
chore(deps): update jsdom to v28 - autoclosed #1506


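# Automation for Dependabot pull requests: run the shared test suite, audit the
# dependency tree, then approve and auto-merge minor/patch bumps, and leave a
# comment asking for manual review on major bumps.
name: Dependabot Automation

on:
  pull_request:
    branches: [main]

# Only one dependabot run per PR at a time
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
  cancel-in-progress: true

permissions:
  contents: write # Required for auto-merge functionality
  pull-requests: write # Required for approving and merging PRs

jobs:
  # Run test suite first to validate dependency changes
  test:
    name: Validate Dependency Updates
    uses: ./.github/workflows/test-suite.yml
    if: ${{ github.actor == 'dependabot[bot]' }}
    with:
      runner: 'arc-happyvertical'
      node-version: '24'

  # Handle dependabot-specific automation after tests pass
  dependabot:
    runs-on: arc-happyvertical
    needs: [test]
    # `needs.test.outputs.success` is produced by the reusable test-suite
    # workflow; this job is skipped unless it reports 'true'.
    if: |
      github.actor == 'dependabot[bot]' &&
      needs.test.outputs.success == 'true'
    steps:
      - name: Checkout repository
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          # The `pnpm install` step below pulls in the updated dependency
          # tree; do not leave the job token in .git/config for it to read.
          persist-credentials: false

      - name: Validate security requirements
        # Secrets are passed through env rather than expanded into the script.
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          if [ -z "$GITHUB_TOKEN" ]; then
            echo "::error::GITHUB_TOKEN is not available"
            exit 1
          fi
          echo "✅ Security requirements validated"
          echo "::notice::Processing dependabot PR with enhanced security checks"

      - name: Setup pnpm
        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4
        with:
          run_install: false

      - name: Configure pnpm store directory
        shell: bash
        run: |
          store_root="${PNPM_STORE_DIR:-$HOME/.local/share/pnpm/store}"
          mkdir -p "$store_root"
          pnpm config set store-dir "$store_root" --location=global

      - name: Install dependencies for security audit
        # --ignore-scripts: the audit only needs the resolved tree; skipping
        # lifecycle scripts keeps the freshly bumped package from executing
        # code inside this job.
        run: pnpm install --frozen-lockfile --ignore-scripts

      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a # v2.5.0 # Pinned to specific version
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"

      - name: Security scan for dependency changes
        # Metadata values go through env instead of `${{ }}` inside `run:`:
        # dependency-names is derived from PR data and must not be expanded
        # as shell text.
        env:
          UPDATE_TYPE: ${{ steps.metadata.outputs.update-type }}
          PACKAGE_ECOSYSTEM: ${{ steps.metadata.outputs.package-ecosystem }}
          DEPENDENCY_NAMES: ${{ steps.metadata.outputs.dependency-names }}
        run: |
          echo "::notice::Checking for security vulnerabilities in dependencies"
          echo "Dependency update type: $UPDATE_TYPE"
          echo "Package ecosystem: $PACKAGE_ECOSYSTEM"
          echo "Package name: $DEPENDENCY_NAMES"
          pnpm audit || {
            echo "::error::Security vulnerabilities found in dependencies"
            exit 1
          }
          echo "✅ No security vulnerabilities detected"

      - name: Approve PR with security validation
        # Fail closed: approve only the update types that the next step may
        # auto-merge, so an empty or unrecognised update-type gets no approval.
        if: |
          steps.metadata.outputs.update-type == 'version-update:semver-minor' ||
          steps.metadata.outputs.update-type == 'version-update:semver-patch'
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          echo "::notice::Approving dependabot PR after security validation"
          gh pr review --approve "$PR_URL"

      - name: Enable auto-merge for minor and patch updates
        if: |
          steps.metadata.outputs.update-type == 'version-update:semver-minor' ||
          steps.metadata.outputs.update-type == 'version-update:semver-patch'
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          UPDATE_TYPE: ${{ steps.metadata.outputs.update-type }}
        run: |
          echo "::notice::Enabling auto-merge for $UPDATE_TYPE update"
          gh pr merge --auto --merge "$PR_URL"

      - name: Require manual review for major updates
        if: steps.metadata.outputs.update-type == 'version-update:semver-major'
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          echo "Major version update detected. Manual review required."
          echo "This PR will not be automatically approved or merged."
          gh pr comment "$PR_URL" \
            --body "Major version update detected. Manual review required."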