Copilot AI reviewed Apr 7, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@MidnightDesign @claude
fix: use unauthenticated request for cross-repo issue check
57034db 
Unset GH_TOKEN when querying the upstream dependabot-core issue
so it uses an unauthenticated public API request instead of the
repo-scoped GITHUB_TOKEN.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@MidnightDesign MidnightDesign requested a review from Copilot April 7, 2026 07:39
Copilot AI reviewed Apr 7, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@MidnightDesign @claude
fix: use explicit push target and skip push when no changes
229b77e 
Push to `origin HEAD:<head_ref>` explicitly instead of relying on
upstream tracking, and only push when a commit was actually created.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@MidnightDesign MidnightDesign requested a review from Copilot April 7, 2026 07:45
Copilot AI reviewed Apr 7, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@MidnightDesign @claude
fix: add strict mode to upstream issue check script
169cf94 
Prevent false reminder issues when the upstream API call fails
by adding `set -euo pipefail`.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@MidnightDesign MidnightDesign requested a review from Copilot April 7, 2026 08:11
Copilot AI reviewed Apr 7, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@MidnightDesign MidnightDesign merged commit a3b5990 into master Apr 9, 2026
6 checks passed
@MidnightDesign MidnightDesign deleted the fix/dependabot-pnpm-lockfile branch April 9, 2026 07:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@rieschl rieschl rieschl approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@MidnightDesign @rieschl