chore: fix Dependabot config — target dev branch and auto-regenerate pnpm lockfile #436

@coderabbitai

Description

Tip

This issue hasn't been claimed yet. Comment /take if you'd like to work on it!


Overview

Two related Dependabot/CI issues were identified in PR #435 and the discussion in this comment:


Problem 1 — Dependabot targets main instead of dev

The project uses dev as an integration buffer before merging into main, but Dependabot is currently configured to open PRs directly against main. This bypasses the normal review/integration flow.

Fix: Update .github/dependabot.yml to set target-branch: dev for all ecosystems.
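As an added illustration (not taken from this issue or the project's repository), a .github/dependabot.yml with the fix applied; the ecosystems, directories and schedule are assumptions, with the workspace path borrowed from the workflow snippet in this issue:

```yaml
# .github/dependabot.yml (added example; directories and ecosystems are assumed,
# not copied from the project)
version: 2
updates:
  # The npm ecosystem covers pnpm workspaces; Dependabot reads package.json here.
  - package-ecosystem: npm
    directory: /example-apps/react-js
    schedule:
      interval: weekly
    # Without target-branch, Dependabot opens PRs against the repository's
    # default branch (main). Pointing it at dev keeps dependency bumps in the
    # integration buffer so they get the same review as every other change.
    # Note: target-branch applies to version updates; Dependabot security
    # updates are still raised against the default branch.
    target-branch: dev
    # Optional: batch minor and patch bumps into one PR to reduce PR noise.
    groups:
      minor-and-patch:
        update-types: [minor, patch]

  # Keep the pinned GitHub Actions in the workflows updated on the same branch.
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
    target-branch: dev
```

Every `updates` entry needs its own `target-branch`; there is no top-level default, which is why the fix says "for all ecosystems".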


Problem 2 — Dependabot does not regenerate pnpm-lock.yaml

Dependabot has limited native pnpm lockfile support and only updates package.json, leaving pnpm-lock.yaml out of sync. This causes CI workflows to fail on Dependabot PRs.

Fix options (pick one or combine):

  1. Add a GitHub Actions workflow that triggers on Dependabot PRs, runs pnpm install in the relevant workspace directory, and commits the updated lockfile back to the branch.
  2. Alternatively, use --no-frozen-lockfile in CI only for Dependabot branches, then commit the result.

A minimal workflow example:

name: Fix pnpm lockfile on Dependabot PRs
on:
  pull_request:
    branches: [dev]

jobs:
  update-lockfile:
    # Only run for PRs opened by Dependabot; other PRs keep the normal CI path.
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    # Workflows triggered by Dependabot get a read-only GITHUB_TOKEN by default;
    # contents: write is needed to push the regenerated lockfile back.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
        with:
          # Check out the PR head branch (not the synthetic merge ref) so the push lands on it.
          ref: ${{ github.head_ref }}
          token: ${{ secrets.GITHUB_TOKEN }}
      # pnpm must be installed before setup-node so that `cache: pnpm` can find it.
      # pnpm/action-setup@v4 takes the pnpm version from the packageManager field
      # in package.json unless a `version` input is given.
      - uses: pnpm/action-setup@v4
      - uses: actions/setup-node@v4
        with:
          node-version: lts/*
          cache: pnpm
          # The lockfile is not at the repository root; without this path the
          # cache step fails with "Dependencies lock file is not found".
          cache-dependency-path: example-apps/react-js/pnpm-lock.yaml
      - name: Regenerate lockfile
        # --no-frozen-lockfile lets pnpm rewrite pnpm-lock.yaml to match package.json.
        # A full install runs with a write-capable token in the checkout; if only the
        # lockfile is needed, `pnpm install --lockfile-only` avoids installing packages.
        run: pnpm install --no-frozen-lockfile
        working-directory: example-apps/react-js
      - name: Commit updated lockfile
        run: |
          git config user.name 'github-actions[bot]'
          git config user.email 'github-actions[bot]@users.noreply.github.com'
          git add example-apps/react-js/pnpm-lock.yaml
          # Commit only when the lockfile actually changed; the push is a no-op otherwise.
          git diff --cached --quiet || git commit -m 'chore: regenerate pnpm lockfile'
          git push

Acceptance Criteria

  • .github/dependabot.yml updated so all Dependabot PRs target dev
  • CI workflow (or equivalent) ensures pnpm-lock.yaml is always in sync on Dependabot PRs
  • Existing Dependabot PRs against main are closed/redirected after config change

Requested by @Ryan-Millard via PR #435.
