build(dev): update dependency tsdown to v0.21.4#332
Merged
marcusrbrown merged 1 commit intomainfrom Mar 21, 2026
Merged
Conversation
fro-bot
bot
added
dependencies
fro-bot
bot
force-pushed
the
renovate/tsdown-0.x
branch
3 times, most recently
from
57b4095 to
1a1ced6
Compare
fro-bot
bot
force-pushed
the
renovate/tsdown-0.x
branch
2 times, most recently
from
ad89015 to
968cb9d
Compare
fro-bot
bot
force-pushed
the
renovate/tsdown-0.x
branch
6 times, most recently
from
ee46d5e to
ee81032
Compare
fro-bot
bot
changed the title
fro-bot
bot
force-pushed
the
renovate/tsdown-0.x
branch
2 times, most recently
from
a2d6bb0 to
47c9bd4
Compare
fro-bot
bot
force-pushed
the
renovate/tsdown-0.x
branch
from
47c9bd4 to
16d9cc0
Compare
marcusrbrown
approved these changes
Mar 21, 2026
marcusrbrown
pushed a commit
that referenced
this pull request
Mar 22, 2026
* ci(deps): update bfra-me/.github to v4.13.1 (#330) Co-authored-by: fro-bot[bot] <109017866+fro-bot[bot]@users.noreply.github.com> * fix(settings): remove users/teams from bypass_pull_request_allowances (#338) GitHub API rejects users and teams restrictions on user-owned repos (only org repos support them). Removing the empty arrays from all three branch protection blocks fixes the update-repo-settings error. * fix(settings): drop bypass_pull_request_allowances entirely (#343) The update-repository-settings action deep-merges config over the current GitHub state. Even with users/teams removed from YAML, the action reads them from the existing protection and sends them back. GitHub rejects users/teams on user-owned repos (bfra-me/.github#1837). Workaround: remove bypass_pull_request_allowances from all branches. Manage fro-bot app bypass via GitHub UI until upstream is fixed. * fix(settings): use literal branch name v0 instead of glob v? (#344) fix(settings): use literal branch name v0 instead of glob pattern v? The update-repository-settings action passes branch names directly to the GitHub API, which requires literal names. The glob pattern v? was treated as a literal branch name, causing a 'Branch not found' error. * build(deps): update dependency oh-my-openagent to v3.12.0 (#342) Co-authored-by: fro-bot[bot] <109017866+fro-bot[bot]@users.noreply.github.com> * build(dev): update dependency tsdown to v0.21.3 (#332) Co-authored-by: fro-bot[bot] <109017866+fro-bot[bot]@users.noreply.github.com> * ci(deps): update github/codeql-action action to v4.34.1 (#341) Co-authored-by: fro-bot[bot] <109017866+fro-bot[bot]@users.noreply.github.com> * fix(settings): update action to v4.13.4 and restore bypass_pull_request_allowances (#345) bfra-me/.github#1837 was fixed in update-repository-settings@0.1.3 (shipped in v4.13.4). The action now strips users/teams from bypass_pull_request_allowances on user-owned repos before sending to the API. Restores bypass config: - main: apps: [] (no bypass — OpenSSF Scorecard compliance) - v0: apps: [fro-bot] (release workflow bypass) - release: apps: [fro-bot] (release workflow bypass) * chore(dev): update dependency lint-staged to v16.4.0 (#328) Co-authored-by: fro-bot[bot] <109017866+fro-bot[bot]@users.noreply.github.com> * feat: add execution deduplication to prevent redundant agent runs (#347) * feat: add execution deduplication to prevent redundant agent runs Skip agent execution when it already ran for the same PR or issue within a configurable window (default 10 minutes). Uses @actions/cache sentinel files scoped per entity to track recent completions. New dedup phase runs between routing and acknowledge. Configurable via dedup-window action input (milliseconds, 0 = disabled). Fail-open design: cache miss or error always proceeds. Tolerates ±60s clock skew between runners. 1024 tests, 0 lint errors, 0 type errors. * fix: move dedup sentinel dir from /tmp to ~/.cache to satisfy CodeQL CodeQL flagged insecure temp file creation in /tmp (predictable path). Move sentinel base dir to os.homedir()/.cache/fro-bot-dedup/ which is deterministic across runs but not under the OS temp directory. * build(deps): update dependency oh-my-openagent to v3.12.3 (#346) Co-authored-by: fro-bot[bot] <109017866+fro-bot[bot]@users.noreply.github.com> * ci(deps): update bfra-me/.github to v4.13.5 (#340) Co-authored-by: fro-bot[bot] <109017866+fro-bot[bot]@users.noreply.github.com> --------- Co-authored-by: fro-bot[bot] <109017866+fro-bot[bot]@users.noreply.github.com>
marcusrbrown
pushed a commit
that referenced
this pull request
Mar 22, 2026
* ci(deps): update bfra-me/.github to v4.13.1 (#330) Co-authored-by: fro-bot[bot] <109017866+fro-bot[bot]@users.noreply.github.com> * fix(settings): remove users/teams from bypass_pull_request_allowances (#338) GitHub API rejects users and teams restrictions on user-owned repos (only org repos support them). Removing the empty arrays from all three branch protection blocks fixes the update-repo-settings error. * fix(settings): drop bypass_pull_request_allowances entirely (#343) The update-repository-settings action deep-merges config over the current GitHub state. Even with users/teams removed from YAML, the action reads them from the existing protection and sends them back. GitHub rejects users/teams on user-owned repos (bfra-me/.github#1837). Workaround: remove bypass_pull_request_allowances from all branches. Manage fro-bot app bypass via GitHub UI until upstream is fixed. * fix(settings): use literal branch name v0 instead of glob v? (#344) fix(settings): use literal branch name v0 instead of glob pattern v? The update-repository-settings action passes branch names directly to the GitHub API, which requires literal names. The glob pattern v? was treated as a literal branch name, causing a 'Branch not found' error. * build(deps): update dependency oh-my-openagent to v3.12.0 (#342) Co-authored-by: fro-bot[bot] <109017866+fro-bot[bot]@users.noreply.github.com> * build(dev): update dependency tsdown to v0.21.3 (#332) Co-authored-by: fro-bot[bot] <109017866+fro-bot[bot]@users.noreply.github.com> * ci(deps): update github/codeql-action action to v4.34.1 (#341) Co-authored-by: fro-bot[bot] <109017866+fro-bot[bot]@users.noreply.github.com> * fix(settings): update action to v4.13.4 and restore bypass_pull_request_allowances (#345) bfra-me/.github#1837 was fixed in update-repository-settings@0.1.3 (shipped in v4.13.4). The action now strips users/teams from bypass_pull_request_allowances on user-owned repos before sending to the API. Restores bypass config: - main: apps: [] (no bypass — OpenSSF Scorecard compliance) - v0: apps: [fro-bot] (release workflow bypass) - release: apps: [fro-bot] (release workflow bypass) * chore(dev): update dependency lint-staged to v16.4.0 (#328) Co-authored-by: fro-bot[bot] <109017866+fro-bot[bot]@users.noreply.github.com> * feat: add execution deduplication to prevent redundant agent runs (#347) * feat: add execution deduplication to prevent redundant agent runs Skip agent execution when it already ran for the same PR or issue within a configurable window (default 10 minutes). Uses @actions/cache sentinel files scoped per entity to track recent completions. New dedup phase runs between routing and acknowledge. Configurable via dedup-window action input (milliseconds, 0 = disabled). Fail-open design: cache miss or error always proceeds. Tolerates ±60s clock skew between runners. 1024 tests, 0 lint errors, 0 type errors. * fix: move dedup sentinel dir from /tmp to ~/.cache to satisfy CodeQL CodeQL flagged insecure temp file creation in /tmp (predictable path). Move sentinel base dir to os.homedir()/.cache/fro-bot-dedup/ which is deterministic across runs but not under the OS temp directory. * build(deps): update dependency oh-my-openagent to v3.12.3 (#346) Co-authored-by: fro-bot[bot] <109017866+fro-bot[bot]@users.noreply.github.com> * ci(deps): update bfra-me/.github to v4.13.5 (#340) Co-authored-by: fro-bot[bot] <109017866+fro-bot[bot]@users.noreply.github.com> * fix(settings): remove bypass_pull_request_allowances for user-owned repo (#349) The update-repo-settings workflow fails with: 'Only organization repositories can have users and team restrictions' This repo is user-owned (fro-bot), not organization-owned. The bypass_pull_request_allowances field is only valid for org repos. Reverts the settings restoration from #345 which broke the workflow. Closes: #348 (related to workflow fix) --------- Co-authored-by: fro-bot[bot] <109017866+fro-bot[bot]@users.noreply.github.com> Co-authored-by: Fro Bot <80104189+fro-bot@users.noreply.github.com>
This was referenced Mar 22, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
0.21.2→0.21.4Release Notes
rolldown/tsdown (tsdown)
v0.21.4Compare Source
🚀 Features
🐞 Bug Fixes
View changes on GitHub
v0.21.3Compare Source
🚀 Features
🐞 Bug Fixes
View changes on GitHub
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.