chore(ci): dependabot auto-merge + slimmed CI gates#211
Conversation
Pull request overview
This PR introduces automated merging for low-risk Dependabot updates and attempts to reduce CI friction by skipping server/client quality gates when changes don’t affect those areas.
Changes:
- Add a pull_request_target workflow to auto-approve and enable auto-merge for Dependabot patch/minor PRs, while flagging majors for manual review.
- Update Dependabot configuration to group npm updates into production vs development dependency batches, and group GitHub Actions patch/minor updates.
- Add path-based filtering to CI to avoid running server/client quality gates for unrelated changes.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .github/workflows/dependabot-auto-merge.yml | Adds privileged Dependabot auto-approval + auto-merge workflow. |
| .github/workflows/ci.yml | Adds workflow-level paths filter and step-level filtering to skip server/client checks when unaffected. |
| .github/dependabot.yml | Expands grouping strategy for npm and GitHub Actions updates; documents auto-merge policy. |
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix prepared a fix for the issue found in the latest run.
- ✅ Fixed: Paths-filter before checkout breaks push-to-main CI
- Added unconditional actions/checkout before dorny/paths-filter in server-quality and client-quality so push events have a local git repo for git diff.
Preview (206b53a0e2)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -46,6 +46,9 @@
runs-on: ubuntu-latest
timeout-minutes: 20
steps:
+ # paths-filter uses git diff on push events; repository must be checked out first.
+ - uses: actions/checkout@v6
+
- name: Detect server-affecting changes
id: filter
uses: dorny/paths-filter@v3
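Review bot: the new unconditional `actions/checkout@v6` fixes the push-event failure, but both it and `dorny/paths-filter@v3` are referenced by mutable tags; since this job feeds a required quality gate and the same PR introduces a privileged pull_request_target workflow, pin each `uses:` to a full commit SHA (tag in a trailing comment) so a retagged release cannot change what runs on main. Also confirm that paths-filter's push-mode `git diff` has the commits it needs with checkout's default shallow clone; if not, add `fetch-depth: 0` (or the action's `base` input) now rather than discovering it on the next push to main.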
@@ -59,9 +62,6 @@
- '.github/workflows/ci.yml'
- if: steps.filter.outputs.server == 'true' || github.event_name == 'push'
- uses: actions/checkout@v6
-
- - if: steps.filter.outputs.server == 'true' || github.event_name == 'push'
name: Use Node.js 20
uses: actions/setup-node@v6
with:
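Review bot: the hunk header says 9 lines became 6, but only four `-` lines and no `+` line are visible here, so as shown the `name: Use Node.js 20` step loses both its `- ` list marker and its `if: steps.filter.outputs.server == 'true' || github.event_name == 'push'` guard; check that the committed file still carries `- if: ...` on the setup-node step (and on the guarded steps after it), otherwise the path filter is computed and then ignored and every server step runs on every PR.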
@@ -186,6 +186,9 @@
runs-on: ubuntu-latest
timeout-minutes: 15
steps:
+ # paths-filter uses git diff on push events; repository must be checked out first.
+ - uses: actions/checkout@v6
+
- name: Detect client-affecting changes
id: filter
uses: dorny/paths-filter@v3
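Review bot: this is the second copy of the same checkout-then-`dorny/paths-filter@v3` preamble, and each copy carries its own filter list (both ending in `'.github/workflows/ci.yml'`); moving the filter into one `changes` job with `outputs:` and having server-quality and client-quality declare `needs: changes` keeps the two lists from drifting and means a fix like this one lands in one place instead of two.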
@@ -198,9 +201,6 @@
- '.github/workflows/ci.yml'
- if: steps.filter.outputs.client == 'true' || github.event_name == 'push'
- uses: actions/checkout@v6
-
- - if: steps.filter.outputs.client == 'true' || github.event_name == 'push'
name: Use Node.js 20
uses: actions/setup-node@v6
with:
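Review bot: the retained guard `steps.filter.outputs.client == 'true' || github.event_name == 'push'` means the filter's result is never consulted on push events, so the push-mode `git diff` that motivated the unconditional checkout is wasted work there; either give the filter step `if: github.event_name == 'pull_request'` (the `||` short-circuit already handles the empty output on push) or drop the `github.event_name == 'push'` clause so pushes to main are scoped by path as well. Pick one deliberately: the comment added in this hunk documents the mechanism but not which behaviour is intended.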
Reviewed by Cursor Bugbot for commit fd8b10b. Configure here.
Inline comment on .github/workflows/ci.yml, at:

      - '.github/workflows/ci.yml'
      - if: steps.filter.outputs.server == 'true' || github.event_name == 'push'
        uses: actions/checkout@v6
Paths-filter before checkout breaks push-to-main CI
High Severity
dorny/paths-filter@v3 runs as the very first step in both server-quality and client-quality, before actions/checkout. For pull_request events this works (it uses the GitHub REST API), but for push events (triggered on every merge to main) the action needs a local git repo to run git diff — without checkout it will fail. Because the step lacks continue-on-error: true, the job fails, all subsequent steps are skipped, and the quality-gate aggregator reports failure. This effectively breaks CI on every push to main.
Additional Locations (1)
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
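The failure mode Bugbot describes above (paths-filter needs a checked-out repository on push but not on pull_request) is easier to get right once if the filter runs in a single job whose outputs the quality jobs consume. The workflow below is an added example written for this page, not the project's ci.yml; the job names, the `server/**` and `client/**` globs, the npm commands and the `quality-gate` aggregator are assumptions about the project layout.

```yaml
# Added example, not the project's ci.yml. One `changes` job computes the path
# filters once; server-quality and client-quality consume them via `needs`.
# Job names, globs and npm commands are assumptions.
name: ci

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read
  pull-requests: read   # paths-filter reads the PR file list through the API

jobs:
  changes:
    runs-on: ubuntu-latest
    outputs:
      server: ${{ steps.filter.outputs.server }}
      client: ${{ steps.filter.outputs.client }}
    steps:
      # paths-filter uses the REST API on pull_request but `git diff` on push,
      # so the repository must be checked out before it runs.
      - uses: actions/checkout@v6
      - id: filter
        uses: dorny/paths-filter@v3
        with:
          filters: |
            server:
              - 'server/**'
              - '.github/workflows/ci.yml'
            client:
              - 'client/**'
              - '.github/workflows/ci.yml'

  server-quality:
    needs: changes
    # Always run on push to main; on PRs only when server paths changed.
    if: needs.changes.outputs.server == 'true' || github.event_name == 'push'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-node@v6
        with:
          node-version: 20
      - run: npm ci && npm test
        working-directory: server

  client-quality:
    needs: changes
    if: needs.changes.outputs.client == 'true' || github.event_name == 'push'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-node@v6
        with:
          node-version: 20
      - run: npm ci && npm test
        working-directory: client

  # Single check for branch protection to require. It runs even when a gate
  # was legitimately skipped, and fails only on a real failure or cancellation.
  quality-gate:
    needs: [server-quality, client-quality]
    if: always()
    runs-on: ubuntu-latest
    steps:
      - name: Fail if any gate failed or was cancelled
        if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')
        run: exit 1
```

Two points worth keeping in mind with this shape. Job-level `if:` skips report a `skipped` conclusion, which branch protection accepts, so `quality-gate` stays green on a docs-only PR. A workflow-level `paths:` filter is a different mechanism: when it prevents the whole workflow from running, GitHub leaves any required check from that workflow pending, and a PR that requires that check is blocked rather than let through.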
Adds dependabot auto-merge workflow, widens dependabot grouping, adds paths filters to CI to stop unrelated jobs blocking merges. See chat with Claude on 2026-05-11 for rationale.
Note: because the auto-merge workflow uses pull_request_target, GitHub will refuse to run it the very first time it is introduced via a dependabot PR — but it will run on all subsequent dependabot PRs once merged to the default branch. That is the desired behaviour.
Note
Medium Risk
Changes PR gating and introduces automated merging for dependency updates, which could let failures slip through if path filters or update-type detection are misconfigured. No application/runtime code changes, but CI/permissions behavior is affected.
Overview
Adds a new dependabot-auto-merge workflow using pull_request_target that auto-approves and enables squash auto-merge for Dependabot patch/minor PRs (and leaves a comment for majors). Updates Dependabot config to group npm updates by production vs development dependencies and to group GitHub Actions minor/patch updates, while continuing to ignore Prisma major bumps.
Slims CI friction by adding path-based triggers/filters so server-quality and client-quality (and related artifact uploads) run only when relevant files change, reducing unrelated jobs blocking merges.
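To make the auto-merge policy described in the PR concrete, here is an added example of such a pull_request_target workflow; it is not the project's dependabot-auto-merge.yml. It assumes dependabot/fetch-metadata for the update-type classification and the gh CLI for approval and auto-merge; the workflow name and the comment wording are invented.

```yaml
# Added example, not the project's dependabot-auto-merge.yml. Auto-approves and
# squash-auto-merges Dependabot patch/minor PRs, comments on majors.
# Workflow name and comment text are assumptions.
name: dependabot-auto-merge

on:
  pull_request_target:
    types: [opened, synchronize, reopened]

# Least privilege: enabling auto-merge needs contents + pull-requests write,
# nothing else.
permissions:
  contents: write
  pull-requests: write

jobs:
  auto-merge:
    # pull_request_target runs with the base repository's secrets, so gate on
    # the PR author, not the branch name, and never check out the PR head here.
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - name: Classify the update
        id: meta
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Approve and enable squash auto-merge for patch/minor
        if: >-
          steps.meta.outputs.update-type == 'version-update:semver-patch' ||
          steps.meta.outputs.update-type == 'version-update:semver-minor'
        run: |
          gh pr review --approve "$PR_URL"
          gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Flag major bumps for manual review
        if: steps.meta.outputs.update-type == 'version-update:semver-major'
        run: gh pr comment "$PR_URL" --body "Major version bump: needs manual review before merge."
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

`gh pr merge --auto` only queues the merge; it still waits for the branch's required checks, so the CI gates remain the actual control. The approval step works only if the repository allows GitHub Actions to approve pull requests; where that setting is off, an app or PAT token has to stand in for `GITHUB_TOKEN`. The author check is the important line: with pull_request_target, a job that ran for any contributor's PR with these permissions would let an untrusted PR be approved and merged on their behalf.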