ci: auto-format Dependabot PRs after dependency bumps#80
Conversation
Dependabot regenerates the lockfile on every bump, which can silently move the resolved prettier/eslint version within the existing semver range and reformat source files. Dependabot never runs project scripts and its commits bypass the husky/lint-staged pre-commit hook, so pnpm check fails on style even when no source was touched (e.g. PR #79, where prettier drifted 3.8.4 -> 3.9.4 and reformatted junitXmlParser.ts). This workflow reformats Dependabot PRs and pushes the fix back. A DEPENDABOT_AUTOFIX_TOKEN secret (PAT or GitHub App token) is needed so the pushed commit retriggers CI; it falls back to GITHUB_TOKEN otherwise. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
Claude finished @satvik007's task in 1m 14s —— View job PR Review: ci: auto-format Dependabot PRs after dependency bumps
|
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 9f91145a84
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| # CI (commits pushed with the default GITHUB_TOKEN do NOT start new | ||
| # workflow runs, so the failing check would stay stale). Falls back to | ||
| # GITHUB_TOKEN — the fix still lands, but CI won't re-run on its own. | ||
| token: ${{ secrets.DEPENDABOT_AUTOFIX_TOKEN || secrets.GITHUB_TOKEN }} |
There was a problem hiding this comment.
Do not persist a write token before running PR code
When a Dependabot PR updates a package with an install-time script or malicious formatter/linter code, this checkout input is persisted by actions/checkout for later authenticated git commands by default (checkout docs), and the next steps run pnpm install, pnpm format, and pnpm lint:fix from that PR. GitHub keeps Dependabot-triggered workflows read-only by default specifically to protect against potentially malicious dependencies (GitHub changelog); using a write PAT/GitHub token here reintroduces that path, letting compromised dependency code exfiltrate the token or push arbitrary repository changes. Use read-only checkout/install credentials and inject the write token only in the final push step.
Useful? React with 👍 / 👎.

Problem
Dependabot regenerates the entire `pnpm-lock.yaml` on every bump. That can silently move the resolved version of a formatter/linter within the existing semver range, reformatting source files without any manifest change.
Concrete case — PR #79: it only bumps `globals` and `lint-staged` in `package.json`, but the lockfile regen moved prettier 3.8.4 → 3.9.4 (both satisfy `^3.4.2`). Prettier 3.9.4 reformats a union type in `src/utils/result-upload/parsers/junitXmlParser.ts`, so `pnpm check` → `prettier --check` fails even though Dependabot touched no source.
Dependabot never runs project scripts (`pnpm format`), and its commits are made via the API so they bypass the husky/lint-staged pre-commit hook. Nothing in the pipeline reformats source after a formatter bump.
Fix
A workflow that, on Dependabot `pull_request` events, runs `pnpm format` + `pnpm lint:fix` and pushes any resulting changes back to the PR branch.
Commits pushed with the default `GITHUB_TOKEN` do not trigger new workflow runs, so the failing `build` check would stay stale (red) even after the fix lands. To make CI re-run and go green, the push must use a PAT or GitHub App token:
The workflow falls back to `GITHUB_TOKEN` if the secret is absent — the formatting fix still lands, but CI won't automatically re-run.
Notes
🤖 Generated with Claude Code