ci: add Dependabot and automated dependency updates [ENG-11704]

[ryoppippi]

Summary

• Add Dependabot config for npm and GitHub Actions (weekly, minor/patch grouped)
• Add auto-merge workflow for Dependabot PRs (minor/patch only)
• Add scheduled Nix flake update workflow with auto-merge

Test plan

• Verify Dependabot picks up the config
• Test auto-merge workflow triggers on Dependabot PR
• Manually trigger Nix flake update workflow

---

Summary by cubic

Automates dependency updates for npm, GitHub Actions, and Nix flake inputs, with safe auto-merge for minor/patch changes. This keeps dependencies current and reduces manual work.

• Dependencies
  • Dependabot: weekly npm and Actions updates; npm groups minor/patch and ignores majors; Actions updates are grouped.
  • Auto-merge: enables on Dependabot PRs after CI passes; minor/patch only and respects branch protection wait.
  • Nix flake: weekly flake.lock update, opens a PR, and auto-merges when checks pass.

^{Written for commit a58e5bb. Summary will update automatically on new commits.}

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/StackOneHQ/stackone-ai-node/@stackone/ai@262

commit: a58e5bb

[Copilot]

Pull request overview

This PR adds automated dependency management through Dependabot configuration and two auto-merge workflows for handling npm/GitHub Actions updates and Nix flake updates.

• Configures Dependabot for weekly npm and GitHub Actions updates with grouping of minor/patch versions
• Adds auto-merge workflow for Dependabot PRs (minor/patch only) that waits for CI
• Adds scheduled workflow to update Nix flake inputs weekly with auto-merge enabled

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

File	Description
.github/dependabot.yaml	Configures Dependabot for npm and GitHub Actions with weekly schedules, grouping strategies, and major version ignoring
.github/workflows/dependabot-auto-merge.yaml	Workflow to automatically merge Dependabot PRs for minor/patch updates after CI passes
.github/workflows/nix-flake-update.yaml	Scheduled workflow to update Nix flake inputs weekly and create auto-merge PRs

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Using @main as the version reference is not recommended for GitHub Actions. This can lead to unexpected breaking changes when the action is updated. Consider pinning to a specific version tag or commit SHA for better stability and reproducibility.

Suggested change

	uses: ./.github/actions/setup-nix
	uses: DeterminateSystems/nix-installer-action@v12

[Copilot]

The auto-merge will execute immediately if a PR is created, but the comment on line 45 states there's a "3-day waiting period (configured in branch protection rules)". However, the workflow doesn't enforce this delay - it just enables auto-merge which will merge as soon as CI passes. If a 3-day delay is required, it should be implemented in the workflow itself (e.g., checking the PR age before enabling auto-merge), or the comment should be updated to reflect the actual behavior that depends entirely on branch protection configuration.

[Copilot]

The workflow enables auto-merge for the Nix flake update PR without any checks or conditions. Unlike the Dependabot auto-merge workflow which waits for CI to pass, this workflow immediately enables auto-merge right after creating the PR. Consider adding a wait-on-check step similar to the Dependabot workflow to ensure CI passes before enabling auto-merge.

Suggested change

	- name: Wait for CI checks to pass
	if: steps.create-pr.outputs.pull-request-number
	uses: actions/github-script@v7
	with:
	github-token: ${{ secrets.GITHUB_TOKEN }}
	script: |
	const prNumber = parseInt('${{ steps.create-pr.outputs.pull-request-number }}', 10);
	// Get the PR to find the head SHA to check statuses on
	const { data: pr } = await github.rest.pulls.get({
	owner: context.repo.owner,
	repo: context.repo.repo,
	pull_number: prNumber,
	});
	const ref = pr.head.sha;
	const timeoutMinutes = 60;
	const intervalSeconds = 30;
	const timeoutAt = Date.now() + timeoutMinutes * 60 * 1000;
	async function getCombinedStatus() {
	const { data } = await github.rest.repos.getCombinedStatusForRef({
	owner: context.repo.owner,
	repo: context.repo.repo,
	ref,
	});
	core.info(`Current combined status for ${ref}: ${data.state}`);
	return data.state;
	}
	let state = await getCombinedStatus();
	while (state === 'pending') {
	if (Date.now() > timeoutAt) {
	core.setFailed(
	`CI checks did not complete within ${timeoutMinutes} minutes (last combined status: ${state})`,
	);
	return;
	}
	await new Promise((resolve) => setTimeout(resolve, intervalSeconds * 1000));
	state = await getCombinedStatus();
	}
	if (state !== 'success') {
	core.setFailed(`CI checks did not pass. Final combined status: ${state}`);
	}

[Copilot]

The update-types ignore pattern uses 'version-update:semver-major' format, but this doesn't match the format that Dependabot expects in the ignore section. According to Dependabot documentation, the ignore section should use 'major' instead of 'version-update:semver-major'. The correct format should be just 'major' in the update-types list under ignore.

Suggested change

	- version-update:semver-major
	- major

[cubic-dev-ai]

3 issues found across 3 files

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name=".github/workflows/nix-flake-update.yaml">

<violation number="1" location=".github/workflows/nix-flake-update.yaml:20">
P1: Rule violated: **Flag Security Vulnerabilities**

Using `@main` for GitHub Actions is a supply chain security risk. The `main` branch is mutable and could be modified by the upstream repository owner or an attacker who compromises the repository. Pin this action to a specific commit SHA or at minimum a version tag (e.g., `@v1`) to prevent potential supply chain attacks.</violation>
</file>

<file name=".github/workflows/dependabot-auto-merge.yaml">

<violation number="1" location=".github/workflows/dependabot-auto-merge.yaml:26">
P2: Pin third-party action to commit SHA instead of version tag. This workflow has write permissions and auto-merges PRs, making it a supply chain attack target. Consider using the full commit SHA (e.g., `lewagon/wait-on-check-action@ccfb013c15c8afb7bf2b7c028fb74dc5f8571c93`) to prevent tag-based attacks.</violation>
</file>

<file name=".github/dependabot.yaml">

<violation number="1" location=".github/dependabot.yaml:45">
P2: GitHub Actions groups configuration is missing `update-types` filter and `ignore` block for major versions. Unlike the npm config which limits to minor/patch updates, this will group ALL update types including major versions together, potentially causing breaking changes to be auto-merged.</violation>
</file>

_{Reply to cubic to teach it or ask questions. Re-run a review with @cubic-dev-ai review this PR}

[cubic-dev-ai]

P1: Rule violated: Flag Security Vulnerabilities

Using @main for GitHub Actions is a supply chain security risk. The main branch is mutable and could be modified by the upstream repository owner or an attacker who compromises the repository. Pin this action to a specific commit SHA or at minimum a version tag (e.g., @v1) to prevent potential supply chain attacks.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/nix-flake-update.yaml, line 20:

<comment>Using `@main` for GitHub Actions is a supply chain security risk. The `main` branch is mutable and could be modified by the upstream repository owner or an attacker who compromises the repository. Pin this action to a specific commit SHA or at minimum a version tag (e.g., `@v1`) to prevent potential supply chain attacks.</comment>

<file context>
@@ -0,0 +1,63 @@
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@main
+
</file context>

[cubic-dev-ai]

P2: Pin third-party action to commit SHA instead of version tag. This workflow has write permissions and auto-merges PRs, making it a supply chain attack target. Consider using the full commit SHA (e.g., lewagon/wait-on-check-action@ccfb013c15c8afb7bf2b7c028fb74dc5f8571c93) to prevent tag-based attacks.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/dependabot-auto-merge.yaml, line 26:

<comment>Pin third-party action to commit SHA instead of version tag. This workflow has write permissions and auto-merges PRs, making it a supply chain attack target. Consider using the full commit SHA (e.g., `lewagon/wait-on-check-action@ccfb013c15c8afb7bf2b7c028fb74dc5f8571c93`) to prevent tag-based attacks.</comment>

<file context>
@@ -0,0 +1,48 @@
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Wait for CI to pass
+        uses: lewagon/wait-on-check-action@v1.3.4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
</file context>

[cubic-dev-ai]

P2: GitHub Actions groups configuration is missing update-types filter and ignore block for major versions. Unlike the npm config which limits to minor/patch updates, this will group ALL update types including major versions together, potentially causing breaking changes to be auto-merged.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At .github/dependabot.yaml, line 45:

<comment>GitHub Actions groups configuration is missing `update-types` filter and `ignore` block for major versions. Unlike the npm config which limits to minor/patch updates, this will group ALL update types including major versions together, potentially causing breaking changes to be auto-merged.</comment>

<file context>
@@ -0,0 +1,47 @@
+      - dependencies
+      - ci
+    groups:
+      actions:
+        patterns:
+          - &#39;*&#39;
</file context>