| engine | cwd | yolo | lock | timeout |
|---|---|---|---|---|
| devin | /Users/sd9235/code/mygh/learning_ai_common_plat | true | common-plat-dependabot | 4h |
ROLE: Senior platform engineer. TRIAGE the open Dependabot dependency-update PRs in
learning_ai_common_plat, verify each one builds + tests green against CURRENT main,
and MERGE only the safe ones. This is a maintenance sweep — be conservative: a green
verify gate is the bar for merging; anything that fails, conflicts, or is a risky major
bump gets left open with a clear note. NEVER weaken or skip a test to make a PR pass.
PARALLEL-SAFETY: Other Devins may be running in this repo and in learning_ai_devops_tools
on gigafactory fleet work. You touch ONLY dependency manifests + lockfile as Dependabot
already changed them — do NOT edit application source. If a Dependabot branch conflicts
with main on anything other than package.json / pnpm-lock.yaml, SKIP it (leave open, note
why) rather than hand-resolving source conflicts.
THE BRANCHES (each is one open PR, ahead of main by ~1 commit):
- dependabot/npm_and_yarn/azure/cosmos-4.9.2
- dependabot/npm_and_yarn/fastify/cors-11.2.0
- dependabot/npm_and_yarn/happy-dom-20.8.4
- dependabot/npm_and_yarn/jose-6.2.2
- dependabot/npm_and_yarn/lint-staged-16.4.0
- dependabot/npm_and_yarn/multi-6d7db9f379 (a grouped multi-package bump)
- dependabot/npm_and_yarn/react-dom-19.2.4
- dependabot/npm_and_yarn/stripe-20.4.1
- dependabot/npm_and_yarn/types/node-25.5.0
- dependabot/npm_and_yarn/typescript-eslint/parser-8.57.1
- dependabot/github_actions/actions/checkout-6
- dependabot/github_actions/actions/setup-node-6
- dependabot/github_actions/actions/setup-python-6
(Re-list with git branch -r | grep dependabot in case the set changed.)
PER-PR PROCEDURE (do each in an ISOLATED worktree off CURRENT origin/main so the main checkout + other Devins are never disturbed):
- git fetch origin --prune; create a temp worktree at origin/main; merge the dependabot branch into it (--no-commit --no-ff).
- If the merge touches ANY file other than package.json / pnpm-lock.yaml / .github/workflows/* -> ABORT, classify SKIP (unexpected scope), note it.
- If it conflicts -> ABORT, classify SKIP (conflicts main), note it.
- Identify the bump TYPE from the version delta (semver): patch / minor / major.
- Run the VERIFY GATE in the merged worktree:
  pnpm install --frozen-lockfile (must succeed with the bumped lockfile)
  pnpm build
  pnpm test
- For react-dom: also run the dashboards' web tests if they have their own suite.
- GitHub-actions bumps (checkout/setup-node/setup-python): no pnpm gate; just confirm the workflow YAML still parses and the action major is supported by our runners.
- CLASSIFY:
- MERGE if: scope is only manifests/lockfile/workflow, no conflicts, verify gate fully green. (Patch/minor with green gate = merge. A MAJOR bump may merge ONLY if the gate is green AND nothing in our code uses a removed/changed API — if unsure, HOLD.)
- HOLD (leave open) if: gate fails, major bump with any ambiguity, or behavioral risk (e.g. stripe / jose / react-dom majors that need a human eye).
- SKIP if: conflicts main or touches unexpected files.
- To MERGE: merge the branch into main with --no-ff (first parent = main), message chore(deps): <package> <old> -> <new> (#<pr>), push origin HEAD:main, then delete the dependabot branch. Re-fetch main before the NEXT PR so each builds on the latest (avoids lockfile churn between merges). Do the LOW-RISK ones first (types/node, lint-staged, happy-dom, the actions bumps), majors last.
CONSTRAINTS: no app-source edits; never modify/skip tests; ESM repo conventions; conventional
commits (chore(deps): ...); do not touch the gigafactory fleet modules; do not delete
backup/* branches; leave the gigafactory + hermes branches alone. Stay entirely in isolated
worktrees; clean every worktree up afterward (git worktree remove --force + prune).
VERIFY GATE (per merged PR, must be green to merge):
- pnpm install --frozen-lockfile && pnpm build && pnpm test (no regression)
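The per-PR procedure above, written out as a small POSIX-sh harness. This is an added example, not part of the task prompt or of the learning_ai_common_plat repo: it assumes a remote named origin, a root-level package.json / pnpm-lock.yaml, pnpm on PATH, and branch names of the form listed above. It only classifies (scope check, conflict check, semver delta, verify gate) and prints one summary-table row; the --no-ff merge and push stay a separate, deliberate step. Two conservative choices are built in: a major bump is always HELD because the "nothing uses a removed API" check is a human decision, and a PR that changes no package.json line (a grouped bump or an actions-only bump) is also HELD rather than guessed at.

```shell
#!/usr/bin/env sh
# Added triage harness (example code, not from the original task prompt or the repo).
# Encodes the SKIP / HOLD / MERGE rules as small functions; triage_pr runs one
# Dependabot branch through an isolated worktree and prints a report row.
set -u

# Paths a Dependabot PR may touch. Anything else is "unexpected scope".
# Prints the first out-of-scope path and returns 1; returns 0 when clean.
scope_check() {
  for f in "$@"; do
    case "$f" in
      package.json|pnpm-lock.yaml|.github/workflows/*) ;;
      *) printf '%s\n' "$f"; return 1 ;;
    esac
  done
  return 0
}

# bump_type OLD NEW -> patch | minor | major  (a leading ^ or ~ is stripped)
bump_type() {
  o=${1#[!0-9]}; n=${2#[!0-9]}
  o_major=${o%%.*}; n_major=${n%%.*}
  o_rest=${o#*.};   n_rest=${n#*.}
  o_minor=${o_rest%%.*}; n_minor=${n_rest%%.*}
  if   [ "$o_major" != "$n_major" ]; then echo major
  elif [ "$o_minor" != "$n_minor" ]; then echo minor
  else echo patch; fi
}

# classify SCOPE CONFLICT BUMP GATE -> MERGE | HOLD | SKIP
#   SCOPE: ok|bad  CONFLICT: yes|no  BUMP: patch|minor|major|grouped|?  GATE: green|red
# Only a green patch/minor bump merges; a major bump is held even when green.
classify() {
  if [ "$1" != ok ] || [ "$2" = yes ]; then echo SKIP; return; fi
  case "$3:$4" in
    patch:green|minor:green) echo MERGE ;;
    *) echo HOLD ;;
  esac
}

# version_delta WORKTREE -> "OLD NEW BUMP", read from the staged package.json diff.
# Several changed dependency lines (a grouped bump) are reported as "grouped".
version_delta() {
  diff=$(git -C "$1" diff --cached -U0 -- package.json)
  pat='s/^[-+][[:space:]]*"[^"]*":[[:space:]]*"\([^"]*\)".*/\1/p'
  olds=$(printf '%s\n' "$diff" | grep '^-[[:space:]]*"' | sed -n "$pat")
  news=$(printf '%s\n' "$diff" | grep '^+[[:space:]]*"' | sed -n "$pat")
  old=$(printf '%s\n' "$olds" | head -n1); new=$(printf '%s\n' "$news" | head -n1)
  if [ -z "$old" ] || [ -z "$new" ]; then echo "? ? ?"
  elif [ "$(printf '%s\n' "$olds" | wc -l | tr -d ' ')" -gt 1 ]; then echo "$old $new grouped"
  else echo "$old $new $(bump_type "$old" "$new")"; fi
}

# triage_pr BRANCH: isolated worktree off origin/main, --no-commit --no-ff merge,
# scope + conflict checks, then the pnpm verify gate. Always removes the worktree.
triage_pr() {
  branch=$1
  git fetch origin --prune >/dev/null 2>&1 || { echo "| $branch | fetch failed"; return 1; }
  tmp=$(mktemp -d "${TMPDIR:-/tmp}/triage.XXXXXX"); wt=$tmp/wt
  git worktree add --detach "$wt" origin/main >/dev/null 2>&1 || return 1
  scope=ok; conflict=no; gate=red; old='?'; new='?'; bump='?'; note=''
  if git -C "$wt" merge --no-commit --no-ff "origin/$branch" >/dev/null 2>&1; then
    changed=$(git -C "$wt" diff --cached --name-only)
    bad=$(scope_check $changed)          # word-split on purpose: one path per line
    if [ -n "$bad" ]; then scope=bad; note="unexpected scope: $bad"
    else
      set -- $(version_delta "$wt"); old=$1; new=$2; bump=$3
      if (cd "$wt" && pnpm install --frozen-lockfile && pnpm build && pnpm test) \
           >"$tmp/gate.log" 2>&1; then gate=green; else note="gate failed, see $tmp/gate.log"; fi
    fi
  else
    conflict=yes; note="conflicts main"; git -C "$wt" merge --abort >/dev/null 2>&1
  fi
  decision=$(classify "$scope" "$conflict" "$bump" "$gate")
  git worktree remove --force "$wt" >/dev/null 2>&1; git worktree prune
  printf '| %s | %s -> %s | %s | %s | %s | %s\n' \
    "$branch" "$old" "$new" "$bump" "$gate" "$decision" "$note"
}

# Usage: sh triage.sh dependabot/npm_and_yarn/jose-6.2.2
if [ -n "${1:-}" ]; then triage_pr "$1"; fi
```

Run it once per branch from the repo root; each row it prints drops straight into the summary table of the final report, and the gate log is left in the temp directory for the HOLD note.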
FINAL OUTPUT — report in EXACTLY this format:
Dependency Triage Report — common-plat Dependabot
Summary table
| PR / package | old -> new | bump | verify gate | decision | (one row per branch: MERGE / HOLD / SKIP)
Merged (pushed to main)
- <package> <old> -> <new> (#<pr>) — commit
Held open (with reason)
- <package> — <why: failing gate / major risk / needs human>
Skipped (with reason)
- <package> — <conflicts main / unexpected scope>