Skip to content

fix(ci): prevent spurious Dependabot PR failures from auto-approve and @types/vscode bumps#143

Merged
patchloom-release[bot] merged 2 commits into
mainfrom
fix/dependabot-auto-approve
Jun 22, 2026
Merged

fix(ci): prevent spurious Dependabot PR failures from auto-approve and @types/vscode bumps#143
patchloom-release[bot] merged 2 commits into
mainfrom
fix/dependabot-auto-approve

Conversation

@SebTardif

Copy link
Copy Markdown
Contributor

Problem

Dependabot PRs were consistently showing as failing / not auto-merging:

Root causes

  1. auto-approve.yml included dependabot[bot]. This workflow triggers on pull_request.
    Dependabot pull_request runs receive no repository secrets/vars ("Secret source: Dependabot").
    The actions/create-github-app-token step always failed with:

    The 'private-key' input must be set to a non-empty string.

    This left a permanent failing status check named "auto-approve" on all Dependabot PRs.

  2. dependabot-auto-merge.yml (the working one, on pull_request_target) already handled approval + gh pr merge --auto --squash for patch/minor.

    • @types/node 25→26 and actions/checkout 6→7 were classified semver-major → intentionally skipped (manual review).
    • @types/vscode 1.120→1.125 was semver-minor but produced:

      @types/vscode ^1.125.0 greater than engines.vscode ^1.90.0

    (vsce enforces this.)

Changes

  • Remove dependabot[bot] from the actor list in auto-approve.yml. Only SebTardif + release bot go through it now.
  • Add @types/vscode to the npm ignore list in dependabot.yml with explanation.
  • New Dependabot PRs will no longer run the broken job or receive breaking @types/vscode bumps.
  • Updated internal contrib notes.

Dependabot will remain automatic for true patch/minor updates that don't violate engine constraints. Majors (per Dependabot metadata) continue to require manual review per existing policy.

…es/vscode

- Remove dependabot[bot] from auto-approve.yml condition. That workflow
  runs on pull_request (no secrets for Dependabot) and always failed the
  create-github-app-token step, producing a permanent red 'auto-approve'
  check on every Dependabot PR.
- Dependabot approval + auto-merge (patch/minor) is already handled by
  the dedicated dependabot-auto-merge.yml on pull_request_target.
- Add @types/vscode to dependabot ignore for npm. vsce package enforces
  that the @types/vscode version must not exceed engines.vscode. Bumps
  produced failing 'build' jobs (package step).
- New Dependabot PRs will no longer have spurious failures. Majors still
  require manual review per existing policy.

Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>
github-actions[bot]
github-actions Bot previously approved these changes Jun 22, 2026
@patchloom-release patchloom-release Bot enabled auto-merge (squash) June 22, 2026 15:03
The previous dynamic fetch of 'latest' via unauthenticated GitHub API
was brittle:
- Rate limits (60/hr unauth) often return error JSON instead of release.
- grep/cut produces empty GITLEAKS_VERSION.
- Download URL becomes invalid → 404 + tar failure.

This caused the 'Gitleaks secret detection' job to fail on PR #143
(even though the PR changes are unrelated to secrets scanning).

Fix: pin to a recent stable release (8.30.1) with comment for future
updates. This is consistent with how other tools/actions are handled
in the repo.

Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>
@SebTardif

Copy link
Copy Markdown
Contributor Author

Update: The failure on this PR was not caused by the Dependabot fixes.

What failed

  • All relevant checks passed: full ci matrix (unit + integration + build), DCO, auto-approve (now correctly skips for non-dependabot), CodeQL, etc.
  • Only red: Gitleaks secret detection (in the security workflow).

Root cause

The gitleaks job used a very brittle install:

GITLEAKS_VERSION=$(curl -s https://api.github.com/.../releases/latest | grep tag_name | cut ... | sed 's/v//')
curl .../v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz ...
  • No GITHUB_TOKEN → unauthenticated rate limit (60 req/hour).
  • When rate limited (or transient), the API returns an error object instead of the release JSON.
  • grep produces an empty version string.
  • Download URL becomes invalid → 404 → tar fails.

This is pre-existing (unrelated to the two files changed in the original commit). It happened to flake on this run.

Fix pushed

  • Added commit pinning Gitleaks to 8.30.1 (current latest) with a comment.
  • This is the same pattern used for other pinned tools/actions in the repo.
  • New push to the branch (fix/dependabot-auto-approve) will trigger fresh runs.

Once the new security run completes it should be green. The Dependabot-related changes themselves are working (note that "auto-approve" now succeeds cleanly on this non-Dependabot PR, and Dependabot PRs going forward won't get the spurious failure).

The original two changes remain:

  • Stop running the secret-requiring auto-approve logic for dependabot[bot].
  • Ignore @types/vscode in Dependabot (prevents engine vs types version mismatches that break vsce package).

Ready for merge after the re-run is clean.

@patchloom-release patchloom-release Bot merged commit 3b50515 into main Jun 22, 2026
19 checks passed
@patchloom-release patchloom-release Bot deleted the fix/dependabot-auto-approve branch June 22, 2026 15:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant