From 82280fc1291d4df3a7a106e92ad76e68ad8c2a71 Mon Sep 17 00:00:00 2001 From: sarahxsanders Date: Sun, 28 Jun 2026 11:18:58 -0400 Subject: [PATCH 1/5] ci: add dependabot for npm version bumps Open weekly version-bump PRs for npm dependencies, gated by the existing Build/Lint/Test workflow. Keep @posthog/warlock ungrouped so a bump that adds a new rule category surfaces as its own PR, where the typed CATEGORY_DESCRIPTIONS build break forces matching copy before merge. Co-Authored-By: Claude Opus 4.8 --- .github/dependabot.yml | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 00000000..effe5530 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,29 @@ +# Dependabot keeps dependencies current by opening version-bump PRs. +# Every PR runs the Build / Lint / Test workflow (.github/workflows/build.yml), +# which is the gate that must pass before a human merges. +# +# Why @posthog/warlock is pulled out of the group: a warlock bump can add a new +# rule category. The user-facing abort copy lives in a typed +# `Record` (src/lib/yara-hooks.ts), so a new category breaks +# `pnpm build` until the matching copy is added. Keeping warlock ungrouped means +# that signal lands in its own PR instead of being hidden inside a batch of +# unrelated bumps. +version: 2 +updates: + - package-ecosystem: 'npm' # also covers the pnpm workspace + directory: '/' + schedule: + interval: 'weekly' + open-pull-requests-limit: 10 + # Conventional-commit prefix so titles pass pr-conventional-commit.yml. + commit-message: + prefix: 'chore' + include: 'scope' + groups: + # Batch routine updates into a single rolling PR to keep noise low. + # Everything EXCEPT warlock, which we want isolated (see header). + npm-dependencies: + patterns: + - '*' + exclude-patterns: + - '@posthog/warlock' From 628709d987ef189791818b7a68d94f1d49ad4d92 Mon Sep 17 00:00:00 2001 
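Review bot: The `npm-dependencies` group in this hunk catches every update type, so a major bump (new maintainer, changed build scripts, dropped platform) lands in the same rolling PR as routine patch bumps and gets the same glance. Dependabot groups default to all update types when `update-types` is omitted, so adding `update-types: ['minor', 'patch']` under the group would leave majors to open as their own PRs, each reviewable on its own. That also keeps one breaking major from stalling the whole batch behind the build gate. The warlock exclusion is unaffected by this; it still gets its own PR.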
From: sarahxsanders Date: Sun, 28 Jun 2026 11:21:29 -0400 Subject: [PATCH 2/5] ci: also bump pinned github-actions SHAs via dependabot Actions are pinned by commit SHA for supply-chain safety, so they go stale silently. Add a github-actions ecosystem block (weekly, grouped) that bumps the SHA and updates the version comment. Co-Authored-By: Claude Opus 4.8 --- .github/dependabot.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index effe5530..10c27a04 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -27,3 +27,20 @@ updates: - '*' exclude-patterns: - '@posthog/warlock' + + # GitHub Actions are pinned by commit SHA (e.g. actions/checkout@), which + # is the secure choice but means the pins go stale and miss upstream security + # patches. Dependabot bumps the SHA and updates the trailing version comment. + - package-ecosystem: 'github-actions' + directory: '/' # scans .github/workflows + schedule: + interval: 'weekly' + open-pull-requests-limit: 5 + commit-message: + prefix: 'ci' + include: 'scope' + groups: + # One rolling PR for all action bumps. + github-actions: + patterns: + - '*' From 52be683e0252116f891f26f2bac842e5abbd96cf Mon Sep 17 00:00:00 2001 From: sarahxsanders Date: Sun, 28 Jun 2026 11:23:56 -0400 Subject: [PATCH 3/5] ci: trim dependabot config comments Co-Authored-By: Claude Opus 4.8 --- .github/dependabot.yml | 27 +++++++-------------------- 1 file changed, 7 insertions(+), 20 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 10c27a04..fcb81ea9 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
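Review bot: The new header comment's example reads `actions/checkout@` with nothing after the `@`, so the illustration of a SHA pin is missing the SHA it is meant to show; that may be an artifact of how this page was captured, but it is worth confirming the committed text. Two caveats a reader of this block would want: Dependabot resolves the new SHA from the upstream tag, so a bump inherits whatever a moved or hijacked tag points at, and the reviewer of the grouped PR still has to check each SHA against the upstream release rather than trusting the version comment; and, as I understand Dependabot's github-actions support, `directory: '/'` covers `.github/workflows` only, so any composite actions under `.github/actions/*/action.yml` (if the repo has them) would need their own `directory` entry. A comment such as `# Dependabot follows the upstream tag to pick the new SHA — verify each bump against the release before merging` would carry the first point in the file.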
@@ -1,38 +1,26 @@ -# Dependabot keeps dependencies current by opening version-bump PRs. -# Every PR runs the Build / Lint / Test workflow (.github/workflows/build.yml), -# which is the gate that must pass before a human merges. -# -# Why @posthog/warlock is pulled out of the group: a warlock bump can add a new -# rule category. The user-facing abort copy lives in a typed -# `Record` (src/lib/yara-hooks.ts), so a new category breaks -# `pnpm build` until the matching copy is added. Keeping warlock ungrouped means -# that signal lands in its own PR instead of being hidden inside a batch of -# unrelated bumps. +# Weekly version-bump PRs, gated by build.yml before merge. version: 2 updates: - - package-ecosystem: 'npm' # also covers the pnpm workspace + - package-ecosystem: 'npm' # covers the pnpm workspace directory: '/' schedule: interval: 'weekly' open-pull-requests-limit: 10 - # Conventional-commit prefix so titles pass pr-conventional-commit.yml. - commit-message: + commit-message: # prefix keeps titles conventional-commit valid prefix: 'chore' include: 'scope' groups: - # Batch routine updates into a single rolling PR to keep noise low. - # Everything EXCEPT warlock, which we want isolated (see header). + # Batch routine bumps; isolate warlock so a new rule category (which + # breaks the typed copy map in src/lib/yara-hooks.ts) lands in its own PR. npm-dependencies: patterns: - '*' exclude-patterns: - '@posthog/warlock' - # GitHub Actions are pinned by commit SHA (e.g. actions/checkout@), which - # is the secure choice but means the pins go stale and miss upstream security - # patches. Dependabot bumps the SHA and updates the trailing version comment. + # Actions are SHA-pinned; bump the SHA and its version comment. - package-ecosystem: 'github-actions' - directory: '/' # scans .github/workflows + directory: '/' schedule: interval: 'weekly' open-pull-requests-limit: 5 
@@ -40,7 +28,6 @@ updates: prefix: 'ci' include: 'scope' groups: - # One rolling PR for all action bumps. github-actions: patterns: - '*' From 16f0ba0fe9ba503dc1dd13441fb59fb1b6a9490a Mon Sep 17 00:00:00 2001 From: sarahxsanders Date: Sun, 28 Jun 2026 11:31:20 -0400 Subject: [PATCH 4/5] ci: move warlock-exclusion comment to the exclude line Co-Authored-By: Claude Opus 4.8 --- .github/dependabot.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index fcb81ea9..71d26ea3 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -10,11 +10,11 @@ updates: prefix: 'chore' include: 'scope' groups: - # Batch routine bumps; isolate warlock so a new rule category (which - # breaks the typed copy map in src/lib/yara-hooks.ts) lands in its own PR. - npm-dependencies: + npm-dependencies: # batch routine bumps into one PR patterns: - '*' + # Isolate warlock: a new rule category breaks the typed copy map + # (src/lib/yara-hooks.ts), so its bump needs its own PR. exclude-patterns: - '@posthog/warlock' From df95dc08435b8d42712c604545757310df7185d5 Mon Sep 17 00:00:00 2001 From: sarahxsanders Date: Sun, 28 Jun 2026 11:41:18 -0400 Subject: [PATCH 5/5] ci: add 7-day dependabot cooldown (supply-chain policy) Satisfies the semgrep dependabot-missing-cooldown rule: wait out a release before bumping so a yanked/compromised version is never picked. Co-Authored-By: Claude Opus 4.8 --- .github/dependabot.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 71d26ea3..9b8cfc80 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -6,6 +6,8 @@ updates: schedule: interval: 'weekly' open-pull-requests-limit: 10 + cooldown: # wait out a release before bumping (supply-chain safety) + default-days: 7 commit-message: # prefix keeps titles conventional-commit valid prefix: 'chore' include: 'scope' 
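Review bot: The cooldown added in this hunk is a delay, not the guarantee the commit message describes: `default-days: 7` is measured from the version's publish date, so a compromised release that goes unreported for a week is still bumped, and one yanked on day eight was already taken. The inline comment should say as much, e.g. `cooldown:  # only take versions published ≥7 days ago — time for a bad release to be yanked/flagged, not a guarantee`. It is also worth confirming whether this repo's Dependabot security updates honor the cooldown, since a 7-day wait on a CVE fix is a deliberate tradeoff that deserves a sentence here; `cooldown.exclude` can carve out packages that must move faster.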
@@ -24,6 +26,8 @@ updates: schedule: interval: 'weekly' open-pull-requests-limit: 5 + cooldown: + default-days: 7 commit-message: prefix: 'ci' include: 'scope'
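Review bot: The github-actions `cooldown` block in this hunk has no comment, unlike its npm counterpart, and it quietly postpones the very upstream security patches the SHA-pin bumps were added to catch. A one-liner such as `cooldown:  # same 7-day wait as npm: lets a hijacked tag or bad release get reported before we pin to it` records the tradeoff for the next maintainer. If Dependabot's per-type knobs apply to this ecosystem (I believe `semver-patch-days` does for semver-tagged actions), a shorter wait for patch releases would narrow the window without giving up the guard on major bumps; worth confirming against the current docs before relying on it.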