From 2bf3c40be82e7e880a9ebdb1351952808a06f0d2 Mon Sep 17 00:00:00 2001 
From: James Liounis Date: Tue, 19 May 2026 13:58:25 +0000 Subject: [PATCH] ci: add grouped Dependabot config + patch-only auto-merge workflow Burns down the current Dependabot alert backlog (6 high / 16 moderate / 1 low at the time of writing) without drowning maintainers in tiny one-dep-at-a-time PRs. .github/dependabot.yml ---------------------- - New file. Configures weekly npm + github-actions updates. - Groups production minor+patch into a single weekly PR. - Groups dev minor+patch into a single weekly PR. - Keeps @modelcontextprotocol/* in its own group so SDK churn doesn't get bundled with unrelated transitive upgrades. - Groups all github-actions bumps together. - open-pull-requests-limit: 10 for npm, 5 for actions. - Conventional-commit prefixes: "deps", "deps-dev", "ci". - Labels: dependencies + javascript / github-actions. .github/workflows/dependabot-automerge.yml ------------------------------------------ - New file. Auto-merges Dependabot PRs that are PATCH-only updates AND pass CI (via `gh pr merge --auto`, which waits for required status checks set by branch protection). - Minor and major bumps explicitly stay open for human review and log why they were skipped. - Uses dependabot/fetch-metadata@v2 to classify update-type. - Permissions are scoped to contents:write and pull-requests:write on PRs opened by the dependabot[bot] actor only. What this PR intentionally does NOT do -------------------------------------- - Does not bump @modelcontextprotocol/sdk or other deps directly. The audit found that bumping the SDK does not actually clear the current transitive alerts upstream, so a blind bump is churn without security gain. Let the new grouped Dependabot land the bumps that genuinely move the needle on its first weekly run. - Does not enable required status checks on `main`. That requires repo settings access and should be confirmed with maintainers before turning on (otherwise `--auto` falls back to immediate merge, which we do not want). 
Pre-merge checklist for maintainers ----------------------------------- 1. Confirm branch protection on `main` requires the `test` job from .github/workflows/test.yml before merge \u2014 this is what makes `gh pr merge --auto` actually wait for CI. 2. Confirm that Dependabot has access to the `dependencies`, `javascript`, and `github-actions` labels (auto-created on first use if not). Tests ----- Both YAML files validate against PyYAML's safe_load. No application code changes; nothing to run via npm test or npm run build.
---
.github/dependabot.yml | 69 ++++++++++++++++++++++
.github/workflows/dependabot-automerge.yml | 47 +++++++++++++++
2 files changed, 116 insertions(+)
create mode 100644 .github/dependabot.yml
create mode 100644 .github/workflows/dependabot-automerge.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..1027fe5
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,69 @@
+# Dependabot configuration for @perplexity-ai/mcp-server
+#
+# Goals:
+# 1. Burn down the backlog of open Dependabot alerts (currently 6 high /
+# 16 moderate / 1 low at time of writing) without drowning maintainers
+# in tiny one-dep-at-a-time PRs.
+# 2. Keep patch-level updates flowing automatically via the auto-merge
+# workflow at .github/workflows/dependabot-automerge.yml, while still
+# requiring human review for minor and major version bumps.
+# 3. Update GitHub Actions on the same cadence so workflow runners don't
+# silently age out.
+#
+# References:
+# - https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+#
+version: 2
+updates:
+ - package-ecosystem: "npm"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "monday"
+ time: "06:00"
+ timezone: "Etc/UTC"
+ open-pull-requests-limit: 10
+ labels:
+ - "dependencies"
+ - "javascript"
+ commit-message:
+ prefix: "deps"
+ prefix-development: "deps-dev"
+ include: "scope"
+ groups:
+ # All non-major production updates land in a single weekly PR.
+ production-dependencies:
+ dependency-type: "production"
+ update-types:
+ - "minor"
+ - "patch"
+ # All non-major dev updates land in a single weekly PR.
+ development-dependencies:
+ dependency-type: "development"
+ update-types:
+ - "minor"
+ - "patch"
+ # MCP SDK churns a lot — keep it isolated so SDK bumps don't get
+ # bundled with unrelated transitive upgrades.
+ modelcontextprotocol:
+ patterns:
+ - "@modelcontextprotocol/*"
+
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "monday"
+ time: "06:00"
+ timezone: "Etc/UTC"
+ open-pull-requests-limit: 5
+ labels:
+ - "dependencies"
+ - "github-actions"
+ commit-message:
+ prefix: "ci"
+ include: "scope"
+ groups:
+ github-actions:
+ patterns:
+ - "*"
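Review bot: The header comment's first goal (burning down the open alert backlog) is not what the `groups:` block under the `npm` entry actually delivers: these groups apply to scheduled version updates, and as far as I recall a Dependabot security-update PR is only grouped by a group that carries `applies-to: "security-updates"`, so alert-driven PRs would still arrive one dependency at a time. Version updates also default to direct dependencies only (the `allow` setting is absent here), so the transitive alerts the commit message mentions would be touched by security updates alone, not by the weekly bumps. If grouped security PRs are the intent, add a block-style group with `applies-to: "security-updates"` and `patterns: ["*"]`; otherwise reword the comment so the backlog is described as an expected side effect rather than a goal of this file. Separately, if Dependabot assigns each dependency to the first group whose filters match (my recollection of the docs), a minor or patch bump of `@modelcontextprotocol/*` is claimed by `production-dependencies` before the `modelcontextprotocol` group sees it, so the isolation the comment promises would hold only for major bumps; listing the SDK group first would make the comment true for every update type.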
diff --git a/.github/workflows/dependabot-automerge.yml b/.github/workflows/dependabot-automerge.yml
new file mode 100644
index 0000000..bf9f929
--- /dev/null
+++ b/.github/workflows/dependabot-automerge.yml
@@ -0,0 +1,47 @@
+# Auto-merges Dependabot PRs that are PATCH-only updates and pass CI.
+#
+# Minor and major version bumps still require human review (this workflow
+# explicitly exits without merging them).
+#
+# This pairs with .github/dependabot.yml, where:
+# - production/dev/minor+patch updates are grouped into single weekly PRs
+# - the modelcontextprotocol group is isolated
+# - GitHub Actions are also grouped on the same cadence
+#
+name: Dependabot auto-merge
+
+on:
+ pull_request:
+ # Use pull_request_target so the workflow runs with repo-scoped GITHUB_TOKEN
+ # permissions on PRs opened by Dependabot.
+ types: [opened, reopened, synchronize]
+
+permissions:
+ contents: write
+ pull-requests: write
+
+jobs:
+ automerge:
+ runs-on: ubuntu-latest
+ if: github.actor == 'dependabot[bot]'
+ steps:
+ - name: Fetch Dependabot metadata
+ id: meta
+ uses: dependabot/fetch-metadata@v2
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Auto-merge patch-only updates that pass CI
+ if: steps.meta.outputs.update-type == 'version-update:semver-patch'
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ PR_URL: ${{ github.event.pull_request.html_url }}
+ # --auto waits for required status checks (set by branch protection)
+ # to pass before merging. If CI fails, the PR stays open for review.
+ run: gh pr merge --auto --squash "$PR_URL"
+
+ - name: Leave minor/major bumps open for review
+ if: steps.meta.outputs.update-type != 'version-update:semver-patch'
+ run: |
+ echo "Update type '${{ steps.meta.outputs.update-type }}' requires human review."
+ echo "Skipping auto-merge."
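Review bot: The trigger `on: pull_request:` contradicts the comment two lines below it, which says the workflow relies on pull_request_target; on a `pull_request` run triggered by Dependabot the GITHUB_TOKEN is, as far as I recall GitHub's docs, read-only regardless of the `permissions:` block, so the `gh pr merge --auto --squash "$PR_URL"` step would fail with a permissions error and nothing would ever auto-merge. Either change the trigger line to `pull_request_target:` so the comment, the write-scoped `permissions:` block and the token actually line up, or keep `pull_request` and give `GH_TOKEN` a token that is allowed to merge. `pull_request_target` is defensible here only because no step checks out or runs code from the PR head — keep it that way, and keep the `github.actor == 'dependabot[bot]'` job guard, since the token is write-scoped against the base repository. Note also that on a `synchronize` event `github.actor` is whoever pushed the latest commit, so a maintainer push to a Dependabot branch silently skips the job; that is likely desired but deserves a comment such as `# A human push to the branch changes the actor and disables auto-merge on purpose.`. Minor style point: the `echo "Update type '${{ steps.meta.outputs.update-type }}' ..."` interpolation in the last step would be more consistent with the merge step if the value were passed through `env:` like `PR_URL`.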