
ci(deps): allow trusted-namespace majors in auto-merge #17

Merged: smartwatermelon merged 2 commits into main from claude/dependabot-auto-merge-c2-rollout on Apr 28, 2026

Conversation

@smartwatermelon
Owner

Summary

  • New policy step in dependabot-auto-merge.yml that admits major-version Dependabot PRs only when every dep in dependency-names is in dependabot/, actions/, or smartwatermelon/.
  • Patch/minor unchanged (always allowed).
  • The major-vs-patch decision is now computed from previous-version / new-version directly, not update-type. On 2026-04-28 fetch-metadata@v2 mislabeled a 2.0.1 → 3.0.0 reusable-workflow bump as semver-patch, so we trust the version math instead of the label.
  • Fails closed on empty dependency-names for a major bump (adversarial-review catch).

Plan

docs/plans/2026-04-28-dependabot-auto-merge-c2.md

Test plan

  • YAML parses cleanly
  • Policy logic unit-tested against 11 cases (patch, minor, major-trusted, major-untrusted, grouped-mixed, mislabel case, unparseable versions, v-prefix, empty deps)
  • After merge: re-trigger smartwatermelon/dev-env#16 (dependabot/fetch-metadata 2 → 3); confirm it auto-merges. This validates the trusted-major path end-to-end before Phase 4 propagation to the other 15 repos.

🤖 Generated with Claude Code

smartwatermelon and others added 2 commits April 28, 2026 15:28
Adds a policy step that admits major-version Dependabot PRs only when
every listed dependency belongs to dependabot/, actions/, or
smartwatermelon/ namespaces. Patch/minor remain always-allowed.

The major decision is computed from previous-version vs new-version
rather than trusting steps.metadata.outputs.update-type. On 2026-04-28,
fetch-metadata@v2 mislabeled a 2.0.1 -> 3.0.0 reusable-workflow bump
as semver-patch (verified in run logs), allowing the existing
patch-only gate to admit a major. The new step compares the leading
integer of each version string and treats any difference as major.

Fails closed when dependency-names is empty on a major bump
(adversarial-review catch — without the dep list, the namespace
allowlist cannot be applied, so we cannot grant auto-merge).

Includes the docs/plans/ rollout plan and unit-tested policy logic.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
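The policy described in the PR summary and the commit message above, as an added shell example that is not the repository's dependabot-auto-merge.yml: the major-vs-non-major decision is made from the leading integer of previous-version and new-version (a v-prefix is tolerated, any change of leading integer counts as major, an unparseable version is denied), a major bump is admitted only when every entry in dependency-names sits in one of the three namespaces, and an empty dependency list on a major bump fails closed. Assumptions, labelled in the code: dependency-names is the comma-separated list that fetch-metadata emits, previous-version and new-version are its raw version strings, the namespace set is the one named in the PR, and the allow:/deny: result strings and the decide/major_of/is_trusted function names are invented here for illustration.

```shell
#!/bin/sh
# Added example (not the repository's workflow step). Policy for admitting a
# Dependabot PR to auto-merge, as a function a `run:` step could call.
# Assumptions: dependency-names is a comma-separated list (fetch-metadata's
# format), previous-version/new-version are raw version strings, and the
# allow:/deny: output strings are invented here for illustration.
set -eu
set -f   # no pathname expansion while word-splitting PR-controlled strings

# Assumption: the trusted namespaces named in the PR description.
TRUSTED_NAMESPACES="dependabot actions smartwatermelon"

# major_of VERSION: print the leading integer of VERSION (a v/V prefix is
# tolerated, "3.0.0-rc1" -> 3); return 1 if there is no leading integer.
major_of() {
  v=${1#v}
  v=${v#V}
  major=${v%%.*}
  case "$major" in
    ''|*[!0-9]*) return 1 ;;
  esac
  printf '%s\n' "$major"
}

# is_trusted NAMESPACE: succeed only on an exact match in TRUSTED_NAMESPACES.
is_trusted() {
  for t in $TRUSTED_NAMESPACES; do
    [ "$t" = "$1" ] && return 0
  done
  return 1
}

# decide PREVIOUS NEW DEPENDENCY_NAMES: print one line, allow:<reason> or
# deny:<reason>. update-type is deliberately not an input: the major decision
# comes from the version strings alone, as the PR describes.
decide() {
  prev=$1; new=$2
  deps=$(printf '%s' "$3" | tr -d '[:space:]')

  # Anything we cannot parse is denied rather than guessed at.
  if ! pm=$(major_of "$prev") || ! nm=$(major_of "$new"); then
    printf 'deny:unparseable-version\n'; return 0
  fi
  # Same leading integer: patch or minor, always allowed.
  if [ "$pm" = "$nm" ]; then
    printf 'allow:non-major\n'; return 0
  fi
  # Major bump (any change of leading integer, downgrades included).
  # Fail closed: without the dependency list the allowlist cannot be applied.
  if [ -z "$deps" ]; then
    printf 'deny:major-empty-deps\n'; return 0
  fi
  old_ifs=$IFS; IFS=','
  for dep in $deps; do
    IFS=$old_ifs
    ns=${dep%%/*}
    # A name with no "/" has no namespace and is treated as untrusted;
    # every dependency in a grouped PR must pass for the PR to be admitted.
    if [ "$ns" = "$dep" ] || ! is_trusted "$ns"; then
      printf 'deny:major-untrusted:%s\n' "$dep"; return 0
    fi
  done
  IFS=$old_ifs
  printf 'allow:major-trusted\n'
}

# Constructed inputs mirroring the cases in the PR's test plan (patch, minor,
# major-trusted, major-untrusted, grouped-mixed, unparseable, v-prefix, empty).
while IFS='|' read -r p n d; do
  printf '%-8s %-8s %-48s %s\n' "$p" "$n" "$d" "$(decide "$p" "$n" "$d")"
done <<'EOF'
2.0.1|2.0.2|actions/checkout
2.0.1|2.1.0|octo-org/some-action
2.0.1|3.0.0|dependabot/fetch-metadata
1.2.3|2.0.0|octo-org/some-action
1.0.0|2.0.0|actions/checkout,octo-org/some-action
latest|3.0.0|actions/checkout
v2|v3|smartwatermelon/dev-env/.github/workflows/ci.yml
2.0.1|3.0.0|
EOF
```

In a workflow step, pass the fetch-metadata outputs in through `env:` (for example `PREV: ${{ steps.metadata.outputs.previous-version }}`) and call `decide "$PREV" "$NEW" "$DEPS"` rather than interpolating `${{ }}` expressions directly into the script body; a dependency name is PR-controlled text, and an interpolated expression would be evaluated as shell before any of the checks above run.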
@smartwatermelon smartwatermelon merged commit 7b1d3d5 into main Apr 28, 2026
2 checks passed
@smartwatermelon smartwatermelon deleted the claude/dependabot-auto-merge-c2-rollout branch April 28, 2026 22:33
This was referenced Apr 28, 2026