[Issue #612] Dependabot and catalog dependency update automation #647
bryan-thompsoncodes wants to merge 18 commits into main from
Conversation
@bryan-thompsoncodes Building on the stack diff conversation yesterday, would it be possible to stack this on a smaller PR that simply creates a new placeholder GitHub action, so that way we can test the full workflow, including the action, on the branch?
436eef6 to 6998232

Really appreciate the feedback, @widal001, both suggestions made this a lot cleaner. Added per-package ci scripts and root-level ci:core, ci:cli, ci:sdk, ci:changelog-emitter, ci:website shortcuts plus an aggregate ci that runs them all in dependency order. Also split into a stacked PR per your suggestion: #658 is the base with the ci scripts + workflow, this PR is rebased on top. We'll want to review and merge #658 first, then this one.
74e6e0a to 9bf65e3

…ies label
- Create .github/dependabot.yml with 8 ecosystem entries across 3 worlds (root workspace, isolated templates/examples, GitHub Actions)
- Root workspace ignores catalog-managed deps to avoid dependabot-core bugs
- Add lib/changelog-emitter to .changeset/config.json packages array
- Add dependencies label to .github/labeler.yml for auto-labeling dep PRs
Ref: #612

- Create .github/scripts/update-catalog-deps.sh for updating pnpm catalog deps with --dry-run support (avoids dependabot-core catalog bugs)
- Create deps-catalog-check.yml scheduled workflow (weekly Monday 7am PT) that opens PRs via peter-evans/create-pull-request when catalog deps are stale
- Create ci-catalog-validation.yml that validates all workspace packages when pnpm-workspace.yaml changes (catches peerDep breakage)
Ref: #612
Document the split strategy (Dependabot + catalog workflow), changeset expectations, three-place sync for catalog deps, troubleshooting, and known upstream issues. Ref: #612
- Fix bug: add explicit pnpm update for website catalog vitest (^4.x)
- Fix fragile string parsing: use pnpm outdated exit code instead of grep for 'All packages are up to date'
- Add self-trigger: ci-catalog-validation.yml now triggers on its own file changes (matches existing CI patterns)
- Document major version bump behavior in DEPENDENCY_MANAGEMENT.md
Ref: #612
The ci-catalog-validation workflow now handles lockfile changes by running all package checks. Removing the duplicate trigger from individual workflows prevents running each package's CI twice.
dfd981f to 53c97b2

```sh
# IMPORTANT: Must match the `catalog:` section in pnpm-workspace.yaml.
# The validation below will fail if they drift apart.
DEFAULT_CATALOG_DEPS=(
  "@types/node"
```

Is there a way to refactor this script so that when we add a dependency we don't have to remember to update this script as well?

Done ✅ the script now parses catalog deps directly from pnpm-workspace.yaml instead of maintaining a hardcoded list. I also added a CI check in ci-catalog-validation.yml that validates every catalog dep has a matching Dependabot ignore entry, so if someone adds a dep to the catalog but forgets dependabot.yml, the PR fails.
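The check described in the reply above, as an added example rather than the project's own update-catalog-deps.sh or its ci-catalog-validation.yml step: a POSIX shell script that reads the dependency names under the `catalog:` key of pnpm-workspace.yaml and verifies that each one is covered by a `dependency-name` entry in dependabot.yml (glob entries such as `@typespec/*` count as coverage), exiting non-zero when the two files drift. The sample workspace and Dependabot files are constructed inline; treating every `dependency-name:` line as part of an `ignore:` block (rather than an `allow:` block) is a simplification this example assumes. A dep that is in the catalog but not ignored is exactly the case where Dependabot would try to update a catalog-managed package and hit the lockfile bugs the PR describes, so failing CI on the mismatch keeps the workaround honest.

```shell
#!/bin/sh
# Added example (not the project's script): derive the pnpm catalog dependency
# list from pnpm-workspace.yaml and verify that each catalog dep is covered by
# an `ignore:` entry in .github/dependabot.yml, so the two files cannot drift.
# All file contents, package names and version ranges below are constructed.

# Print the dependency names under the top-level `catalog:` key, one per line.
catalog_deps() {
  awk '
    /^catalog:/                            { in_cat = 1; next }
    in_cat && /^[^[:space:]#]/             { in_cat = 0 }   # next top-level key ends the section
    in_cat && /^[[:space:]]+[^[:space:]#]/ {
      key = $1
      sub(/:$/, "", key)                   # drop the trailing colon
      gsub(/["'\'']/, "", key)             # drop surrounding quotes
      print key
    }
  ' "$1" | sort
}

# Print every `dependency-name:` value (glob patterns such as "@typespec/*"
# are kept verbatim). Assumes these lines only occur under `ignore:` blocks.
ignored_patterns() {
  sed -n 's/^[[:space:]]*-[[:space:]]*dependency-name:[[:space:]]*//p' "$1" | tr -d "\"'"
}

# Exit 0 when every catalog dep matches some ignore pattern; otherwise report
# the uncovered deps on stderr and exit 1 (usable directly as a CI gate).
check_catalog_ignored() {
  ws_file=$1
  db_file=$2
  patterns=$(ignored_patterns "$db_file")
  missing=0
  set -f                                   # keep "*" patterns from expanding against the filesystem
  for dep in $(catalog_deps "$ws_file"); do
    covered=0
    for pat in $patterns; do
      case "$dep" in
        $pat) covered=1; break ;;          # unquoted $pat is matched as a glob pattern
      esac
    done
    if [ "$covered" -eq 0 ]; then
      echo "catalog dep '$dep' has no Dependabot ignore entry" >&2
      missing=$((missing + 1))
    fi
  done
  set +f
  [ "$missing" -eq 0 ]
}

# Write constructed sample files into "$1": a workspace with three catalog deps,
# a dependabot.yml that covers them all, and one that forgot vitest.
write_samples() {
  dir=$1
  cat > "$dir/pnpm-workspace.yaml" <<'EOF'
packages:
  - "lib/*"
catalog:
  "@types/node": ^22.0.0
  "@typespec/compiler": ^1.0.0
  vitest: ^3.0.0
EOF
  cat > "$dir/dependabot-ok.yml" <<'EOF'
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    ignore:
      - dependency-name: "@types/node"
      - dependency-name: "@typespec/*"
      - dependency-name: "vitest"
EOF
  cat > "$dir/dependabot-drift.yml" <<'EOF'
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    ignore:
      - dependency-name: "@types/node"
      - dependency-name: "@typespec/*"
EOF
}

# Demo run on the constructed samples.
SAMPLE_DIR=$(mktemp -d)
write_samples "$SAMPLE_DIR"
if check_catalog_ignored "$SAMPLE_DIR/pnpm-workspace.yaml" "$SAMPLE_DIR/dependabot-ok.yml"; then
  echo "ok: every catalog dep has a Dependabot ignore entry"
fi
if ! check_catalog_ignored "$SAMPLE_DIR/pnpm-workspace.yaml" "$SAMPLE_DIR/dependabot-drift.yml"; then
  echo "drift detected, as expected (vitest is in the catalog but not ignored)"
fi
rm -rf "$SAMPLE_DIR"
```

In a real workflow the two file arguments would be `pnpm-workspace.yaml` and `.github/dependabot.yml` from the checkout, and the non-zero exit is what fails the job.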
```markdown
- [ ] CI passes (catalog validation runs all workspace package checks)
- [ ] If TypeSpec packages updated: verify `pnpm run typespec` output is sensible
- [ ] If this is a **major** version bump: review changelog of updated packages
- [ ] Add changeset if peerDep ranges changed for `@common-grants/core` or `typespec-versioning-changelog`
```

Should we add a checklist item for general validation? Like if it's the website be sure to validate the pages or ensure that the SDKs work as expected.

Good call, I added two items: "If website deps updated: spot-check key pages render correctly" and "If SDK-affecting deps updated: verify SDK examples still work."
.github/dependabot.yml (outdated)

```yaml
- package-ecosystem: "npm"
  directory: "/"
  schedule:
    interval: "weekly"
```

Should we perhaps run this daily? Or instead have a way to manually kick off this flow in the case that we have an urgent update that needs to be resolved?

Yes to both, I'll adjust to daily and add the manual trigger.

Changed to daily. The catalog workflow deps-catalog-check.yml already supports workflow_dispatch for manual runs from the Actions tab.
Left a few questions/comments. Overall it looks really good!

🚀 Website Preview Deployed! Preview your changes at: https://cg-pr-647.billy-daly.workers.dev This preview will be automatically deleted when the PR is closed.

Thank you for the review @jcrichlake, I implemented some adjustments to incorporate your feedback.
Summary
Changes proposed
Implements a split dependency update strategy (builds on the `ci` scripts and `ci-catalog-validation.yml` workflow from #658):

- `.github/dependabot.yml` with 8 ecosystem entries, grouped updates, and staggered schedules. Root workspace runs daily; templates and Actions run weekly/monthly.
- (`@typespec/*`, `vitest`, `@types/node`) via `deps-catalog-check.yml`: runs weekly, opens PRs via `peter-evans/create-pull-request`. The update script parses catalog deps directly from `pnpm-workspace.yaml` (no hardcoded list to maintain).

Also adds:

- `lib/changelog-emitter` to `.changeset/config.json` (was missing from changeset tracking)
- `dependencies` label to `.github/labeler.yml` for auto-labeling dependency PRs
- `DEPENDENCY_MANAGEMENT.md` documenting the full strategy

Context for reviewers

Why two systems? Dependabot has 5 open bugs with pnpm workspace catalogs that corrupt the lockfile. Since all 15 CI workflows use `--frozen-lockfile`, any catalog corruption fails CI. The scheduled workflow avoids this by running `pnpm update` + `pnpm install` directly, producing a clean lockfile.

Why no auto-changeset? `GITHUB_TOKEN` cannot push to Dependabot branches (read-only since Dec 2021). Since only `lib/cli` and `lib/ts-sdk` have production deps that would need changesets, and those change infrequently, manual changeset creation on those rare PRs is simpler than a PAT or two-workflow workaround.

Testing: The catalog update script was tested locally (`--dry-run` mode). Workflow YAML can only be validated post-merge by triggering `deps-catalog-check` via `workflow_dispatch` and watching for initial Dependabot PRs.

Post-merge validation plan:

- `deps-catalog-check` manually via Actions tab
- `ci-catalog-validation` triggers when `pnpm-workspace.yaml` changes

Additional information

See `DEPENDENCY_MANAGEMENT.md` for the full strategy docs. When adding a new catalog dep, only two places need updating: `pnpm-workspace.yaml` and the Dependabot ignore list. The update script reads from the YAML directly. When dependabot-core fixes the catalog bugs, the scheduled workflow can be removed and all deps moved back to Dependabot. The split is a workaround, not a permanent design.