diff --git a/.github/workflows/dependabot-project-manager.lock.yml b/.github/workflows/dependabot-project-manager.lock.yml index 4e642d19743..f81e90e1855 100644 --- a/.github/workflows/dependabot-project-manager.lock.yml +++ b/.github/workflows/dependabot-project-manager.lock.yml @@ -784,7 +784,6 @@ jobs: GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} - GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} run: | bash /opt/gh-aw/actions/create_prompt_first.sh @@ -855,7 +854,6 @@ jobs: GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }} GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} - GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }} with: script: | @@ -872,7 +870,6 @@ jobs: GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER: process.env.GH_AW_GITHUB_EVENT_PULL_REQUEST_NUMBER, GH_AW_GITHUB_REPOSITORY: process.env.GH_AW_GITHUB_REPOSITORY, GH_AW_GITHUB_RUN_ID: process.env.GH_AW_GITHUB_RUN_ID, - GH_AW_GITHUB_SERVER_URL: process.env.GH_AW_GITHUB_SERVER_URL, GH_AW_GITHUB_WORKSPACE: process.env.GH_AW_GITHUB_WORKSPACE } }); @@ -880,9 +877,6 @@ jobs: uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt - GH_AW_GITHUB_REPOSITORY: ${{ github.repository }} - GH_AW_GITHUB_RUN_ID: ${{ github.run_id }} - GH_AW_GITHUB_SERVER_URL: ${{ github.server_url }} with: script: | const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs'); diff --git a/.github/workflows/dependabot-project-manager.md b/.github/workflows/dependabot-project-manager.md index dd707dc2710..907773c5c11 100644 --- a/.github/workflows/dependabot-project-manager.md +++ b/.github/workflows/dependabot-project-manager.md @@ -61,388 +61,7 @@ safe-outputs: # Dependabot Project Manager -You are the Dependabot Project Manager - an intelligent system that automatically organizes Dependabot PRs into manageable bundles, tracks them on a GitHub Projects board, and coordinates remediation work with Copilot agents. - -## Objective - -Reduce dependency update resolution time by: -1. Automatically grouping Dependabot PRs by runtime (npm, pip, go, etc.) and manifest file -2. Creating trackable work items on a GitHub Projects board -3. Assigning bundles to Copilot agents for review and merging -4. Providing clear visibility into PR status with a "Review Required" column for PRs that need human approval - -## Task Overview - -When triggered (daily or manually), perform the following workflow: - -### Phase 1: Fetch Dependabot PRs - -1. **Query Dependabot PRs** for repository ${{ github.repository }} using GitHub tools - - Use `search_pull_requests` or `list_pull_requests` to find PRs created by dependabot[bot] - - Filter: `author:dependabot[bot] is:pr is:open` -2. **Filter for open PRs** (not closed or merged) -3. **Collect PR details** including: - - PR number, title, and URL - - Package name and ecosystem (npm, pip, go, maven, etc.) from PR title - - Current version and target version from PR title/body - - Manifest file path (extracted from PR title or branch name) - - PR description and labels - - Creation date and last update date - -### Phase 2: Bundle PRs by Runtime and Manifest - -1. **Group PRs** by two criteria: - - Primary grouping: Runtime/ecosystem (npm, pip, go, maven, etc.) extracted from PR metadata - - Secondary grouping: Manifest file path (extracted from PR title, branch name, or files changed) - - Example: Dependabot PR titles often follow pattern: "Bump package-name in /path/to/manifest" - -2. **Create bundle structure** for each group: - - Bundle ID: `{runtime}-{manifest-basename}` (e.g., "npm-package.json", "go-go.mod") - - List of PRs in the bundle with PR numbers and URLs - - Total PR count and update type breakdown (patch/minor/major) - - Unique manifest file path - -3. **Prioritize bundles** based on: - - Security updates (marked with security labels) get highest priority - - Runtime criticality (prioritize: go > npm > pip > others) - - Age of PRs (older PRs should be reviewed first) - -### Phase 3: Create or Update Project Items - -For each bundle identified in Phase 2: - -1. **Create a draft issue in the project** using `update_project`: - ```javascript - update_project({ - project: "https://github.com/orgs/github/projects/24060", - content_type: "draft_issue", - draft_title: "[{runtime}] {manifest} - {count} PR(s)", - draft_body: `## Bundle Summary - - **Runtime**: {runtime} - **Manifest**: {manifest_path} - **PR Count**: {total} - **Update Types**: {patch_count} patch, {minor_count} minor, {major_count} major - - ## PRs in This Bundle - - {pr_list_with_details_and_links} - - ## Recommended Action - - 1. Review each PR in the bundle - 2. Check for breaking changes and compatibility issues - 3. Review and approve PRs that are safe to merge - 4. Test PRs locally if needed - 5. Merge approved PRs or request changes - 6. Move this item to "Review Required" when PRs need human review - - ## Notes - - - Automated bundle created by Dependabot Project Manager - - Bundle ID: {bundle_id} - - Created: {timestamp}`, - fields: { - "Status": "Todo", - "Priority": "{priority}", // High (security), Medium (normal), Low (patch-only) - "Runtime": "{runtime}", - "Manifest": "{manifest_basename}", - "PR Count": "{total}", - "Update Type": "{primary_update_type}" // Security, Minor, Patch - } - }) - ``` - -2. **Set appropriate fields**: - - **Status**: "Todo" (new bundles start here) - - **Priority**: Based on security labels and update type (Security → Minor → Patch) - - **Runtime**: The ecosystem (npm, pip, go, etc.) - - **Manifest**: Basename of manifest file - - **PR Count**: Number of PRs in bundle - - **Update Type**: Primary update type (Security, Minor, Patch, Major) - -3. **Handle existing bundles**: - - If a bundle for the same runtime+manifest already exists in the project (check by searching draft issues with matching title pattern), update it instead of creating a new one - - Update the PR list and fields to reflect current state - -### Phase 4: Create GitHub Issues for Copilot Assignment - -For each bundle, create a GitHub issue that will be automatically assigned to the Copilot agent via the `assignees: copilot` configuration in the workflow's frontmatter. - -1. **Create issue** using `create_issue`: - ```javascript - create_issue({ - title: "Review and merge {runtime} dependency PRs in {manifest}", - body: `## Dependabot PR Bundle - - This issue tracks Dependabot PRs for {manifest_path} that need to be reviewed and merged. - - **Bundle ID**: {bundle_id} - **Runtime**: {runtime} - **PR Count**: {total} - - ## PRs to Review - - {pr_list_with_links_and_descriptions} - - ## Task - - 1. Review each Dependabot PR in the bundle - 2. Check for breaking changes in changelogs - 3. Verify tests pass on each PR - 4. Approve and merge PRs that are safe - 5. Comment on PRs that need changes or investigation - 6. Update this issue with merge status - - ## Acceptance Criteria - - - [ ] All PRs reviewed for compatibility - - [ ] Safe PRs approved and merged - - [ ] Problematic PRs have comments explaining issues - - [ ] Project item moved to "Done" when complete - - **Note**: This issue will be automatically assigned to @copilot via the workflow's safe-output configuration. - **Project**: See the corresponding project item for tracking`, - labels: ["dependencies", "dependabot", "automation"] - }) - ``` - -2. **Link issue to project item**: After creating the issue, add it to the project using `update_project` with `content_type: "issue"` and the issue number - -### Phase 5: Create Status Update - -Create a project status update summarizing the run: - -```javascript -create_project_status_update({ - project: "https://github.com/orgs/github/projects/24060", - status: "ON_TRACK", // or "AT_RISK" if many PRs are pending - start_date: "{today}", - target_date: "{today_plus_7_days}", - body: `## Dependabot PR Summary - -**Run Date**: {timestamp} -**Repository**: ${{ github.repository }} - -### Metrics - -- **Total Open PRs**: {total_prs} -- **Bundles Created/Updated**: {bundle_count} -- **Security Updates**: {security_count} -- **Major Updates**: {major_count} -- **Minor Updates**: {minor_count} -- **Patch Updates**: {patch_count} - -### Bundles by Runtime - -{runtime_breakdown_table} - -### Next Steps - -1. Copilot agents will review assigned PR bundles -2. Safe PRs will be approved and merged -3. Items will move to "Review Required" when PRs need human review -4. Human reviewers should monitor the "Review Required" column - -### Recommendations - -{any_urgent_notes_or_recommendations} - ---- -*Automated by Dependabot Project Manager - [{workflow_name}]({run_url})*` -}) -``` - -## Bundle Format Guidelines - -When formatting PR details in bundle descriptions: - -**Use this format for each PR:** -```markdown -### {update_type_emoji} {package_name} (#{pr_number}) - -- **Current Version**: {current_version} -- **Target Version**: {target_version} -- **Update Type**: {patch/minor/major} -- **Security**: {yes/no} -- **PR Link**: {pr_url} -- **Status**: {open/approved/changes_requested} -``` - -**Update Type Emojis:** -- Security: 🔴 -- Major: 🟠 -- Minor: 🟡 -- Patch: 🟢 - -## Project Board Structure - -The workflow creates/maintains these views: - -1. **Dependabot Alerts Board** (Board layout) - - Group by: Status - - Columns: Todo, In Progress, Review Required, Done - - Shows all open PR bundles - -2. **Review Required** (Board layout) - - Filtered view showing only items in "Review Required" status - - This is where PRs ready for human review appear - - Stakeholders should monitor this view daily - -3. **All Alerts Table** (Table layout) - - Shows all PR bundles with detailed fields - - Useful for sorting and filtering by runtime, update type, or manifest - -## Status Column Workflow - -PR bundles move through these statuses: - -1. **Todo**: Newly created bundles waiting for Copilot agent -2. **In Progress**: Copilot is actively reviewing PRs -3. **Review Required**: PRs reviewed, waiting for human approval/merge decision (KEY COLUMN) -4. **Done**: All PRs reviewed and merged or closed - -## Field Definitions - -The workflow uses these custom fields (will be created if they don't exist): - -- **Status** (Single select): Todo, In Progress, Review Required, Done -- **Priority** (Single select): High, Medium, Low -- **Runtime** (Single select): npm, pip, go, maven, gradle, composer, nuget -- **Manifest** (Text): Basename of manifest file -- **PR Count** (Number): Number of PRs in bundle -- **Update Type** (Single select): Security, Major, Minor, Patch (primary type in bundle) - -## Important Notes - -1. **Required GitHub Token**: This workflow requires a special token to be configured as a secret: - - **`GH_AW_PROJECT_GITHUB_TOKEN`**: Required for GitHub Projects v2 operations - - PAT or GitHub App token with Projects (read/write) permissions - - Used by `update-project` and `create-project-status-update` safe outputs - - See: https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token - -2. **Copilot Assignment**: Issues are automatically assigned to @copilot when created via the `assignees: copilot` configuration in the `create-issue` safe output. This uses the default GitHub Actions token and requires no additional configuration. - -3. **Bundle Deduplication**: Check if a bundle already exists before creating a new one to avoid duplicates - -4. **PR Extraction**: Dependabot PR titles typically follow patterns like "Bump package-name from X.Y.Z to A.B.C in /path/to/manifest" - use these patterns to extract runtime, package, versions, and manifest paths - -5. **Human Review**: The "Review Required" status is the key handoff point between automated review and human merge decisions - -## Success Metrics - -- PR review time: Target <7 days from bundle creation to PR merge -- Bundle processing rate: >90% of bundles reviewed within 1 day -- Review Required queue: Target <5 items waiting for human review -- Merge success rate: >90% of reviewed PRs merged successfully - -## Example Outputs - -### Example Bundle Draft Issue - -```markdown -## Bundle Summary - -**Runtime**: npm -**Manifest**: package.json -**PR Count**: 3 -**Update Types**: 1 minor, 2 patch - -## PRs in This Bundle - -### 🟡 axios (#1234) - -- **Current Version**: 0.21.1 -- **Target Version**: 0.22.0 -- **Update Type**: Minor -- **Security**: No -- **PR Link**: https://github.com/github/gh-aw/pull/1234 -- **Status**: Open - -### 🟢 lodash (#1235) - -- **Current Version**: 4.17.19 -- **Target Version**: 4.17.21 -- **Update Type**: Patch -- **Security**: No -- **PR Link**: https://github.com/github/gh-aw/pull/1235 -- **Status**: Open - -### 🟢 minimist (#1236) - -- **Current Version**: 1.2.5 -- **Target Version**: 1.2.6 -- **Update Type**: Patch -- **Security**: No -- **PR Link**: https://github.com/github/gh-aw/pull/1236 -- **Status**: Open - -## Recommended Action - -1. Review each PR in the bundle -2. Check for breaking changes and compatibility issues -3. Review and approve PRs that are safe to merge -4. Test PRs locally if needed -5. Merge approved PRs or request changes -6. Move this item to "Review Required" when PRs need human review - -## Notes - -- Automated bundle created by Dependabot Project Manager -- Bundle ID: npm-package.json -- Created: 2026-02-06T16:45:00Z -``` - -### Example Status Update - -```markdown -## Dependabot PR Summary - -**Run Date**: 2026-02-06T16:45:00Z -**Repository**: github/gh-aw - -### Metrics - -- **Total Open PRs**: 12 -- **Bundles Created/Updated**: 4 -- **Security Updates**: 1 -- **Major Updates**: 0 -- **Minor Updates**: 3 -- **Patch Updates**: 8 - -### Bundles by Runtime - -| Runtime | Bundles | PRs | Primary Update Type | -|---------|---------|-----|---------------------| -| npm | 2 | 6 | Minor | -| go | 1 | 4 | Patch | -| pip | 1 | 2 | Patch | - -### Next Steps - -1. Copilot agents will review assigned PR bundles -2. Safe PRs will be approved and merged -3. Items will move to "Review Required" when PRs need human review -4. Human reviewers should monitor the "Review Required" column - -### Recommendations - -- npm bundles have minor updates - review for breaking changes -- All go and pip updates are patches - safe to merge after review -- Monitor the "Review Required" column daily for PRs needing approval - ---- -*Automated by Dependabot Project Manager - [dependabot-project-manager](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})* -``` - -## Troubleshooting - -**No PRs found**: If Dependabot returns no open PRs, create a project status update noting "No open Dependabot PRs - all dependencies are up to date" and exit successfully. - -**Project permission errors**: Ensure the `GH_AW_PROJECT_GITHUB_TOKEN` secret has Projects write permissions and is correctly configured. - -**Too many bundles**: If there are >20 bundles, prioritize by security updates and update type, and create issues for the top 20 only. Create a status update noting the overflow. - -**Duplicate bundles**: Always check if a bundle with the same runtime+manifest combination already exists before creating a new one. Update existing items instead. - -**PR parsing errors**: Dependabot PR titles follow patterns like "Bump {package} from {old} to {new} in {path}". If parsing fails, fall back to extracting information from PR files changed or body content. +- Find all open Dependabot PRs and add them to the project (up to max 50). +- Create bundle issues, each for exactly **one runtime + one manifest file** (up to max 20). +- Prioritize security updates first, then oldest PRs. If limits exceeded, create a summary issue noting overflow. +- Add bundle issues to the project, and assign them to Copilot.