docs(agent-queue): add Dependabot dependency-triage prompt for common-plat
This commit is contained in:
parent
62c0cd60e0
commit
08d8d715a1
86
agent-queue/docs/jobs/dependabot-triage.md
Normal file
@ -0,0 +1,86 @@
---
engine: devin
cwd: /Users/sd9235/code/mygh/learning_ai_common_plat
yolo: true
lock: common-plat-dependabot
timeout: 4h
---

ROLE: Senior platform engineer. TRIAGE the open Dependabot dependency-update PRs in
`learning_ai_common_plat`, verify each one builds + tests green against CURRENT main,
and MERGE only the safe ones. This is a maintenance sweep — be conservative: a green
verify gate is the bar for merging; anything that fails, conflicts, or is a risky major
bump gets left open with a clear note. NEVER weaken or skip a test to make a PR pass.

PARALLEL-SAFETY: Other Devins may be running in this repo and in learning_ai_devops_tools
on gigafactory `fleet` work. You touch ONLY dependency manifests + lockfile as Dependabot
already changed them — do NOT edit application source. If a Dependabot branch conflicts
with main on anything other than package.json / pnpm-lock.yaml, SKIP it (leave open, note
why) rather than hand-resolving source conflicts.

THE BRANCHES (each is one open PR, ahead of main by ~1 commit):
- dependabot/npm_and_yarn/azure/cosmos-4.9.2
- dependabot/npm_and_yarn/fastify/cors-11.2.0
- dependabot/npm_and_yarn/happy-dom-20.8.4
- dependabot/npm_and_yarn/jose-6.2.2
- dependabot/npm_and_yarn/lint-staged-16.4.0
- dependabot/npm_and_yarn/multi-6d7db9f379 (a grouped multi-package bump)
- dependabot/npm_and_yarn/react-dom-19.2.4
- dependabot/npm_and_yarn/stripe-20.4.1
- dependabot/npm_and_yarn/types/node-25.5.0
- dependabot/npm_and_yarn/typescript-eslint/parser-8.57.1
- dependabot/github_actions/actions/checkout-6
- dependabot/github_actions/actions/setup-node-6
- dependabot/github_actions/actions/setup-python-6
(Re-list with `git branch -r | grep dependabot` in case the set changed.)

PER-PR PROCEDURE (do each in an ISOLATED worktree off CURRENT origin/main so the main
checkout + other Devins are never disturbed):
1. `git fetch origin --prune`; create a temp worktree at origin/main; merge the dependabot
branch into it (`--no-commit --no-ff`).
- If the merge touches ANY file other than package.json / pnpm-lock.yaml /
.github/workflows/* -> ABORT, classify SKIP (unexpected scope), note it.
- If it conflicts -> ABORT, classify SKIP (conflicts main), note it.
2. Identify the bump TYPE from the version delta (semver): patch / minor / major.
3. Run the VERIFY GATE in the merged worktree:
- `pnpm install --frozen-lockfile` (must succeed with the bumped lockfile)
- `pnpm build`
- `pnpm test`
- For react-dom: also run the dashboards' web tests if they have their own suite.
- GitHub-actions bumps (checkout/setup-node/setup-python): no pnpm gate; just confirm
the workflow YAML still parses and the action major is supported by our runners.
4. CLASSIFY:
- MERGE if: scope is only manifests/lockfile/workflow, no conflicts, verify gate fully
green. (Patch/minor with green gate = merge. A MAJOR bump may merge ONLY if the gate
is green AND nothing in our code uses a removed/changed API — if unsure, HOLD.)
- HOLD (leave open) if: gate fails, major bump with any ambiguity, or behavioral risk
(e.g. stripe / jose / react-dom majors that need a human eye).
- SKIP if: conflicts main or touches unexpected files.
5. To MERGE: merge the branch into main with `--no-ff` (first parent = main), message
`chore(deps): <package> <old> -> <new> (#<pr>)`, push origin HEAD:main, then delete the
dependabot branch. Re-fetch main before the NEXT PR so each builds on the latest (avoids
lockfile churn between merges). Do the LOW-RISK ones first (types/node, lint-staged,
happy-dom, the actions bumps), majors last.

CONSTRAINTS: no app-source edits; never modify/skip tests; ESM repo conventions; conventional
commits (chore(deps): ...); do not touch the gigafactory `fleet` modules; do not delete
backup/* branches; leave the gigafactory + hermes branches alone. Stay entirely in isolated
worktrees; clean every worktree up afterward (`git worktree remove --force` + `prune`).

VERIFY GATE (per merged PR, must be green to merge):
- pnpm install --frozen-lockfile && pnpm build && pnpm test (no regression)

FINAL OUTPUT — report in EXACTLY this format:
## Dependency Triage Report — common-plat Dependabot
### Summary table
| PR / package | old -> new | bump | verify gate | decision |
(one row per branch: MERGE / HOLD / SKIP)
### Merged (pushed to main)
- <package> <old->new> (#pr) — commit <sha>
### Held open (with reason)
- <package> — <why: failing gate / major risk / needs human>
### Skipped (with reason)
- <package> — <conflicts main / unexpected scope>
### Verify gate results (build/test summary per merged PR)
### Branches deleted
### Anything that needs a human decision
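Review bot: the allowed-scope rule is stated inconsistently: the PARALLEL-SAFETY paragraph says to SKIP any branch that conflicts on "anything other than package.json / pnpm-lock.yaml", while step 1 of PER-PR PROCEDURE accepts `.github/workflows/*` as in scope (and the actions/* branches can only touch workflow files). Align the two, e.g. make the PARALLEL-SAFETY sentence read "package.json / pnpm-lock.yaml / .github/workflows/*", so the agent does not skip every actions bump by following the stricter sentence. Second, the verify gate runs `pnpm install --frozen-lockfile` on a freshly bumped, not-yet-reviewed package version inside a `yolo: true` session on a developer machine; depending on the pnpm major in use and the repo's `onlyBuiltDependencies` setting, that install may execute the new version's lifecycle scripts. State which pnpm version the gate assumes, or have the agent first install with `--ignore-scripts` and report any package that needs build scripts before running the full gate. Third, step 5's commit template requires `(#<pr>)` but no step maps a `dependabot/...` branch to its PR number; add a lookup step (or allow the agent to omit the suffix) so it does not guess an id.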