
chore(ci): add dependabot for npm version bumps#752

Open
sarahxsanders wants to merge 5 commits into main from dependabot-config

Conversation


@sarahxsanders sarahxsanders commented Jun 28, 2026

Collaborator

What

Adds .github/dependabot.yml so npm dependencies get automatic weekly version-bump PRs, gated by the existing Build/Lint/Test workflow.

Why

@posthog/warlock is currently pinned exactly (0.2.2) with no automation, so it never moves until someone hand-edits the version. We want it kept current.

The warlock-specific bit

Routine deps are batched into one rolling grouped PR to keep noise low. @posthog/warlock is deliberately excluded from the group so it lands as its own PR.

Reason: a warlock bump can add a new rule category. Our user-facing security abort copy lives in a typed Record<Category, string> in src/lib/yara-hooks.ts, so a new category breaks pnpm build. Isolating warlock means that build break shows up in its own PR (where it forces us to add the matching copy) instead of being buried in a batch of unrelated bumps.

related: #751

Commit titles use a chore(deps): prefix so they pass the conventional-commit check.

Open weekly version-bump PRs for npm dependencies, gated by the existing
Build/Lint/Test workflow. Keep @posthog/warlock ungrouped so a bump that
adds a new rule category surfaces as its own PR, where the typed
CATEGORY_DESCRIPTIONS build break forces matching copy before merge.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
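As an added illustration (not the file this PR merges), a `.github/dependabot.yml` laid out the way the description and the later commit messages in this thread spell out: weekly npm bumps batched into one group, `@posthog/warlock` excluded so it lands alone, a grouped `github-actions` block for the SHA-pinned actions, a release cooldown, and the `chore(deps)` commit prefix. The group names, the 7-day cooldown length and the root `directory` are assumptions; the Build/Lint/Test gate is not part of this file but comes from the repository's existing required checks on PRs.

```yaml
# .github/dependabot.yml -- illustrative layout, not the PR's actual file.
version: 2
updates:
  # Routine npm deps: one rolling grouped PR per week to keep noise low.
  - package-ecosystem: "npm"
    directory: "/"                      # assumed: package.json at repo root
    schedule:
      interval: "weekly"
    commit-message:
      prefix: "chore(deps)"             # passes the conventional-commit check
    # Wait out a release before bumping so a version that is yanked or
    # found to be compromised shortly after publication is never picked.
    # 7 days is an assumed value; the thread only states that a cooldown exists.
    cooldown:
      default-days: 7
    groups:
      routine-deps:                     # assumed group name
        patterns:
          - "*"
        # Deliberately kept out of the batch: a warlock bump can add a new
        # rule category, which breaks the typed Record<Category, string> in
        # src/lib/yara-hooks.ts. That build break should surface in its own
        # PR, where it forces the matching user-facing copy to be added.
        exclude-patterns:
          - "@posthog/warlock"

  # Actions are pinned by commit SHA, so they go stale silently; Dependabot
  # bumps the SHA and keeps the trailing version comment in step.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    commit-message:
      prefix: "chore(deps)"
    cooldown:
      default-days: 7
    groups:
      actions:                          # assumed group name
        patterns:
          - "*"
```

Because `@posthog/warlock` matches no group, Dependabot opens a separate PR for it; a failing `pnpm build` on that PR is the signal that `src/lib/yara-hooks.ts` needs copy for the new category before merge.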
@github-actions


🧙 Wizard CI

Run the Wizard CI and test your changes against wizard-workbench example apps by replying with a GitHub comment using one of the following commands:

Test all apps:

  • /wizard-ci all

Test all apps in a directory:

  • /wizard-ci basic-integration
  • /wizard-ci error-tracking-upload-source-maps
  • /wizard-ci mcp-analytics
  • /wizard-ci misc
  • /wizard-ci revenue

Test an individual app:

  • /wizard-ci basic-integration/android
  • /wizard-ci basic-integration/angular
  • /wizard-ci basic-integration/astro
  • /wizard-ci basic-integration/django
  • /wizard-ci basic-integration/fastapi
  • /wizard-ci basic-integration/flask
  • /wizard-ci basic-integration/javascript-node
  • /wizard-ci basic-integration/javascript-web
  • /wizard-ci basic-integration/laravel
  • /wizard-ci basic-integration/next-js
  • /wizard-ci basic-integration/nuxt
  • /wizard-ci basic-integration/python
  • /wizard-ci basic-integration/rails
  • /wizard-ci basic-integration/react-native
  • /wizard-ci basic-integration/react-router
  • /wizard-ci basic-integration/sveltekit
  • /wizard-ci basic-integration/swift
  • /wizard-ci basic-integration/tanstack-router
  • /wizard-ci basic-integration/tanstack-start
  • /wizard-ci basic-integration/vue
  • /wizard-ci error-tracking-upload-source-maps/android
  • /wizard-ci error-tracking-upload-source-maps/cicd-docker-node-raw
  • /wizard-ci error-tracking-upload-source-maps/cicd-github-actions-docker-node-raw
  • /wizard-ci error-tracking-upload-source-maps/cicd-github-actions-nested-docker-node-raw
  • /wizard-ci error-tracking-upload-source-maps/cicd-github-actions-node-raw
  • /wizard-ci error-tracking-upload-source-maps/cicd-github-actions-single-stage-docker-node-raw
  • /wizard-ci error-tracking-upload-source-maps/cicd-gitlab-node-raw
  • /wizard-ci error-tracking-upload-source-maps/cicd-monorepo-pnpm-node-react
  • /wizard-ci error-tracking-upload-source-maps/cicd-monorepo-raw-node-react
  • /wizard-ci error-tracking-upload-source-maps/cicd-ssh-vps-node-raw
  • /wizard-ci error-tracking-upload-source-maps/flutter
  • /wizard-ci error-tracking-upload-source-maps/ios
  • /wizard-ci error-tracking-upload-source-maps/next
  • /wizard-ci error-tracking-upload-source-maps/next-no-posthog
  • /wizard-ci error-tracking-upload-source-maps/node-raw
  • /wizard-ci error-tracking-upload-source-maps/node-rollup
  • /wizard-ci error-tracking-upload-source-maps/node-rollup-typescript-plugin
  • /wizard-ci error-tracking-upload-source-maps/node-webpack
  • /wizard-ci error-tracking-upload-source-maps/nuxt-3-6
  • /wizard-ci error-tracking-upload-source-maps/nuxt-4-3
  • /wizard-ci error-tracking-upload-source-maps/react-native
  • /wizard-ci error-tracking-upload-source-maps/react-vite
  • /wizard-ci error-tracking-upload-source-maps/rust
  • /wizard-ci mcp-analytics/custom-dispatcher
  • /wizard-ci mcp-analytics/typescript-sdk
  • /wizard-ci misc/quack-quack
  • /wizard-ci revenue/stripe

Results will be posted here when complete.

sarahxsanders and others added 3 commits June 28, 2026 11:21
Actions are pinned by commit SHA for supply-chain safety, so they go
stale silently. Add a github-actions ecosystem block (weekly, grouped)
that bumps the SHA and updates the version comment.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@sarahxsanders sarahxsanders requested a review from a team June 28, 2026 15:36
Satisfies the semgrep dependabot-missing-cooldown rule: wait out a
release before bumping so a yanked/compromised version is never picked.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@sarahxsanders sarahxsanders changed the title from "ci: add dependabot for npm version bumps" to "chore(ci): add dependabot for npm version bumps" Jun 28, 2026

sarahxsanders commented Jun 28, 2026

Collaborator Author

not sure if there's anything else we want to exclude here, especially with Anthropic SDKs being... what they are CC @gewenyu99 - but I think having this set up would be nice.
