Add optional payload input to dependabot-worker reusable workflow

[mnkiefer]

Bug Fix

What was the bug?

The dependabot-worker reusable workflow's workflow_call.inputs did not declare a payload input, but callers (e.g. dependabot-campaign.lock.yml) pass payload when invoking it. GitHub rejects unknown inputs for reusable workflows, causing the workflow call to fail.

How did you fix it?

Added an optional payload string input to the workflow_call.inputs section of dependabot-worker.md, matching the pattern used by smoke-workflow-call.md. The compiled lock file (dependabot-worker.lock.yml) was regenerated to include the new input, and dependabot-campaign.lock.yml was updated to reflect the new input declaration on the worker.

Testing

• ✅ gh-aw compile succeeds with no errors
• ✅ dependabot-worker.lock.yml now includes the payload input under workflow_call.inputs
• ✅ dependabot-campaign.lock.yml updated to reflect the worker's new payload input

[github-actions]

✅ smoke-ci: safeoutputs CLI comment + comment-memory run (25733120246)

Generated by Smoke CI for issue #31679 · ◷

[github-actions]

Comment Memory

CI lights the path
Green checks bloom at dawn
Quiet bots still sing

Note

This comment is managed by comment memory.

It stores persistent context for this thread in the code block at the top of this comment.
Edit only the text inside the backtick fences; workflow metadata and the footer are regenerated automatically.

Learn more about comment memory

Generated by Smoke CI for issue #31679 · ◷

[Copilot]

Pull request overview

Adds a Dependabot “campaign + worker” setup to bundle workflow-manifest Dependabot PRs into a single remediation wave, with generated (locked) workflow manifests and updated Dependabot configuration.

Changes:

• Introduces a reusable dependabot-worker workflow (source .md + compiled .lock.yml) to apply source-of-truth dependency bumps and regenerate manifests.
• Introduces a scheduled dependabot-campaign orchestrator workflow (source .md + compiled .lock.yml) that discovers in-scope Dependabot PRs and calls the worker once.
• Updates .github/dependabot.yml to group workflow-manifest updates and limit concurrent PRs for those ecosystems.

Show a summary per file

File	Description
.github/workflows/dependabot-worker.md	Defines the reusable worker prompt/config and tool allowlist for bundling and fixing workflow-manifest Dependabot PRs.
.github/workflows/dependabot-worker.lock.yml	Compiled, pinned workflow manifest for dependabot-worker.
.github/workflows/dependabot-campaign.md	Defines the campaign orchestrator prompt/config and scoreboard computation logic.
.github/workflows/dependabot-campaign.lock.yml	Compiled, pinned workflow manifest for dependabot-campaign.
.github/dependabot.yml	Adds grouping/limits intended to reduce Dependabot PR noise for workflow manifests.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 5/5 changed files
• Comments generated: 3

[mnkiefer]

@copilot resolve the merge conflicts in this pull request

[Copilot]

@copilot resolve the merge conflicts in this pull request

Merged origin/main into the branch. The only conflict was in .github/workflows/aw-portfolio-yield.lock.yml (modified by both branches), which was resolved by taking main's version since our branch's changes to that file were unintentional compilation side effects.