From 32b673dae63b19b0f193713bb2767c95454bc470 Mon Sep 17 00:00:00 2001 From: jrphilo Date: Fri, 1 May 2026 21:31:59 -0700 Subject: [PATCH] chore: fix Dependabot lockfile mismatch + Rule 1 GH-Actions exemption MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Two related fixes: 1. dependabot.yml: move npm block from /happyhq back to /. The /happyhq block was producing PRs that updated happyhq/package.json without regenerating the root pnpm-lock.yaml, leaving every PR with red CI (ERR_PNPM_OUTDATED_LOCKFILE). With pnpm workspaces the lockfile lives at the repo root, so Dependabot has to monitor / to update both. The original duplication problem that caused PR #135 to drop / only happened because both blocks were active; with only / and the consolidated ignore list, no leak. 2. dependency-rules.md Rule 1: exempt dependabot/github_actions/* PRs from the protected-paths skip rule when the diff is limited to uses: line changes. Action version bumps are mechanical version pins, not authored CI edits — the whole reason we added the github-actions ecosystem to dependabot.yml was to merge them. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/dependabot.yml | 2 +- happyhq/.dev/dependency-rules.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index da32536..0f54bf4 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,7 +1,7 @@ version: 2 updates: - package-ecosystem: npm - directory: /happyhq + directory: / schedule: interval: weekly open-pull-requests-limit: 5 diff --git a/happyhq/.dev/dependency-rules.md b/happyhq/.dev/dependency-rules.md index caa7eac..156a49b 100644 --- a/happyhq/.dev/dependency-rules.md +++ b/happyhq/.dev/dependency-rules.md 
@@ -14,7 +14,7 @@ Apply in order — bail at the earliest stop. The first three are evaluable from | # | Condition | Label applied | What unblocks it | | --- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------- | ---------------------------------------------------- | -| 1 | PR diff would touch `happyhq/ee/`, `.github/`, CI workflows, `dependabot.yml`, or licensing files | `ralphie:skip-out-of-scope` | Maintainer scopes the change; remove label | +| 1 | PR diff would touch `happyhq/ee/`, `.github/`, CI workflows, `dependabot.yml`, or licensing files — **except** PRs from the `dependabot/github_actions/*` branch family where the diff is limited to `uses:` line changes in workflow files (those are mechanical version pins, not authored CI edits, and are eligible for Phase 2) | `ralphie:skip-out-of-scope` | Maintainer scopes the change; remove label | | 2 | CI on the PR is red and the failure is unrelated to the version bump (infra flake, lint config drift, network timeout, etc.) | `ralphie:skip-ci-red` | Investigate the CI failure; remove label | | 3 | Update is one of: framework major (`next`, `react`, `react-dom`); security-sensitive runtime major (auth, crypto, billing — e.g., `stripe` ≥2 majors at once, `instantdb`, JWT/OIDC libs); pre-1.0 → 1.0 jump on a runtime dep | `ralphie:skip-manual-upgrade` | Maintainer upgrades and reviews; remove label | | 4 | (Phase 2) Fixups would exceed 10 files or 300 lines net added (`*.md`/`*.mdx` and lockfile/package.json excluded from the count) | `ralphie:skip-too-big` | Scope it down or do it manually |
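Review bot: for the `.github/dependabot.yml` hunk, the visible change is only `directory: /happyhq` to `directory: /`, but the commit message relies on a "consolidated ignore list" to stop the duplicate-PR leak that PR #135 hit, and that list is outside the `@@ -1,7 +1,7 @@` context. Confirm that the `ignore:` entries which applied to the old `/happyhq` block now sit under the `/` block in the same change; otherwise the root block will re-open the PRs the old block was suppressing. A cheap check before merge is to trigger a Dependabot run and confirm the resulting npm PR touches both `happyhq/package.json` and the root `pnpm-lock.yaml`, which is the failure mode (`ERR_PNPM_OUTDATED_LOCKFILE`) this move is meant to fix.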
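Review bot: the new Rule 1 exemption in `dependency-rules.md` keys on the `dependabot/github_actions/*` branch name and on the diff being limited to `uses:` lines, and neither condition establishes that the change is a mechanical version pin. A branch name is chosen by whoever pushes it, so the exemption should require the PR author to be `dependabot[bot]` rather than trust the branch family. A `uses:` line edit can also change the action's `owner/repo`, not just the ref after `@`, and an action runs with the workflow's token and secrets, so swapping the action is an authored CI change, not a pin. Suggested wording for the exception clause: "where the diff is limited to the ref after `@` on `uses:` lines in workflow files, the action path is unchanged, the pin format (tag or commit SHA) is preserved, and the PR is authored by `dependabot[bot]`". The Phase 2 eligibility note can stay as written.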