
Verify Dependabot cooldown + auto-merge + OSV-Scanner in production #37

Description

@viniciusdc

Tracking issue for verifying the changes in #36 once they're merged and repo settings are flipped. The work cannot be tested on the PR itself — it requires a real Dependabot PR cycle to observe.

Repo settings to flip (one-time)

  • Settings → General → Pull Requests → Allow auto-merge — enabled via gh api ... -F allow_auto_merge=true
  • Settings → Actions → General → Workflow permissions → Read and write permissions — already write with can_approve_pull_request_reviews: true
  • Settings → Branches → branch protection on main → Require status checks → scan-pr / osv-scan added to the existing required checks (Build, Spell check, Lighthouse audit). strict: false, no required reviews, no admin enforcement — compatible with Dependabot auto-merge.

Verifications on the next Dependabot PR cycle

  • Next Dependabot run honors cooldown — no PRs opened for releases younger than the per-semver thresholds (npm: 1d patch / 3d minor / 7d major).
  • On the first patch/minor PR opened after settings are flipped: Dependabot auto-merge / Enable auto-merge for patch/minor job runs and GitHub displays "Auto-merge enabled" on the PR.
  • On the first major PR opened: the auto-merge job runs but does NOT enable auto-merge (skip step is the only step that fires).
  • OSV-Scanner / scan-pr runs and reports green on a clean PR.
  • Once a patch/minor PR has all checks green, it merges automatically without manual intervention.
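The two lists above (settings to flip, then what to observe on the next Dependabot cycle) can be checked from the command line instead of by eye. The script below is an added example, not part of this issue or the repo's own tooling. It assumes the live data would come from `gh api repos/{owner}/{repo}` and `gh api repos/{owner}/{repo}/branches/main/protection`; the function names, the sample API responses and the `dependabot/fetch-metadata` update-type strings it keys on are my assumptions, and the sample responses are constructed so the checks run offline.

```python
"""Offline checks for the Dependabot cooldown / auto-merge / OSV-Scanner rollout.

Added example, not the repo's own code. Assumptions (not in the original issue):
the function names, the constructed sample responses below, and that live data
is fetched with `gh api repos/{owner}/{repo}` and
`gh api repos/{owner}/{repo}/branches/main/protection`.
"""
import json
import subprocess
from datetime import datetime, timedelta, timezone

# The four checks branch protection on main must require.
REQUIRED_CHECKS = {"Build", "Spell check", "Lighthouse audit", "scan-pr / osv-scan"}

# npm cooldown thresholds from the issue: days a release must be public before
# Dependabot may open a PR for it, keyed by fetch-metadata's update-type output.
COOLDOWN_DAYS = {
    "version-update:semver-patch": 1,
    "version-update:semver-minor": 3,
    "version-update:semver-major": 7,
}

# Update types the auto-merge job enables auto-merge for; majors are skipped.
AUTO_MERGE_TYPES = {"version-update:semver-patch", "version-update:semver-minor"}


def gh_api(path: str) -> dict:
    """Fetch JSON from the GitHub REST API via the gh CLI (network; not used offline)."""
    out = subprocess.run(["gh", "api", path], check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def check_repo_settings(repo: dict) -> list:
    """Problems found in a GET /repos/{owner}/{repo} response."""
    return [] if repo.get("allow_auto_merge") else ["allow_auto_merge is disabled"]


def check_branch_protection(protection: dict) -> list:
    """Problems found in a GET .../branches/main/protection response.

    Verifies the combination the issue calls auto-merge compatible: all four
    checks required, strict=false, no required reviews, no admin enforcement.
    """
    problems = []
    checks = protection.get("required_status_checks") or {}
    contexts = set(checks.get("contexts") or [])
    # Newer responses also list checks as objects under "checks".
    contexts |= {c["context"] for c in checks.get("checks") or []}
    missing = REQUIRED_CHECKS - contexts
    if missing:
        problems.append("missing required checks: " + ", ".join(sorted(missing)))
    if checks.get("strict"):
        problems.append("strict=true forces every Dependabot PR to be rebased before merge")
    if protection.get("required_pull_request_reviews"):
        problems.append("required reviews are set; auto-merge cannot satisfy them")
    if (protection.get("enforce_admins") or {}).get("enabled"):
        problems.append("enforce_admins is enabled")
    return problems


def verify(repo: dict, protection: dict) -> list:
    """All settings problems; an empty list means the one-time settings are in place."""
    return check_repo_settings(repo) + check_branch_protection(protection)


def should_enable_auto_merge(update_type: str) -> bool:
    """The decision the auto-merge job makes from fetch-metadata's update-type."""
    return update_type in AUTO_MERGE_TYPES


def cooldown_satisfied(update_type: str, published_at: str, now: str = None) -> bool:
    """True when a release (ISO 8601 publish time) is old enough for its semver level
    that a Dependabot PR for it is expected; False means such a PR would violate cooldown."""
    published = datetime.fromisoformat(published_at.replace("Z", "+00:00"))
    current = datetime.fromisoformat(now.replace("Z", "+00:00")) if now else datetime.now(timezone.utc)
    return current - published >= timedelta(days=COOLDOWN_DAYS[update_type])


# Constructed sample responses mirroring the settings described in the issue.
SAMPLE_REPO = {"allow_auto_merge": True}
SAMPLE_PROTECTION = {
    "required_status_checks": {
        "strict": False,
        "contexts": ["Build", "Spell check", "Lighthouse audit", "scan-pr / osv-scan"],
    },
    "enforce_admins": {"enabled": False},
    "required_pull_request_reviews": None,
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:  # live mode: python verify_rollout.py owner/repo
        repo = gh_api(f"repos/{sys.argv[1]}")
        protection = gh_api(f"repos/{sys.argv[1]}/branches/main/protection")
    else:  # offline mode against the constructed samples
        repo, protection = SAMPLE_REPO, SAMPLE_PROTECTION
    problems = verify(repo, protection)
    for p in problems:
        print("FAIL:", p)
    print("OK" if not problems else "settings need attention")
```

Run it with `owner/repo` as the only argument to check the live settings through `gh`; with no argument it exercises the constructed samples. `cooldown_satisfied` is for auditing a PR after the fact: feed it the release's publish time and the PR's creation time, and a False result is a release Dependabot should not have proposed yet.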

Notes on the stale PRs

PRs #31 through #34 (astro, puppeteer, tailwindcss, shadcn) were opened before this change and won't retroactively pick up the cooldown rules. They will pick up the auto-merge workflow once they re-trigger (e.g. on a rebase or new push), or they can simply be merged manually.

PRs #22 and #18 (content PRs predating the OSV-Scanner workflow) will now be blocked by the new scan-pr / osv-scan required check until they're rebased onto main (or you push a no-op commit to re-trigger CI).
