Daily Autohealing Report — 2026-05-31 (UTC)

[fro-bot]

Daily Autohealing Report — 2026-05-31 (UTC)

Errored PRs

None. Both open PRs are fully green:

• chore(deps): update fro-bot/agent to v0.48.1 #3389 — chore(deps): update fro-bot/agent to v0.47.0 (all checks passing, ready to merge)
• chore(deps): update pnpm to v11.4.0 #3390 — chore(deps): update pnpm to v11.4.0 (all checks passing, awaiting stability-days)

Security

None requiring action. 0 open Dependabot alerts. Three OpenSSF Scorecard meta-findings still open and unchanged across cycles (Fuzzing #7, CII-Best-Practices #5, Branch-Protection #1).

Health & Maintenance

• chore(deps): update fro-bot/agent to v0.48.1 #3389 supersedes yesterday's chore(deps): update fro-bot/agent to v0.46.1 #3385 (merged). Bumps the persona action that runs this very job — same review-gate pattern.
• chore(deps): update pnpm to v11.4.0 #3390 is the Renovate-managed pnpm minor bump. No conflicts with the packageManager pin in package.json.
• Carry-over from Daily Autohealing Report — 2026-05-25 (UTC) #3375 — orphan private wiki entries R_kgDOSVJgdw and R_kgDOSZ9x-w still in metadata/repos.yaml. The Merge Data Branch weekly cron fires tonight (~22:54 UTC, Sunday) — it will fail again with the same [subprocess-threw] diagnosis. Confirmed today by reading the last failure log (run 26390324135): gh api graphql cannot resolve those node IDs because the App lacks access to those private repos. No autoheal possible without re-onboarding or removal.

Developer Experience

None. Local validation green against main:

• pnpm run lint — clean
• pnpm run check-types — clean
• pnpm test — 22 files / 644 passed + 3 todo in ~3.2s

Needs Human Attention

• chore(deps): update fro-bot/agent to v0.48.1 #3389 — fro-bot/agent@v0.47.0 (persona action driving this run); all checks green, ready to merge.
• chore(deps): update pnpm to v11.4.0 #3390 — pnpm@v11.4.0 minor bump; green pending stability-days window.
• Carry-overs from Daily Autohealing Report — 2026-05-25 (UTC) #3375, now 144 hours / 6 days old. Tonight's Sunday Merge Data Branch is the next failure window:
  • Re-onboard or remove R_kgDOSVJgdw and R_kgDOSZ9x-w from metadata/repos.yaml before ~22:54 UTC, or the cron fails for a third weekend in a row.
  • Optional: tighten scripts/check-wiki-private-presence.ts failure messaging — [subprocess-threw] here is technically correct (subprocess threw on access-denied), but gh api exit-code triage would let operators distinguish access-revoked from rate-limit/network.
• OpenSSF Scorecard alerts (Fuzzing Update peter-murray/workflow-application-token-action to v2 #7, CII-Best-Practices feat: add Renovate workflow for dependency auto-updates #5, Branch-Protection feat: set default settings #1) — unchanged across many cycles. Implement or dismiss.