eventjet · MidnightDesign · Apr 9, 2026 · Apr 7, 2026 · Apr 7, 2026 · Apr 7, 2026
diff --git a/.github/workflows/check-dependabot-fix.yml b/.github/workflows/check-dependabot-fix.yml
@@ -0,0 +1,56 @@
+# Checks weekly whether the upstream Dependabot issue for pnpm lockfileVersion
+# 9.0 support has been resolved. Creates a repo issue (assigned to @MidnightDesign)
+# when it detects the fix, so we remember to remove the workaround.
+#
+# Related: https://github.com/dependabot/dependabot-core/issues/13920
+# Remove this workflow together with dependabot-lockfile.yml once the issue is resolved.
+
+name: Check Dependabot pnpm Fix
+
+on:
+  schedule:
+    - cron: "0 9 * * 1" # Every Monday at 9:00 UTC
+
+permissions:
+  issues: write
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check if upstream issue is resolved
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -euo pipefail
+          state=$(GH_TOKEN= gh issue view 13920 --repo dependabot/dependabot-core --json state --jq '.state')
+          if [ "$state" = "OPEN" ]; then
+            echo "Upstream issue is still open, nothing to do."
+            exit 0
+          fi
+
+          echo "Upstream issue is no longer open (state: $state)."
+
+          existing=$(gh issue list --repo "${{ github.repository }}" --state open --search "Remove Dependabot lockfile workaround" --json number --jq 'length')
+          if [ "$existing" != "0" ]; then
+            echo "Reminder issue already exists, skipping."
+            exit 0
+          fi
+
+          body_file=$(mktemp)
+          printf '%s\n' \
+            'dependabot/dependabot-core#13920 has been resolved.' \
+            '' \
+            'The lockfile regeneration workaround is no longer needed. Remove:' \
+            '- `.github/workflows/dependabot-lockfile.yml`' \
+            '- `.github/workflows/check-dependabot-fix.yml`' \
+            '' \
+            'Then verify that Dependabot PRs correctly update `pnpm-lock.yaml` on their own.' \
+            > "$body_file"
+
+          gh issue create --repo "${{ github.repository }}" \
+            --assignee MidnightDesign \
+            --title "Remove Dependabot lockfile workaround" \
+            --body-file "$body_file"
+
+          echo "Created reminder issue."
diff --git a/.github/workflows/dependabot-lockfile.yml b/.github/workflows/dependabot-lockfile.yml
@@ -0,0 +1,45 @@
+# Workaround for https://github.com/dependabot/dependabot-core/issues/13920
+# Dependabot can't parse pnpm lockfileVersion 9.0, so it updates package.json
+# but not pnpm-lock.yaml. This workflow regenerates the lockfile and commits it.
+#
+# Remove this workflow once the upstream issue is resolved.
+
+name: Fix Dependabot Lockfile
+
+on:
+  pull_request:
+    branches: [master]
+
+permissions:
+  contents: write
+
+jobs:
+  fix-lockfile:
+    if: github.event.pull_request.user.login == 'dependabot[bot]'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          ref: ${{ github.head_ref }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - uses: pnpm/action-setup@v5
+        with:
+          version: 9
+
+      - uses: actions/setup-node@v6
+        with:
+          node-version: "20"
+          cache: pnpm
+
+      - run: pnpm install --lockfile-only --no-frozen-lockfile
+
+      - name: Commit updated lockfile
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git add pnpm-lock.yaml
+          if ! git diff --cached --quiet; then
+            git commit -m "chore: update pnpm-lock.yaml"
+            git push origin HEAD:${{ github.head_ref }}
+          fi