From 47bf1316b5283109846ffa768293b4ac3eb36ef4 Mon Sep 17 00:00:00 2001
From: Rudolph Gottesheim
Date: Tue, 7 Apr 2026 09:13:01 +0200
Subject: [PATCH 1/6] fix: work around Dependabot not supporting pnpm lockfileVersion 9.0

Dependabot can't parse pnpm-lock.yaml with lockfileVersion 9.0 (dependabot/dependabot-core#13920), so it updates package.json but not the lockfile, causing CI to fail on --frozen-lockfile. Add a workflow that regenerates pnpm-lock.yaml on Dependabot PRs, and a weekly check that creates a reminder issue once the upstream bug is resolved.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/check-dependabot-fix.yml | 50 ++++++++++++++++++++++
 .github/workflows/dependabot-lockfile.yml | 43 +++++++++++++++++++
 2 files changed, 93 insertions(+)
 create mode 100644 .github/workflows/check-dependabot-fix.yml
 create mode 100644 .github/workflows/dependabot-lockfile.yml

diff --git a/.github/workflows/check-dependabot-fix.yml b/.github/workflows/check-dependabot-fix.yml
new file mode 100644
index 0000000..ef7a167
--- /dev/null
+++ b/.github/workflows/check-dependabot-fix.yml
@@ -0,0 +1,50 @@
+# Checks weekly whether the upstream Dependabot issue for pnpm lockfileVersion
+# 9.0 support has been resolved. Creates a repo issue (assigned to @MidnightDesign)
+# when it detects the fix, so we remember to remove the workaround.
+#
+# Related: https://github.com/dependabot/dependabot-core/issues/13920
+# Remove this workflow together with dependabot-lockfile.yml once the issue is resolved.
+
+name: Check Dependabot pnpm Fix
+
+on:
+ schedule:
+ - cron: "0 9 * * 1" # Every Monday at 9:00 UTC
+
+jobs:
+ check:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check if upstream issue is resolved
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ state=$(gh issue view 13920 --repo dependabot/dependabot-core --json state --jq '.state')
+ if [ "$state" = "OPEN" ]; then
+ echo "Upstream issue is still open, nothing to do."
+ exit 0
+ fi
+
+ echo "Upstream issue is no longer open (state: $state)."
+
+ existing=$(gh issue list --repo "${{ github.repository }}" --search "Remove Dependabot lockfile workaround" --json number --jq 'length')
+ if [ "$existing" != "0" ]; then
+ echo "Reminder issue already exists, skipping."
+ exit 0
+ fi
+
+ gh issue create --repo "${{ github.repository }}" \
+ --assignee MidnightDesign \
+ --title "Remove Dependabot lockfile workaround" \
+ --body "$(cat <<'EOF'
+ dependabot/dependabot-core#13920 has been resolved.
+
+ The lockfile regeneration workaround is no longer needed. Remove:
+ - `.github/workflows/dependabot-lockfile.yml`
+ - `.github/workflows/check-dependabot-fix.yml`
+
+ Then verify that Dependabot PRs correctly update `pnpm-lock.yaml` on their own.
+ EOF
+ )"
+
+ echo "Created reminder issue."
diff --git a/.github/workflows/dependabot-lockfile.yml b/.github/workflows/dependabot-lockfile.yml
new file mode 100644
index 0000000..cd4d1be
--- /dev/null
+++ b/.github/workflows/dependabot-lockfile.yml
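Review bot: The test `if [ "$state" = "OPEN" ]` in the new run: block treats every non-OPEN state as "fixed", but upstream issues are also closed as duplicates or not-planned, and that would file a reminder to remove a workaround that is still needed. If the runner's gh exposes the issue's `stateReason` field, gating on it is more precise: `reason=$(gh issue view 13920 --repo dependabot/dependabot-core --json stateReason --jq '.stateReason')` followed by `if [ "$reason" != "COMPLETED" ]; then`, keeping the existing early exit. A one-line comment above the check saying why CLOSED alone is not enough would stop the next reader from simplifying it back.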
@@ -0,0 +1,43 @@
+# Workaround for https://github.com/dependabot/dependabot-core/issues/13920
+# Dependabot can't parse pnpm lockfileVersion 9.0, so it updates package.json
+# but not pnpm-lock.yaml. This workflow regenerates the lockfile and commits it.
+#
+# Remove this workflow once the upstream issue is resolved.
+
+name: Fix Dependabot Lockfile
+
+on:
+ pull_request:
+ branches: [master]
+
+permissions:
+ contents: write
+
+jobs:
+ fix-lockfile:
+ if: github.actor == 'dependabot[bot]'
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v6
+ with:
+ ref: ${{ github.head_ref }}
+ token: ${{ secrets.GITHUB_TOKEN }}
+
+ - uses: pnpm/action-setup@v5
+ with:
+ version: 9
+
+ - uses: actions/setup-node@v6
+ with:
+ node-version: "20"
+ cache: pnpm
+
+ - run: pnpm install --no-frozen-lockfile
+
+ - name: Commit updated lockfile
+ run: |
+ git config user.name "github-actions[bot]"
+ git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+ git add pnpm-lock.yaml
+ git diff --cached --quiet || git commit -m "chore: update pnpm-lock.yaml"
+ git push
From 668368830d203d421d839a5457bedb31e9d4e272 Mon Sep 17 00:00:00 2001
From: Rudolph Gottesheim
Date: Tue, 7 Apr 2026 09:21:37 +0200
Subject: [PATCH 2/6] fix: address review feedback on Dependabot workaround workflows

- Add `issues: write` permission to the check workflow so `gh issue create` works on scheduled runs
- Filter duplicate check to open issues only (`--state open`)
- Use `pnpm install --lockfile-only` to avoid executing dependency lifecycle scripts
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/check-dependabot-fix.yml | 5 ++++-
 .github/workflows/dependabot-lockfile.yml | 2 +-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/check-dependabot-fix.yml b/.github/workflows/check-dependabot-fix.yml
index ef7a167..026b700 100644
--- a/.github/workflows/check-dependabot-fix.yml
+++ b/.github/workflows/check-dependabot-fix.yml
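Review bot: The final `git push` authenticates with the checkout's `GITHUB_TOKEN`, and pushes made with that token do not start new workflow runs, so the `--frozen-lockfile` CI job this workaround exists to satisfy will not re-run on the lockfile commit and the PR keeps its failed check until someone re-triggers it; if automatic re-validation is the goal, the push needs a GitHub App or deploy-key credential instead. Separately, `actions/checkout` persists that write-capable token in `.git/config` by default, where anything executed by the following `pnpm install --no-frozen-lockfile` (which in this revision still runs dependency lifecycle scripts) can read it; `persist-credentials: false` on the checkout step, with the credential supplied only to the push step, keeps the token out of the install phase. `pnpm/action-setup@v5` is a mutable tag on a third-party action, and pinning to a full commit SHA is the usual supply-chain hardening. The header comment should also record that the `pull_request` trigger gives fork PRs a read-only token, which is why `contents: write` is only ever exercised for Dependabot's same-repo branches.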
@@ -11,6 +11,9 @@ on:
 schedule:
 - cron: "0 9 * * 1" # Every Monday at 9:00 UTC
 
+permissions:
+ issues: write
+
 jobs:
 check:
 runs-on: ubuntu-latest
@@ -27,7 +30,7 @@ jobs:
 
 echo "Upstream issue is no longer open (state: $state)."
 
- existing=$(gh issue list --repo "${{ github.repository }}" --search "Remove Dependabot lockfile workaround" --json number --jq 'length')
+ existing=$(gh issue list --repo "${{ github.repository }}" --state open --search "Remove Dependabot lockfile workaround" --json number --jq 'length')
 if [ "$existing" != "0" ]; then
 echo "Reminder issue already exists, skipping."
 exit 0
diff --git a/.github/workflows/dependabot-lockfile.yml b/.github/workflows/dependabot-lockfile.yml
index cd4d1be..7ff5dea 100644
--- a/.github/workflows/dependabot-lockfile.yml
+++ b/.github/workflows/dependabot-lockfile.yml
@@ -32,7 +32,7 @@ jobs:
 node-version: "20"
 cache: pnpm
 
- - run: pnpm install --no-frozen-lockfile
+ - run: pnpm install --lockfile-only --no-frozen-lockfile
 
 - name: Commit updated lockfile
 run: |
From c4aebac18df5fa9a88bc5d5d9942ff551d6ec4ee Mon Sep 17 00:00:00 2001
From: Rudolph Gottesheim
Date: Tue, 7 Apr 2026 09:29:16 +0200
Subject: [PATCH 3/6] fix: use PR author check and fix issue body indentation

- Check `github.event.pull_request.user.login` instead of `github.actor` so the workflow runs reliably even if a maintainer pushes to the branch
- Use printf to build the issue body without leading whitespace
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/check-dependabot-fix.yml | 22 ++++++++++++----------
 .github/workflows/dependabot-lockfile.yml | 2 +-
 2 files changed, 13 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/check-dependabot-fix.yml b/.github/workflows/check-dependabot-fix.yml
index 026b700..810e9d9 100644
--- a/.github/workflows/check-dependabot-fix.yml
+++ b/.github/workflows/check-dependabot-fix.yml
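Review bot: `--search "Remove Dependabot lockfile workaround"` on the changed `existing=` line is a free-text search over titles and bodies, so any open issue that merely quotes that phrase (a discussion of this workflow, say) suppresses the reminder, and with the new `--state open` a reminder that was closed without the workaround being removed is simply filed again the following week. Restricting the match to the title, `--search 'in:title "Remove Dependabot lockfile workaround"'`, or giving the created issue a dedicated label and listing by `--label`, makes the dedup deterministic. Whether a prematurely closed reminder should be re-filed is a policy choice worth a one-line comment above the check.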
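Review bot: The changed `run:` step has no `name:`, and `--lockfile-only` is the load-bearing flag here (it is what keeps dependency code from executing in a job that holds a write token), so the step should say so: `- name: Regenerate lockfile without installing packages`. As far as I know this mode writes `pnpm-lock.yaml` from registry metadata without populating `node_modules`, which would make the `cache: pnpm` setting on the `setup-node` step two lines above (outside this hunk) restore and save a store this job never uses; harmless, but worth removing or commenting so nobody assumes packages are fetched.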
@@ -36,18 +36,20 @@ jobs:
 exit 0
 fi
 
+ body_file=$(mktemp)
+ printf '%s\n' \
+ 'dependabot/dependabot-core#13920 has been resolved.' \
+ '' \
+ 'The lockfile regeneration workaround is no longer needed. Remove:' \
+ '- `.github/workflows/dependabot-lockfile.yml`' \
+ '- `.github/workflows/check-dependabot-fix.yml`' \
+ '' \
+ 'Then verify that Dependabot PRs correctly update `pnpm-lock.yaml` on their own.' \
+ > "$body_file"
+
 gh issue create --repo "${{ github.repository }}" \
 --assignee MidnightDesign \
 --title "Remove Dependabot lockfile workaround" \
- --body "$(cat <<'EOF'
- dependabot/dependabot-core#13920 has been resolved.
-
- The lockfile regeneration workaround is no longer needed. Remove:
- - `.github/workflows/dependabot-lockfile.yml`
- - `.github/workflows/check-dependabot-fix.yml`
-
- Then verify that Dependabot PRs correctly update `pnpm-lock.yaml` on their own.
- EOF
- )"
+ --body-file "$body_file"
 
 echo "Created reminder issue."
diff --git a/.github/workflows/dependabot-lockfile.yml b/.github/workflows/dependabot-lockfile.yml
index 7ff5dea..e482c72 100644
--- a/.github/workflows/dependabot-lockfile.yml
+++ b/.github/workflows/dependabot-lockfile.yml
@@ -15,7 +15,7 @@ permissions:
 
 jobs:
 fix-lockfile:
- if: github.actor == 'dependabot[bot]'
+ if: github.event.pull_request.user.login == 'dependabot[bot]'
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v6
From 57034db0fddd258bafaeb62c540b796e600fa954 Mon Sep 17 00:00:00 2001
From: Rudolph Gottesheim
Date: Tue, 7 Apr 2026 09:37:38 +0200
Subject: [PATCH 4/6] fix: use unauthenticated request for cross-repo issue check

Unset GH_TOKEN when querying the upstream dependabot-core issue so it uses an unauthenticated public API request instead of the repo-scoped GITHUB_TOKEN.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/check-dependabot-fix.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
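Review bot: The new `if:` condition gates on the PR author rather than the triggering actor, but the reason (the commit message's "runs reliably even if a maintainer pushes to the branch") is nowhere in the file, and the next reader is likely to "fix" it back to `github.actor`. Add a comment directly above the condition: `# Gate on the PR author, not github.actor, so the job also runs when a maintainer pushes to a Dependabot branch.` It is worth stating there as well that this is safe because the `pull_request` trigger hands fork PRs a read-only token regardless of the `permissions:` block above (outside this hunk), so the write scope only ever applies to Dependabot's same-repo branches.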
diff --git a/.github/workflows/check-dependabot-fix.yml b/.github/workflows/check-dependabot-fix.yml
index 810e9d9..916a988 100644
--- a/.github/workflows/check-dependabot-fix.yml
+++ b/.github/workflows/check-dependabot-fix.yml
@@ -22,7 +22,7 @@ jobs:
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
- state=$(gh issue view 13920 --repo dependabot/dependabot-core --json state --jq '.state')
+ state=$(GH_TOKEN= gh issue view 13920 --repo dependabot/dependabot-core --json state --jq '.state')
 if [ "$state" = "OPEN" ]; then
 echo "Upstream issue is still open, nothing to do."
 exit 0
From 229b77ede53e2ec4898ae5eccecbf70ea4f689bc Mon Sep 17 00:00:00 2001
From: Rudolph Gottesheim
Date: Tue, 7 Apr 2026 09:45:09 +0200
Subject: [PATCH 5/6] fix: use explicit push target and skip push when no changes

Push to `origin HEAD:` explicitly instead of relying on upstream tracking, and only push when a commit was actually created.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/dependabot-lockfile.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/dependabot-lockfile.yml b/.github/workflows/dependabot-lockfile.yml
index e482c72..1fdca7f 100644
--- a/.github/workflows/dependabot-lockfile.yml
+++ b/.github/workflows/dependabot-lockfile.yml
@@ -39,5 +39,7 @@ jobs:
 git config user.name "github-actions[bot]"
 git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
 git add pnpm-lock.yaml
- git diff --cached --quiet || git commit -m "chore: update pnpm-lock.yaml"
- git push
+ if ! git diff --cached --quiet; then
+ git commit -m "chore: update pnpm-lock.yaml"
+ git push origin HEAD:${{ github.head_ref }}
+ fi
From 169cf945a426234192a3b1b96d7a5e0cc8f443b8 Mon Sep 17 00:00:00 2001
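Review bot: `GH_TOKEN= gh issue view …` on the changed line clears the only credential gh has, and as far as I know gh refuses to run repository commands with no token at all ("To get started with GitHub CLI, please run: gh auth login"); even where a call does go through, unauthenticated requests share the low per-IP rate limit of the hosted runner pool. In this revision a failed lookup leaves `$state` empty, which is not "OPEN", so the script proceeds to file the reminder — the exact false positive the job is meant to avoid (the later `set -euo pipefail` commit turns that into a failed run, which is better, but the check still cannot succeed if gh needs a token). The repo-scoped `GITHUB_TOKEN` should be able to read public issues on other repositories, and `permissions: issues: write` already bounds what it can do, so reverting to the previous line with a comment such as `# GITHUB_TOKEN is used for the cross-repo read too: gh needs a token and authenticated calls avoid the per-IP rate limit` is the safer choice.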
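Review bot: `git push origin HEAD:${{ github.head_ref }}` interpolates a branch name into the shell script at workflow-parse time, which is the expression-injection pattern GitHub's hardening guide flags for `run:` steps; the `if:` gate limits this job to Dependabot-authored PRs, so the exposure is low today, but the safe form costs nothing: set `env: HEAD_REF: ${{ github.head_ref }}` on the step and push with `git push origin "HEAD:$HEAD_REF"`. The `if ! git diff --cached --quiet` guard is a good change; since any non-zero exit (not only "there are staged changes") takes the commit-and-push path, a comment `# non-zero exit means staged changes exist` records the intent.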
From: Rudolph Gottesheim
Date: Tue, 7 Apr 2026 10:10:33 +0200
Subject: [PATCH 6/6] fix: add strict mode to upstream issue check script

Prevent false reminder issues when the upstream API call fails by adding `set -euo pipefail`.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/check-dependabot-fix.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/check-dependabot-fix.yml b/.github/workflows/check-dependabot-fix.yml
index 916a988..99d2876 100644
--- a/.github/workflows/check-dependabot-fix.yml
+++ b/.github/workflows/check-dependabot-fix.yml
@@ -22,6 +22,7 @@ jobs:
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
+ set -euo pipefail
 state=$(GH_TOKEN= gh issue view 13920 --repo dependabot/dependabot-core --json state --jq '.state')
 if [ "$state" = "OPEN" ]; then
 echo "Upstream issue is still open, nothing to do."
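Review bot: The added `set -euo pipefail` correctly makes a failed upstream lookup abort before anything is created, but it also means every transient API failure or rate-limit hit now surfaces as a failed scheduled run, and nothing in the file (its header comment sits outside this hunk) tells the person reading the failure notification that "failed" means "could not check", not "still open". Add to the header: `# A failed run means the upstream lookup failed (API error / rate limit), not that the issue is still open; just re-run it.` The header should also record that GitHub disables `schedule` workflows in public repositories after 60 days without repository activity, so in a quiet repo this reminder can silently stop running and has to be re-enabled by hand.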