CI: resolve latest haybarn at runtime; add Dependabot + auto-merge

- Drop the hardcoded HAYBARN_RELEASE pin; a resolve-haybarn job queries the
  latest haybarn release and feeds it to the whole matrix.
- Commit uv.lock and install via 'uv sync --frozen' / 'uv run --frozen' so CI
  exercises locked versions and Dependabot's uv ecosystem has a bump target.
- Add .github/dependabot.yml: github-actions weekly, Python deps (vgi-python /
  vgi-rpc via uv.lock) daily.
- Add dependabot-auto-merge.yml: squash-merge green Dependabot PRs after CI
  passes (workflow_run-triggered, so no branch protection needed).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: rustyconover

.github/dependabot.yml

@@ -0,0 +1,25 @@
+# Copyright 2026 Query Farm LLC - https://query.farm
+#
+# Automated dependency updates. github-actions keeps the workflow actions
+# current; uv bumps the Python dependencies recorded in uv.lock (driven by the
+# constraints in pyproject.toml). Updates are grouped to minimise PR noise and
+# auto-merged once CI is green (see .github/workflows/dependabot-auto-merge.yml).
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    groups:
+      github-actions:
+        patterns: ["*"]
+
+  # The Python deps are the point of this repo's freshness (vgi-python /
+  # vgi-rpc), so check daily — the most frequent interval Dependabot supports.
+  - package-ecosystem: "uv"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    groups:
+      python:
+        patterns: ["*"]

.github/workflows/ci.yml

@@ -21,12 +21,23 @@ concurrency:
   group: ci-${{ github.ref }}
   cancel-in-progress: true
 
-env:
-  # Haybarn release providing the prebuilt haybarn-unittest binary. Must be
-  # ABI-compatible with the community-published vgi extension. See ci/README.md.
-  HAYBARN_RELEASE: haybarn-v1.5.3-rc10
-
 jobs:
+  # Resolve the latest published haybarn release once, so the whole matrix tests
+  # the same version (and we never hardcode/pin it). haybarn is public, so the
+  # default token can read it — including on Dependabot PRs.
+  resolve-haybarn:
+    runs-on: ubuntu-latest
+    outputs:
+      release: ${{ steps.r.outputs.release }}
+    steps:
+      - id: r
+        run: |
+          REL=$(gh release view --repo Query-farm-haybarn/haybarn --json tagName --jq .tagName)
+          echo "release=$REL" >> "$GITHUB_OUTPUT"
+          echo "Latest haybarn release: $REL"
+        env:
+          GH_TOKEN: ${{ github.token }}
+
   unit:
     strategy:
       fail-fast: false
@@ -37,9 +48,10 @@ jobs:
       - uses: actions/checkout@v4
       - uses: astral-sh/setup-uv@v6
       - name: Run unit tests
-        run: uv run --python 3.13 pytest tests/ -q
+        run: uv run --frozen --python 3.13 pytest tests/ -q
 
   integration:
+    needs: resolve-haybarn
     strategy:
       fail-fast: false
       matrix:
@@ -56,10 +68,8 @@ jobs:
       - uses: actions/checkout@v4
       - uses: astral-sh/setup-uv@v6
 
-      - name: Install the easter worker
-        run: |
-          uv venv --python 3.13 .venv
-          uv pip install --python .venv .
+      - name: Install the easter worker (from the lockfile)
+        run: uv sync --frozen --python 3.13
 
       - name: Download haybarn-unittest
         run: |
@@ -70,14 +80,14 @@ jobs:
           mkdir -p hb && unzip -o -q haybarn-unittest.zip -d hb
         env:
           GH_TOKEN: ${{ github.token }}
+          HAYBARN_RELEASE: ${{ needs.resolve-haybarn.outputs.release }}
 
       - name: Resolve runner + worker paths
         run: |
-          # The worker LOCATION is consumed by the (native) extension process,
-          # so on Windows it must be a native path to the .exe launcher; the
-          # unittest binary itself is exec'd by bash, so a POSIX path is fine.
           # Absolute paths: run-integration.sh cd's into a staging dir before
-          # invoking the runner, so a relative path would not resolve.
+          # invoking the runner, so relative paths would not resolve. The worker
+          # LOCATION is consumed by the (native) extension process, so on Windows
+          # it must be a native path to the .exe launcher.
           if [ "$RUNNER_OS" = "Windows" ]; then
             UNITTEST="$PWD/$(find hb -name 'haybarn-unittest.exe' -type f | head -1)"
             WORKER=$(cygpath -w "$PWD/.venv/Scripts/vgi-easter.exe")

.github/workflows/dependabot-auto-merge.yml

@@ -0,0 +1,41 @@
+# Copyright 2026 Query Farm LLC - https://query.farm
+#
+# Auto-merge Dependabot PRs once CI is green. Triggered by the CI workflow
+# *completing* (workflow_run), so the merge only happens after the unit +
+# extension suites pass on all three OSes — without requiring branch protection
+# (direct pushes to main keep working). Squash-merges and deletes the branch.
+name: Dependabot auto-merge
+
+on:
+  workflow_run:
+    workflows: ["CI"]
+    types: [completed]
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  auto-merge:
+    # Only for a successful CI run that was itself triggered by a Dependabot PR.
+    if: >
+      github.event.workflow_run.event == 'pull_request' &&
+      github.event.workflow_run.conclusion == 'success' &&
+      startsWith(github.event.workflow_run.head_branch, 'dependabot/')
+    runs-on: ubuntu-latest
+    steps:
+      - name: Squash-merge the green Dependabot PR
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REPO: ${{ github.repository }}
+          BRANCH: ${{ github.event.workflow_run.head_branch }}
+        run: |
+          PR=$(gh pr list --repo "$REPO" --head "$BRANCH" --state open \
+                 --json number,author \
+                 --jq '.[] | select(.author.login == "app/dependabot") | .number' | head -1)
+          if [ -z "$PR" ]; then
+            echo "No open Dependabot PR for $BRANCH — nothing to merge."
+            exit 0
+          fi
+          echo "Merging Dependabot PR #$PR ($BRANCH)"
+          gh pr merge "$PR" --repo "$REPO" --squash --delete-branch

CLAUDE.md

@@ -82,16 +82,14 @@ uv run --python 3.13 easter_worker.py
 # Run the HTTP server
 VGI_SIGNING_KEY=dev uv run --python 3.13 serve.py --host 0.0.0.0 --port 8000
 
-# Unit tests (pytest). vgi-python resolves from PyPI; -o "addopts=" guards
-# against any inherited pytest addopts.
-uv run --python 3.13 \
-  --with pytest --with vgi-python \
-  pytest tests/ --rootdir=. -o "addopts=" -q
+# Unit tests (pytest), installing exactly what uv.lock pins.
+uv run --frozen --python 3.13 pytest tests/ -q
 ```
 
-There is no `.venv` checked in (it's gitignored); the `uv run --with ...`
-invocation above resolves a throwaway environment. If you create a project venv,
-prefer `.venv/bin/pytest` over bare `pytest`.
+`uv.lock` is committed (dev/CI reproducibility + the Dependabot `uv` update
+target); it does not affect end users, who install via the `pyproject.toml`
+ranges. `.venv/` is gitignored. `uv sync --frozen --python 3.13` materialises
+the locked environment (and the `vgi-easter` console script) under `.venv/`.
 
 ## Testing
 
@@ -126,12 +124,17 @@ PyPI without a green extension run. See `ci/README.md`.
 
 ### CI / publishing
 
-- `.github/workflows/ci.yml` — unit tests + extension integration suite
-  (reusable via `workflow_call`).
+- `.github/workflows/ci.yml` — unit tests + extension integration suite on
+  Linux, macOS, and Windows (reusable via `workflow_call`). A `resolve-haybarn`
+  job picks the latest Haybarn release at run time (nothing pinned).
 - `.github/workflows/publish.yml` — on GitHub Release (or manual dispatch),
   runs `ci.yml` then `uv build && uv publish`. Token-based, no trusted
   publishing: needs the `PYPI_API_TOKEN` repo secret (passed as
   `UV_PUBLISH_TOKEN`).
+- `.github/dependabot.yml` — github-actions (weekly) + Python deps via `uv.lock`
+  (daily). `.github/workflows/dependabot-auto-merge.yml` squash-merges green
+  Dependabot PRs after CI passes (via `workflow_run`, so no branch protection is
+  required and direct pushes to `main` still work).
 
 ## ATTACH syntax
 

ci/README.md

@@ -38,23 +38,34 @@ extension from the Haybarn community channel:
 ## Run it locally
 
 ```bash
-uv venv .venv --python 3.13 && uv pip install --python .venv .
-gh release download haybarn-v1.5.3-rc10 --repo Query-farm-haybarn/haybarn \
+uv sync --frozen --python 3.13
+REL=$(gh release view --repo Query-farm-haybarn/haybarn --json tagName --jq .tagName)
+gh release download "$REL" --repo Query-farm-haybarn/haybarn \
   --pattern 'haybarn_unittest-osx-arm64.zip' --output /tmp/hb.zip --clobber
 unzip -o /tmp/hb.zip -d /tmp/hb
 HAYBARN_UNITTEST=/tmp/hb/haybarn-unittest \
 VGI_EASTER_WORKER="$PWD/.venv/bin/vgi-easter" \
   ci/run-integration.sh
 ```
 
-(Swap the asset pattern for your platform: `haybarn_unittest-linux-amd64.zip`
-on CI.)
+(Swap the asset pattern for your platform: `haybarn_unittest-linux-amd64.zip`,
+`haybarn_unittest-windows-amd64.zip`.)
 
-## Version pin (and its coupling)
+## Haybarn version (resolved, not pinned)
 
-`HAYBARN_RELEASE` in [`ci.yml`](../.github/workflows/ci.yml) pins the Haybarn
-release supplying `haybarn-unittest`; it must be ABI-compatible with the
-community-published `vgi` extension. The vgi extension is pulled live from the
+The `resolve-haybarn` job in [`ci.yml`](../.github/workflows/ci.yml) queries the
+**latest** published Haybarn release at run time and feeds that one tag to the
+whole matrix — nothing is hardcoded. The `vgi` extension is pulled live from the
 community channel (`INSTALL vgi FROM community`), which always serves the
-currently published build — so CI verifies the worker against what users can
-actually install today. Bump the pin deliberately and re-run the suite.
+currently published build, so CI verifies the worker against what users can
+actually install today. (The trade-off: a brand-new Haybarn release that isn't
+yet ABI-matched by the published `vgi` extension could break a run — that's the
+coupling to watch if the suite suddenly fails without a code change.)
+
+## Dependency updates
+
+[`.github/dependabot.yml`](../.github/dependabot.yml) keeps things current:
+`github-actions` weekly, and the Python deps (`vgi-python` / `vgi-rpc`, via
+`uv.lock`) **daily**. Green Dependabot PRs are squash-merged automatically by
+[`dependabot-auto-merge.yml`](../.github/workflows/dependabot-auto-merge.yml)
+after this CI workflow passes.