Tracking issue for verifying the changes in #36 once they're merged and repo settings are flipped. The work cannot be tested on the PR itself — it requires a real Dependabot PR cycle to observe.
Repo settings to flip (one-time)
- gh api ... -F allow_auto_merge=true
- write with can_approve_pull_request_reviews: true
- main → Require status checks — scan-pr / osv-scan added to existing required checks (Build, Spell check, Lighthouse audit). strict: false, no required reviews, no admin enforcement — compatible with Dependabot auto-merge.

Verifications on the next Dependabot PR cycle
- cooldown — no PRs opened for releases younger than the per-semver thresholds (npm: 1d patch / 3d minor / 7d major).
- Dependabot auto-merge / Enable auto-merge for patch/minor job runs and GitHub displays "Auto-merge enabled" on the PR.
- OSV-Scanner / scan-pr runs and reports green on a clean PR.

Notes on the stale PRs
PRs #31–#34 (astro, puppeteer, tailwindcss, shadcn) were opened before this change and won't retroactively pick up cooldown rules. They will pick up the auto-merge workflow once they re-trigger (e.g. on a rebase or new push) — or they can just be merged manually.
PRs #22 and #18 (content PRs predating the OSV-Scanner workflow) will now be blocked by the new scan-pr / osv-scan required check until they're rebased onto main (or you push a no-op commit to re-trigger CI).
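
One way to run the cooldown verification above, as an added example that is not part of the issue or the repo's own code: it classifies each Dependabot bump and flags PRs opened sooner after the release than the npm thresholds quoted (1d patch / 3d minor / 7d major). The record fields, the sample data, and measuring release age at PR creation time are assumptions.

```python
from datetime import datetime, timedelta

# Per-semver cooldown thresholds quoted in the issue for npm, in days.
COOLDOWN_DAYS = {"patch": 1, "minor": 3, "major": 7}

def parse_version(v):
    """Return (major, minor, patch) from an x.y.z string; pre-release/build tags are dropped."""
    core = v.lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]

def bump_type(old, new):
    """Classify an update as major, minor or patch by the first differing component."""
    o, n = parse_version(old), parse_version(new)
    if n <= o:
        raise ValueError(f"{new} is not newer than {old}")
    if n[0] != o[0]:
        return "major"
    if n[1] != o[1]:
        return "minor"
    return "patch"

def _ts(s):
    # GitHub and the npm registry both emit ISO 8601 UTC timestamps ending in "Z".
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def cooldown_violations(prs):
    """Return (PR number, bump type, release age) for PRs opened before the cooldown elapsed."""
    out = []
    for pr in prs:
        bump = bump_type(pr["from"], pr["to"])
        age = _ts(pr["opened_at"]) - _ts(pr["published_at"])  # assumption: age measured at PR creation
        if age < timedelta(days=COOLDOWN_DAYS[bump]):
            out.append((pr["number"], bump, age))
    return out

# Constructed sample records (hypothetical field names, not real PRs from this repo).
SAMPLE = [
    {"number": 101, "from": "4.1.0", "to": "4.1.1", "published_at": "2025-01-01T00:00:00Z", "opened_at": "2025-01-02T06:00:00Z"},
    {"number": 102, "from": "4.1.1", "to": "4.2.0", "published_at": "2025-01-01T00:00:00Z", "opened_at": "2025-01-03T00:00:00Z"},
    {"number": 103, "from": "4.2.0", "to": "5.0.0", "published_at": "2025-01-01T00:00:00Z", "opened_at": "2025-01-09T00:00:00Z"},
]

if __name__ == "__main__":
    for number, bump, age in cooldown_violations(SAMPLE):
        print(f"PR #{number}: {bump} update opened {age} after release, inside cooldown")
```

Dependabot security updates are not subject to cooldown, so leave those PRs out of the input before treating a hit as a misconfiguration.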