diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..1027fe5
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,69 @@
+# Dependabot configuration for @perplexity-ai/mcp-server
+#
+# Goals:
+# 1. Burn down the backlog of open Dependabot alerts (currently 6 high /
+# 16 moderate / 1 low at time of writing) without drowning maintainers
+# in tiny one-dep-at-a-time PRs.
+# 2. Keep patch-level updates flowing automatically via the auto-merge
+# workflow at .github/workflows/dependabot-automerge.yml, while still
+# requiring human review for minor and major version bumps.
+# 3. Update GitHub Actions on the same cadence so workflow runners don't
+# silently age out.
+#
+# References:
+# - https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+#
+version: 2
+updates:
+ - package-ecosystem: "npm"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "monday"
+ time: "06:00"
+ timezone: "Etc/UTC"
+ open-pull-requests-limit: 10
+ labels:
+ - "dependencies"
+ - "javascript"
+ commit-message:
+ prefix: "deps"
+ prefix-development: "deps-dev"
+ include: "scope"
+ groups:
+ # All non-major production updates land in a single weekly PR.
+ production-dependencies:
+ dependency-type: "production"
+ update-types:
+ - "minor"
+ - "patch"
+ # All non-major dev updates land in a single weekly PR.
+ development-dependencies:
+ dependency-type: "development"
+ update-types:
+ - "minor"
+ - "patch"
+ # MCP SDK churns a lot — keep it isolated so SDK bumps don't get
+ # bundled with unrelated transitive upgrades.
+ modelcontextprotocol:
+ patterns:
+ - "@modelcontextprotocol/*"
+
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "monday"
+ time: "06:00"
+ timezone: "Etc/UTC"
+ open-pull-requests-limit: 5
+ labels:
+ - "dependencies"
+ - "github-actions"
+ commit-message:
+ prefix: "ci"
+ include: "scope"
+ groups:
+ github-actions:
+ patterns:
+ - "*"
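Review bot: The `modelcontextprotocol` group is declared after `production-dependencies` and `development-dependencies`, and as I read the Dependabot docs a dependency is assigned to the first group whose rules it matches, so a minor or patch bump of an `@modelcontextprotocol/*` package would land in the broad production group rather than in the isolated PR the comment above it promises. Moving that group to the top of `groups:`, or adding `exclude-patterns: ["@modelcontextprotocol/*"]` to the two broader groups, makes the isolation take effect. Goal 1 in the header targets the open security alerts, but groups without an `applies-to` key cover version updates only, so alert-driven PRs would still arrive one at a time unless a group with `applies-to: "security-updates"` is added — worth confirming against the current configuration reference. The fixed alert counts in the header will go stale within a week; pointing readers at the repository's security tab instead of quoting numbers ages better.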
diff --git a/.github/workflows/dependabot-automerge.yml b/.github/workflows/dependabot-automerge.yml
new file mode 100644
index 0000000..bf9f929
--- /dev/null
+++ b/.github/workflows/dependabot-automerge.yml
@@ -0,0 +1,47 @@
+# Auto-merges Dependabot PRs that are PATCH-only updates and pass CI.
+#
+# Minor and major version bumps still require human review (this workflow
+# explicitly exits without merging them).
+#
+# This pairs with .github/dependabot.yml, where:
+# - production/dev/minor+patch updates are grouped into single weekly PRs
+# - the modelcontextprotocol group is isolated
+# - GitHub Actions are also grouped on the same cadence
+#
+name: Dependabot auto-merge
+
+on:
+ pull_request:
+ # Use pull_request_target so the workflow runs with repo-scoped GITHUB_TOKEN
+ # permissions on PRs opened by Dependabot.
+ types: [opened, reopened, synchronize]
+
+permissions:
+ contents: write
+ pull-requests: write
+
+jobs:
+ automerge:
+ runs-on: ubuntu-latest
+ if: github.actor == 'dependabot[bot]'
+ steps:
+ - name: Fetch Dependabot metadata
+ id: meta
+ uses: dependabot/fetch-metadata@v2
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Auto-merge patch-only updates that pass CI
+ if: steps.meta.outputs.update-type == 'version-update:semver-patch'
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ PR_URL: ${{ github.event.pull_request.html_url }}
+ # --auto waits for required status checks (set by branch protection)
+ # to pass before merging. If CI fails, the PR stays open for review.
+ run: gh pr merge --auto --squash "$PR_URL"
+
+ - name: Leave minor/major bumps open for review
+ if: steps.meta.outputs.update-type != 'version-update:semver-patch'
+ run: |
+ echo "Update type '${{ steps.meta.outputs.update-type }}' requires human review."
+ echo "Skipping auto-merge."
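Review bot: The comment above `types:` says the workflow relies on `pull_request_target`, but the trigger on the line before it is `pull_request:`; on a Dependabot-opened PR a `pull_request` run receives a read-only `GITHUB_TOKEN` and no repository secrets, so the `permissions:` block is downgraded and `gh pr merge --auto --squash "$PR_URL"` would be expected to fail with a permission error rather than merge anything. Either switch the trigger to `pull_request_target:` — defensible here only because no step checks out or executes PR-branch code, which the comment should say explicitly so a future `actions/checkout` of the PR head is not added casually — or rewrite the comment to describe what `pull_request` actually provides. The `echo "Update type '${{ steps.meta.outputs.update-type }}' ..."` line expands an expression directly inside the shell script; the value is an action output rather than PR-authored text, but routing it through `env:` the way the merge step already does for `PR_URL` keeps the script free of inline `${{ }}` expansions, and since the job holds a write token `dependabot/fetch-metadata@v2` could be pinned to a commit SHA with the tag as a trailing comment. The `--auto` comment assumes branch protection requires the CI checks; if none are required there is nothing to wait for and the PR merges as soon as it is mergeable, so that setting should be confirmed before this workflow is enabled.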