87 lines
4.6 KiB
Markdown
87 lines
4.6 KiB
Markdown
---
|
|
engine: devin
|
|
cwd: /Users/sd9235/code/mygh/learning_ai_common_plat
|
|
yolo: true
|
|
lock: common-plat-dependabot
|
|
timeout: 4h
|
|
---
|
|
|
|
ROLE: Senior platform engineer. TRIAGE the open Dependabot dependency-update PRs in
|
|
`learning_ai_common_plat`, verify each one builds + tests green against CURRENT main,
|
|
and MERGE only the safe ones. This is a maintenance sweep — be conservative: a green
|
|
verify gate is the bar for merging; anything that fails, conflicts, or is a risky major
|
|
bump gets left open with a clear note. NEVER weaken or skip a test to make a PR pass.
|
|
|
|
PARALLEL-SAFETY: Other Devins may be running in this repo and in learning_ai_devops_tools
|
|
on gigafactory `fleet` work. You touch ONLY dependency manifests + lockfile as Dependabot
|
|
already changed them — do NOT edit application source. If a Dependabot branch conflicts
|
|
with main on anything other than package.json / pnpm-lock.yaml, SKIP it (leave open, note
|
|
why) rather than hand-resolving source conflicts.
|
|
|
|
THE BRANCHES (each is one open PR, ahead of main by ~1 commit):
|
|
- dependabot/npm_and_yarn/azure/cosmos-4.9.2
|
|
- dependabot/npm_and_yarn/fastify/cors-11.2.0
|
|
- dependabot/npm_and_yarn/happy-dom-20.8.4
|
|
- dependabot/npm_and_yarn/jose-6.2.2
|
|
- dependabot/npm_and_yarn/lint-staged-16.4.0
|
|
- dependabot/npm_and_yarn/multi-6d7db9f379 (a grouped multi-package bump)
|
|
- dependabot/npm_and_yarn/react-dom-19.2.4
|
|
- dependabot/npm_and_yarn/stripe-20.4.1
|
|
- dependabot/npm_and_yarn/types/node-25.5.0
|
|
- dependabot/npm_and_yarn/typescript-eslint/parser-8.57.1
|
|
- dependabot/github_actions/actions/checkout-6
|
|
- dependabot/github_actions/actions/setup-node-6
|
|
- dependabot/github_actions/actions/setup-python-6
|
|
(Re-list with `git branch -r | grep dependabot` in case the set changed.)
|
|
|
|
PER-PR PROCEDURE (do each in an ISOLATED worktree off CURRENT origin/main so the main
|
|
checkout + other Devins are never disturbed):
|
|
1. `git fetch origin --prune`; create a temp worktree at origin/main; merge the dependabot
|
|
branch into it (`--no-commit --no-ff`).
|
|
- If the merge touches ANY file other than package.json / pnpm-lock.yaml /
|
|
.github/workflows/* -> ABORT, classify SKIP (unexpected scope), note it.
|
|
- If it conflicts -> ABORT, classify SKIP (conflicts main), note it.
|
|
2. Identify the bump TYPE from the version delta (semver): patch / minor / major.
|
|
3. Run the VERIFY GATE in the merged worktree:
|
|
- `pnpm install --frozen-lockfile` (must succeed with the bumped lockfile)
|
|
- `pnpm build`
|
|
- `pnpm test`
|
|
- For react-dom: also run the dashboards' web tests if they have their own suite.
|
|
- GitHub-actions bumps (checkout/setup-node/setup-python): no pnpm gate; just confirm
|
|
the workflow YAML still parses and the action major is supported by our runners.
|
|
4. CLASSIFY:
|
|
- MERGE if: scope is only manifests/lockfile/workflow, no conflicts, verify gate fully
|
|
green. (Patch/minor with green gate = merge. A MAJOR bump may merge ONLY if the gate
|
|
is green AND nothing in our code uses a removed/changed API — if unsure, HOLD.)
|
|
- HOLD (leave open) if: gate fails, major bump with any ambiguity, or behavioral risk
|
|
(e.g. stripe / jose / react-dom majors that need a human eye).
|
|
- SKIP if: conflicts main or touches unexpected files.
|
|
5. To MERGE: merge the branch into main with `--no-ff` (first parent = main), message
|
|
`chore(deps): <package> <old> -> <new> (#<pr>)`, push origin HEAD:main, then delete the
|
|
dependabot branch. Re-fetch main before the NEXT PR so each builds on the latest (avoids
|
|
lockfile churn between merges). Do the LOW-RISK ones first (types/node, lint-staged,
|
|
happy-dom, the actions bumps), majors last.
|
|
|
|
CONSTRAINTS: no app-source edits; never modify/skip tests; ESM repo conventions; conventional
|
|
commits (chore(deps): ...); do not touch the gigafactory `fleet` modules; do not delete
|
|
backup/* branches; leave the gigafactory + hermes branches alone. Stay entirely in isolated
|
|
worktrees; clean every worktree up afterward (`git worktree remove --force` + `prune`).
|
|
|
|
VERIFY GATE (per merged PR, must be green to merge):
|
|
- pnpm install --frozen-lockfile && pnpm build && pnpm test (no regression)
|
|
|
|
FINAL OUTPUT — report in EXACTLY this format:
|
|
## Dependency Triage Report — common-plat Dependabot
|
|
### Summary table
|
|
| PR / package | old -> new | bump | verify gate | decision |
|
|
(one row per branch: MERGE / HOLD / SKIP)
|
|
### Merged (pushed to main)
|
|
- <package> <old->new> (#pr) — commit <sha>
|
|
### Held open (with reason)
|
|
- <package> — <why: failing gate / major risk / needs human>
|
|
### Skipped (with reason)
|
|
- <package> — <conflicts main / unexpected scope>
|
|
### Verify gate results (build/test summary per merged PR)
|
|
### Branches deleted
|
|
### Anything that needs a human decision
|