15 changes: 15 additions & 0 deletions .github/dependabot.yml
@@ -1,14 +1,29 @@
version: 2
updates:
# GitHub Actions — low risk; bundle all bumps into one PR.
- package-ecosystem: github-actions
directory: /
schedule:
interval: weekly
groups:
actions:
patterns: ["*"]

# Server npm deps. Group safe minor+patch bumps into a single PR (auto-merged
# once CI is green); majors come as individual PRs for manual review.
- package-ecosystem: npm
directory: /server
schedule:
interval: weekly
groups:
server-minor-patch:
update-types: ["minor", "patch"]

# Client npm deps — same grouping strategy.
- package-ecosystem: npm
directory: /client
schedule:
interval: weekly
groups:
client-minor-patch:
update-types: ["minor", "patch"]
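Review bot: The `server-minor-patch` and `client-minor-patch` groups feed PRs that, per the comment above the server entry, are auto-merged once CI is green, yet neither npm entry sets a waiting period. A freshly published minor or patch release can therefore land on main with no human review and only the scrutiny CI provides. Dependabot's `cooldown` option would hold version updates back until a release has aged, for example `cooldown:` with a `default-days:` value of a few days under each npm entry. The comment should also state that the grouping assumes the branch-protection rule requiring CI is in place, since auto-merge depends on it.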
4 changes: 4 additions & 0 deletions .github/workflows/ci.yml
@@ -3,6 +3,10 @@ name: CI
on:
push:
branches: [main]
# Validate PRs (incl. Dependabot) before merge — but NOT arbitrary branch
# pushes, so only main and PRs targeting it run CI.
pull_request:
branches: [main]

jobs:
server:
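--- /dev/null
+++ b/.github/workflows/dependabot-auto-merge.yml
@@ -0,0 +1,31 @@
+name: Dependabot auto-merge
+
+# Automatically enable auto-merge for Dependabot patch/minor updates so they
+# land without manual clicks once CI is green. Major bumps are left for manual
+# review. Requires the repo setting "Allow auto-merge" to be enabled, and a
+# branch-protection rule on main that requires the CI checks (so auto-merge
+# actually waits for them).
+
+on: pull_request_target
+
+permissions:
+contents: write
+pull-requests: write
+
+jobs:
+auto-merge:
+if: github.actor == 'dependabot[bot]'
+runs-on: ubuntu-latest
+steps:
+- name: Fetch Dependabot metadata
+id: meta
+uses: dependabot/fetch-metadata@v2
+with:
+github-token: ${{ secrets.GITHUB_TOKEN }}
+
+- name: Enable auto-merge for patch/minor updates
+if: steps.meta.outputs.update-type == 'version-update:semver-patch' || steps.meta.outputs.update-type == 'version-update:semver-minor'
+run: gh pr merge --auto --squash "$PR_URL" || echo "Auto-merge not enabled — turn on 'Allow auto-merge' in repo settings."
+env:
+PR_URL: ${{ github.event.pull_request.html_url }}
+GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}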
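Review bot: The job gate `if: github.actor == 'dependabot[bot]'` checks who triggered the run rather than who authored the pull request, and this workflow runs on `pull_request_target` with `contents: write` and `pull-requests: write`. Gate on the PR author instead, `if: github.event.pull_request.user.login == 'dependabot[bot]'`, so the write-scoped token is only used for PRs Dependabot opened. `dependabot/fetch-metadata@v2` is a mutable tag that receives that token; pin it to a full commit SHA, as in `uses: dependabot/fetch-metadata@<full-commit-sha> # v2`. The `|| echo …` on the merge step turns every `gh pr merge` failure into a green run, so a permission or API error would read as the "Allow auto-merge" hint. Consider letting the step fail, or printing the real error.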
2 changes: 1 addition & 1 deletion .github/workflows/release.yml
@@ -63,7 +63,7 @@ jobs:
# arm64 binaries crashed with "uncaught target signal 4 (Illegal
# instruction)", which core-dumped and left the build hung. A current
# QEMU emulates the new userspace correctly.
- uses: docker/setup-qemu-action@v3
- uses: docker/setup-qemu-action@v4
with:
image: tonistiigi/binfmt:qemu-v10.2.3
- uses: docker/setup-buildx-action@v4
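--- /dev/null
+++ b/client/.npmrc
@@ -0,0 +1,5 @@
+# @vitejs/plugin-react 6 pulls a Babel/rolldown chain with conflicting transitive
+# peer ranges (@babel/core 7 vs 8). It's harmless at build time, but npm's strict
+# peer resolver errors on it. Relax it here so `npm ci` (local + CI) installs the
+# locked tree cleanly.
+legacy-peer-deps=true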
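Review bot: `legacy-peer-deps=true` switches off peer-dependency conflict errors for every package in the client, not only the @vitejs/plugin-react chain the comment names. A later update with a genuine peer mismatch would then install without complaint. That matters more here because the same change groups /client minor and patch bumps for auto-merge, leaving CI as the only check on those installs. If possible, scope the workaround with an `overrides` entry for the conflicting `@babel/core` range in the client's package.json. Otherwise add a removal condition to the comment, such as `# Remove once @vitejs/plugin-react's peer ranges resolve under npm's strict resolver.`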