chore: fix Dependabot lockfile mismatch + Rule 1 GH-Actions exemption #153
Merged
Two related fixes:

1. dependabot.yml: move npm block from /happyhq back to /. The /happyhq block was producing PRs that updated happyhq/package.json without regenerating the root pnpm-lock.yaml, leaving every PR with red CI (ERR_PNPM_OUTDATED_LOCKFILE). With pnpm workspaces the lockfile lives at the repo root, so Dependabot has to monitor / to update both. The original duplication problem that caused PR #135 to drop / only happened because both blocks were active; with only / and the consolidated ignore list, no leak.

2. dependency-rules.md Rule 1: exempt dependabot/github_actions/* PRs from the protected-paths skip rule when the diff is limited to uses: line changes. Action version bumps are mechanical version pins, not authored CI edits — the whole reason we added the github-actions ecosystem to dependabot.yml was to merge them.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Surfaced during the deps-loop dry-run triage. Two related fixes.
1. Dependabot lockfile mismatch (the urgent one)
Every npm Dependabot PR opened against `/happyhq` is currently broken — CI fails with `ERR_PNPM_OUTDATED_LOCKFILE` because Dependabot updates `happyhq/package.json` but doesn't regenerate the root `pnpm-lock.yaml`. The lockfile sits at the repo root (pnpm workspaces) and is outside the configured `directory: /happyhq` scope. This makes Dependabot effectively non-functional for the npm ecosystem — neither Ralphie nor a human can merge any of these PRs without manual lockfile fixup.
Fix: move the npm block back to `directory: /`. The reason we dropped `/` in #135 was duplicate PRs — but that only happened because both `/` and `/happyhq` blocks were active. With only `/` plus the consolidated ignore list, there's no duplication and no leak (the ignore list applies to all workspace deps).
Confirmed by inspection: PR #129 (from the old `/` block) correctly touches `pnpm-lock.yaml`; PR #126 (from the `/happyhq` block) only touches `happyhq/package.json` and fails CI for that reason.
2. Rule 1 over-fires on GH-Actions Dependabot PRs
The deps-loop's triage rules treat any PR touching `.github/` as out-of-scope. That correctly blocks the agent from authoring CI changes, but it also catches `actions/checkout 5→6`-style PRs — which are mechanical version-pin updates to `uses:` lines, not authored CI edits. The whole reason we added the `github-actions` ecosystem to `dependabot.yml` was to merge those.
Fix: exempt `dependabot/github_actions/*` PRs from Rule 1 when the diff is limited to `uses:` line changes. The "uses-only" guard is the safety net — the agent verifies the diff is just version pins before trusting the exemption.
Cleanup of broken PRs
The 5 currently-red Dependabot PRs (#126, #127, #129, #133, #136) will be closed separately so they don't pollute the queue once this lands. Dependabot's next run from the new `/` config will produce correctly-locked replacements.
Test plan
🤖 Generated with Claude Code
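The "uses-only" guard that the Rule 1 exemption relies on is the part worth getting right: if the agent trusts the `dependabot/github_actions/*` branch name alone, anyone who can push to such a branch (or a Dependabot bug) could slip an authored CI edit past the protected-paths rule. The following is an added illustration, not the deps-loop's own code, of how that check can be done against the PR's unified diff. It accepts the diff only when every changed line is a `uses: owner/repo@ref` pin inside `.github/workflows/` or `.github/actions/` and every removed pin is replaced by the same action at a different ref; a new step, a `run:` edit, a swapped action, a new or deleted workflow, or a touched file elsewhere rejects it, so the PR falls back to Rule 1. The sample diffs, branch conventions and the `uses_only` function are all constructed here; the guard assumes `docker://` and local `./` actions never appear in a Dependabot bump, so those are rejected as well.

```python
"""Uses-only guard for dependabot/github_actions PRs (constructed example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# "- uses: owner/repo@ref" with an optional trailing "# v6" comment (SHA pins).
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^@\s]+)@(\S+)\s*(?:#.*)?$")
ALLOWED_DIRS = (".github/workflows/", ".github/actions/")


@dataclass
class GuardResult:
    ok: bool
    reasons: List[str] = field(default_factory=list)
    # action name -> (old_ref, new_ref) for every pin that was bumped
    bumps: Dict[str, Tuple[str, str]] = field(default_factory=dict)


def uses_only(diff_text: str) -> GuardResult:
    """Return ok=True only if the diff is nothing but version bumps of uses: lines."""
    reasons: List[str] = []
    removed: Dict[str, List[str]] = {}
    added: Dict[str, List[str]] = {}
    current_file: Optional[str] = None
    in_hunk = False  # ---/+++ are file headers only before the first @@ of a file

    for line in diff_text.splitlines():
        if line.startswith("diff --git "):
            in_hunk, current_file = False, None
            continue
        if not in_hunk:
            if line.startswith("--- /dev/null"):
                reasons.append("new file added (not a version bump)")
            elif line.startswith("+++ /dev/null"):
                reasons.append("file deleted (not a version bump)")
            elif line.startswith("--- ") or line.startswith("+++ "):
                path = line[4:].strip()
                current_file = path[2:] if path[:2] in ("a/", "b/") else path
            elif line.startswith("@@"):
                in_hunk = True
            continue
        if line.startswith("@@") or line.startswith("\\") or not line[:1] in "+-":
            continue  # next hunk header, "\ No newline", or unchanged context
        sign, content = line[0], line[1:]
        if current_file is None or not current_file.startswith(ALLOWED_DIRS):
            reasons.append(f"changed line outside workflow/action files: {current_file}")
            continue
        m = USES_LINE.match(content)
        if not m:
            reasons.append(f"non-uses change in {current_file}: {content.strip()!r}")
            continue
        (removed if sign == "-" else added).setdefault(m.group(1), []).append(m.group(2))

    bumps: Dict[str, Tuple[str, str]] = {}
    for action in sorted(set(removed) | set(added)):
        old, new = removed.get(action, []), added.get(action, [])
        if not old:
            reasons.append(f"new action introduced: {action}")
        elif not new:
            reasons.append(f"action removed: {action}")
        elif len(old) != len(new):
            reasons.append(f"unbalanced edit of {action}: {len(old)} removed, {len(new)} added")
        else:
            bumps[action] = (old[0], new[0])  # same action, ref changed
    if not bumps and not reasons:
        reasons.append("no uses: changes found")
    return GuardResult(ok=not reasons, reasons=reasons, bumps=bumps)


# Constructed sample diffs (fake index hashes, fake org names).
GOOD_BUMP = """\
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 0000000..1111111 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - uses: pnpm/action-setup@v4
"""
# Same bump, but with an authored step smuggled in alongside it.
AUTHORED_STEP = GOOD_BUMP.replace(
    "+      - uses: actions/checkout@v6\n",
    '+      - uses: actions/checkout@v6\n+      - run: echo "${{ secrets.NPM_TOKEN }}" > /tmp/t\n',
).replace("@@ -10,7 +10,7 @@", "@@ -10,7 +10,8 @@")
# Pin "bumped" to a different action entirely.
SWAPPED_ACTION = GOOD_BUMP.replace("actions/checkout@v6", "someone-else/checkout@v6")

if __name__ == "__main__":
    for name, diff in (("bump", GOOD_BUMP), ("authored step", AUTHORED_STEP),
                       ("swapped action", SWAPPED_ACTION)):
        r = uses_only(diff)
        print(f"{name}: {'exempt from Rule 1' if r.ok else 'Rule 1 applies'}", r.bumps or r.reasons)
```

The check is deliberately stricter than "only `uses:` lines changed": pairing removed and added pins by action name catches the case where a pin is replaced with a different action under the same version, which a line-type check alone would accept. Combining it with the branch-name prefix gives two independent conditions before the exemption fires.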