Skip to content

ci: auto-format Dependabot PRs after dependency bumps#80

Open
satvik007 wants to merge 1 commit into
mainfrom
ci/dependabot-autoformat
Open

ci: auto-format Dependabot PRs after dependency bumps#80
satvik007 wants to merge 1 commit into
mainfrom
ci/dependabot-autoformat

Conversation

@satvik007

Copy link
Copy Markdown
Collaborator

Problem

Dependabot regenerates the entire `pnpm-lock.yaml` on every bump. That can silently move the resolved version of a formatter/linter within the existing semver range, reformatting source files without any manifest change.

Concrete case — PR #79: it only bumps `globals` and `lint-staged` in `package.json`, but the lockfile regen moved prettier 3.8.4 → 3.9.4 (both satisfy `^3.4.2`). Prettier 3.9.4 reformats a union type in `src/utils/result-upload/parsers/junitXmlParser.ts`, so `pnpm check` → `prettier --check` fails even though Dependabot touched no source.

Dependabot never runs project scripts (`pnpm format`), and its commits are made via the API so they bypass the husky/lint-staged pre-commit hook. Nothing in the pipeline reformats source after a formatter bump.

Fix

A workflow that, on Dependabot `pull_request` events, runs `pnpm format` + `pnpm lint:fix` and pushes any resulting changes back to the PR branch.

⚠️ Required setup — `DEPENDABOT_AUTOFIX_TOKEN` secret

Commits pushed with the default `GITHUB_TOKEN` do not trigger new workflow runs, so the failing `build` check would stay stale (red) even after the fix lands. To make CI re-run and go green, the push must use a PAT or GitHub App token:

  • Create a fine-grained PAT (or App installation token) with Contents: read/write on this repo.
  • Add it as a repo secret named `DEPENDABOT_AUTOFIX_TOKEN`.

The workflow falls back to `GITHUB_TOKEN` if the secret is absent — the formatting fix still lands, but CI won't automatically re-run.

Notes

🤖 Generated with Claude Code

Dependabot regenerates the lockfile on every bump, which can silently
move the resolved prettier/eslint version within the existing semver
range and reformat source files. Dependabot never runs project scripts
and its commits bypass the husky/lint-staged pre-commit hook, so
pnpm check fails on style even when no source was touched (e.g. PR #79,
where prettier drifted 3.8.4 -> 3.9.4 and reformatted junitXmlParser.ts).

This workflow reformats Dependabot PRs and pushes the fix back. A
DEPENDABOT_AUTOFIX_TOKEN secret (PAT or GitHub App token) is needed so
the pushed commit retriggers CI; it falls back to GITHUB_TOKEN otherwise.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@claude

claude Bot commented Jul 8, 2026

Copy link
Copy Markdown

Claude finished @satvik007's task in 1m 14s —— View job


PR Review: ci: auto-format Dependabot PRs after dependency bumps

  • Gather PR context and diff
  • Launch specialized review subagents
  • Aggregate findings and post review
  • Clean up outdated bot comments

Working on it…

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9f91145a84

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

# CI (commits pushed with the default GITHUB_TOKEN do NOT start new
# workflow runs, so the failing check would stay stale). Falls back to
# GITHUB_TOKEN — the fix still lands, but CI won't re-run on its own.
token: ${{ secrets.DEPENDABOT_AUTOFIX_TOKEN || secrets.GITHUB_TOKEN }}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Do not persist a write token before running PR code

When a Dependabot PR updates a package with an install-time script or malicious formatter/linter code, this checkout input is persisted by actions/checkout for later authenticated git commands by default (checkout docs), and the next steps run pnpm install, pnpm format, and pnpm lint:fix from that PR. GitHub keeps Dependabot-triggered workflows read-only by default specifically to protect against potentially malicious dependencies (GitHub changelog); using a write PAT/GitHub token here reintroduces that path, letting compromised dependency code exfiltrate the token or push arbitrary repository changes. Use read-only checkout/install credentials and inject the write token only in the final push step.

Useful? React with 👍 / 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant