fix: improve reliability of dependency automation workflows

jenny-s51 · jenny-s51 · commit 719305c65463 · 2026-04-21T15:58:53.000-04:00
- Replace check_suite trigger with workflow_run for deterministic
  auto-merge firing after Dependency Validation completes
- Use combined status API to cover both GitHub Actions and Prow statuses
- Expand dependency summary to diff all changed lockfiles, not just root
- Discover all package.json files dynamically for override consistency
- Document upstream package exclusion and label coupling between configs

Made-with: Cursor
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -158,6 +158,7 @@ updates:
     open-pull-requests-limit: 5
     target-branch: "main"
     labels:
+      # Keep in sync with exempt-pr-labels in .github/workflows/stale.yml
       - "dependencies"
     ignore:
       - dependency-name: "*"
@@ -171,3 +172,8 @@ updates:
         dependency-type: development
       security-patches:
         applies-to: security-updates
+
+  # Upstream-synced packages (model-registry, notebooks) are intentionally
+  # excluded from Dependabot. Their deps are managed by their upstream repos
+  # and synced in via the upstream-sync workflow. The dependency-validation
+  # workflow still audits them when upstream syncs land.
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
@@ -1,27 +1,32 @@
 name: Dependabot Auto-merge
 
 on:
-  check_suite:
+  # Trigger after the Dependency Validation workflow completes on Dependabot PRs.
+  # Unlike check_suite (which fires per-app and can miss Prow statuses),
+  # workflow_run fires deterministically when the named workflow finishes.
+  workflow_run:
+    workflows: ["Dependency Validation"]
     types:
       - completed
 
 permissions:
   contents: read
   pull-requests: write
+  statuses: read
 
 jobs:
   auto-merge:
     runs-on: ubuntu-latest
     if: >
-      github.event.check_suite.conclusion == 'success' &&
-      github.event.check_suite.app.slug == 'github-actions'
+      github.event.workflow_run.conclusion == 'success' &&
+      github.event.workflow_run.event == 'pull_request'
     steps:
-      - name: Find Dependabot PR from check suite
+      - name: Find Dependabot PR from workflow run
         id: pr
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          HEAD_BRANCH="${{ github.event.check_suite.head_branch }}"
+          HEAD_BRANCH="${{ github.event.workflow_run.head_branch }}"
 
           if [[ ! "$HEAD_BRANCH" =~ ^dependabot/ ]]; then
             echo "Not a Dependabot branch, skipping"
@@ -39,41 +44,28 @@ jobs:
           fi
           echo "number=$PR_NUMBER" >> "$GITHUB_OUTPUT"
 
-      - name: Verify all required checks passed
+      - name: Verify combined commit status
         id: checks
         if: steps.pr.outputs.number
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          HEAD_SHA="${{ github.event.check_suite.head_sha }}"
+          HEAD_SHA="${{ github.event.workflow_run.head_sha }}"
 
-          CHECKS=$(gh api \
-            "repos/${{ github.repository }}/commits/${HEAD_SHA}/check-runs" \
-            --paginate \
-            --jq '.check_runs[] | "\(.name)\t\(.conclusion // "pending")"')
+          # The combined status API merges both check runs (GitHub Actions)
+          # and commit statuses (Prow) into a single verdict.
+          COMBINED=$(gh api "repos/${{ github.repository }}/commits/${HEAD_SHA}/status" \
+            --jq '.state')
 
-          echo "All check runs:"
-          echo "$CHECKS"
+          echo "Combined commit status: $COMBINED"
 
-          READY=true
-
-          # Fail if any check run has explicitly failed or been cancelled
-          FAILED=$(echo "$CHECKS" | grep -E "	(failure|cancelled|timed_out|action_required)$" || true)
-          if [ -n "$FAILED" ]; then
-            echo "Failed checks found:"
-            echo "$FAILED"
-            READY=false
-          fi
-
-          # Fail if any check is still pending
-          PENDING=$(echo "$CHECKS" | grep -E "	(pending|queued|in_progress)$" || true)
-          if [ -n "$PENDING" ]; then
-            echo "Checks still pending:"
-            echo "$PENDING"
-            READY=false
+          if [ "$COMBINED" != "success" ]; then
+            echo "Not all checks/statuses have passed (state=$COMBINED), skipping"
+            echo "ready=false" >> "$GITHUB_OUTPUT"
+            exit 0
           fi
 
-          echo "ready=$READY" >> "$GITHUB_OUTPUT"
+          echo "ready=true" >> "$GITHUB_OUTPUT"
 
       - uses: actions/checkout@v4
         if: steps.checks.outputs.ready == 'true'
diff --git a/.github/workflows/dependency-validation.yml b/.github/workflows/dependency-validation.yml
@@ -133,12 +133,18 @@ jobs:
         run: |
           node -e "
           const fs = require('fs');
-          const paths = ['package.json', 'frontend/package.json', 'backend/package.json'];
+          const path = require('path');
+          const { execSync } = require('child_process');
+
+          const found = execSync(
+            'find . -name package.json -not -path \"*/node_modules/*\" -not -path \"*/base/*\"',
+            { encoding: 'utf8' }
+          ).trim().split('\n').filter(Boolean).map(p => p.replace(/^\.\//, ''));
+
           const overrides = {};
           let hasError = false;
 
-          for (const p of paths) {
-            if (!fs.existsSync(p)) continue;
+          for (const p of found) {
             const pkg = JSON.parse(fs.readFileSync(p, 'utf8'));
             if (!pkg.overrides) continue;
 
@@ -165,15 +171,18 @@ jobs:
             console.error('Override ranges diverge across package.json files.');
             process.exit(1);
           } else {
-            console.log('All shared overrides are consistent.');
+            console.log('All shared overrides are consistent (' + found.length + ' files checked).');
           }
           "
 
   dependency-summary:
+    needs: detect-dirs
     runs-on: ubuntu-latest
     steps:
       - name: Checkout PR head
         uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
 
       - name: Checkout base
         uses: actions/checkout@v4
@@ -183,28 +192,46 @@ jobs:
 
       - name: Generate dependency diff summary
         id: diff
+        env:
+          CHANGED_DIRS: ${{ needs.detect-dirs.outputs.dirs }}
         run: |
           node -e "
           const fs = require('fs');
-          const baseLock = JSON.parse(fs.readFileSync('base/package-lock.json', 'utf8'));
-          const headLock = JSON.parse(fs.readFileSync('package-lock.json', 'utf8'));
+          const path = require('path');
+          const dirs = JSON.parse(process.env.CHANGED_DIRS || '[]');
 
-          const basePkgs = baseLock.packages || {};
-          const headPkgs = headLock.packages || {};
+          const lockfiles = dirs
+            .map(d => d === '.' ? 'package-lock.json' : path.join(d, 'package-lock.json'))
+            .filter(f => fs.existsSync(f) && fs.existsSync(path.join('base', f)));
+
+          if (lockfiles.length === 0) {
+            fs.writeFileSync('dep-summary.md', 'No dependency version changes detected.\n');
+            process.exit(0);
+          }
 
           const changes = [];
-          for (const [name, info] of Object.entries(headPkgs)) {
-            const basePkg = basePkgs[name];
-            if (!basePkg) {
-              changes.push('| \`' + name.replace('node_modules/', '') + '\` | — | ' + info.version + ' | Added |');
-            } else if (basePkg.version !== info.version) {
-              changes.push('| \`' + name.replace('node_modules/', '') + '\` | ' + basePkg.version + ' | ' + info.version + ' | Updated |');
+          for (const lockfile of lockfiles) {
+            const baseLock = JSON.parse(fs.readFileSync(path.join('base', lockfile), 'utf8'));
+            const headLock = JSON.parse(fs.readFileSync(lockfile, 'utf8'));
+            const basePkgs = baseLock.packages || {};
+            const headPkgs = headLock.packages || {};
+            const dir = path.dirname(lockfile);
+            const prefix = dir === '.' ? '' : dir + ': ';
+
+            for (const [name, info] of Object.entries(headPkgs)) {
+              const basePkg = basePkgs[name];
+              const short = prefix + name.replace('node_modules/', '');
+              if (!basePkg) {
+                changes.push('| \`' + short + '\` | — | ' + info.version + ' | Added |');
+              } else if (basePkg.version !== info.version) {
+                changes.push('| \`' + short + '\` | ' + basePkg.version + ' | ' + info.version + ' | Updated |');
+              }
             }
-          }
-          for (const name of Object.keys(basePkgs)) {
-            if (!headPkgs[name]) {
-              const shortName = name.replace('node_modules/', '');
-              changes.push('| \`' + shortName + '\` | ' + basePkgs[name].version + ' | — | Removed |');
+            for (const name of Object.keys(basePkgs)) {
+              if (!headPkgs[name]) {
+                const short = prefix + name.replace('node_modules/', '');
+                changes.push('| \`' + short + '\` | ' + basePkgs[name].version + ' | — | Removed |');
+              }
             }
           }
 
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -28,4 +28,5 @@ jobs:
           stale-pr-message: 'This PR is stale because it has been open 21 days with no activity. Remove stale label or comment or this will be closed in 7 days.'
           close-pr-message: 'This PR was closed because it has been stale for 21+7 days with no activity.'
           stale-pr-label: 'Stale'
+          # Must match the label Dependabot applies in .github/dependabot.yml
           exempt-pr-labels: 'dependencies'
