chore(ci): add dependabot for npm version bumps#752
Open
sarahxsanders wants to merge 5 commits into
Open weekly version-bump PRs for npm dependencies, gated by the existing Build/Lint/Test workflow. Keep @posthog/warlock ungrouped so a bump that adds a new rule category surfaces as its own PR, where the typed CATEGORY_DESCRIPTIONS build break forces matching copy before merge.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
🧙 Wizard CI

Run the Wizard CI and test your changes against wizard-workbench example apps by replying with a GitHub comment using one of the following commands:

- Test all apps:
- Test all apps in a directory:
- Test an individual app:

Results will be posted here when complete.
Actions are pinned by commit SHA for supply-chain safety, so they go stale silently. Add a github-actions ecosystem block (weekly, grouped) that bumps the SHA and updates the version comment.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Satisfies the semgrep dependabot-missing-cooldown rule: wait out a release before bumping so a yanked/compromised version is never picked.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Not sure if there's anything else we want to exclude here, especially with Anthropic SDKs being... what they are. CC @gewenyu99 - but I think having this set up would be nice.
## What

Adds `.github/dependabot.yml` so npm dependencies get automatic weekly version-bump PRs, gated by the existing Build/Lint/Test workflow.

## Why

`@posthog/warlock` is currently pinned exactly (0.2.2) with no automation, so it never moves until someone hand-edits the version. We want it kept current.

## The warlock-specific bit

- Routine deps are batched into one rolling grouped PR to keep noise low.
- `@posthog/warlock` is deliberately excluded from the group so it lands as its own PR.

Reason: a warlock bump can add a new rule category. Our user-facing security abort copy lives in a typed `Record<Category, string>` in `src/lib/yara-hooks.ts`, so a new category breaks `pnpm build`. Isolating warlock means that build break shows up in its own PR (where it forces us to add the matching copy) instead of being buried in a batch of unrelated bumps.

related: #751

Commit titles use a `chore(deps):` prefix so they pass the conventional-commit check.
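The configuration the description and commit messages describe (weekly npm bumps in one group with `@posthog/warlock` excluded so it opens its own PR, a weekly grouped `github-actions` block that refreshes SHA pins, a release cooldown, and a `chore(deps)` commit prefix), written out as an added example. This is not the PR's own `.github/dependabot.yml`, which is not shown on the page; the group names, the root `directory`, and the seven-day cooldown window are assumptions chosen for illustration.

```yaml
# .github/dependabot.yml (added example, not the file from this PR)
version: 2
updates:
  # npm: weekly, one rolling grouped PR for routine deps. @posthog/warlock is
  # excluded from the group, so Dependabot opens a separate PR for it and a
  # bump that adds a rule category fails pnpm build in that PR alone.
  - package-ecosystem: "npm"
    directory: "/"              # assumption: package.json lives at the repo root
    schedule:
      interval: "weekly"
    # Wait out a release before taking it: a version that is yanked or found
    # to be compromised within the window is never picked up.
    cooldown:
      default-days: 7           # assumption: the PR does not state its window
    commit-message:
      prefix: "chore(deps)"     # satisfies the conventional-commit check
    groups:
      npm-routine:              # assumption: group name is illustrative
        patterns:
          - "*"
        exclude-patterns:
          - "@posthog/warlock"

  # GitHub Actions: SHA-pinned `uses:` lines go stale silently. Dependabot
  # bumps the pinned SHA and rewrites the trailing version comment.
  - package-ecosystem: "github-actions"
    directory: "/"              # workflows are discovered under .github/workflows
    schedule:
      interval: "weekly"
    cooldown:
      default-days: 7
    commit-message:
      prefix: "chore(deps)"
    groups:
      github-actions:           # assumption: group name is illustrative
        patterns:
          - "*"
```

Two things to check after the first scheduled run: the repository's Dependabot tab reports any parse error in this file, and `@posthog/warlock` should appear as its own PR rather than inside the `npm-routine` group. If a finer cooldown is wanted, `cooldown` also accepts per-semver-level keys (`semver-major-days`, `semver-minor-days`, `semver-patch-days`) alongside `default-days`.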