mpaulosky · mpaulosky · Apr 15, 2026 · Apr 12, 2026 · Apr 14, 2026 · Apr 14, 2026
@@ -3,7 +3,7 @@ name: Squad Heartbeat (Ralph)
 on:
   schedule:
     # Proactive polling every 30 minutes
-    - cron: '*/30 * * * *'
+    - cron: '*/15 * * * *'
 
   # React to completed work or new squad work
   issues:

@@ -0,0 +1,94 @@
+---
+name: Squad PR Auto-Label
+
+on:
+  pull_request_target:
+    types: [opened, reopened, synchronize]
+
+permissions:
+  pull-requests: write
+  contents: read
+
+jobs:
+  auto-label:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Auto-label PR for squad system
+        uses: actions/github-script@v9
+        with:
+          script: |
+            const pr = context.payload.pull_request;
+            const author = pr.user.login;
+
+            // Fetch current labels on the PR
+            const { data: currentLabels } = await github.rest.issues.listLabelsOnIssue({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: pr.number
+            });
+
+            const labelNames = currentLabels.map(l => l.name);
+
+            // Check if already has squad labels
+            const hasSquadLabel = labelNames.some(name => 
+              name === 'squad' || name.startsWith('squad:')
+            );
+
+            if (hasSquadLabel) {
+              core.info(`PR #${pr.number} already has squad label(s) — skipping`);
+              return;
+            }
+
+            let labelsToAdd = [];
+            let commentBody = '';
+
+            // Handle known automation bots
+            const knownBots = ['dependabot[bot]', 'renovate[bot]', 'github-actions[bot]'];
+            if (knownBots.includes(author)) {
+              labelsToAdd = ['squad:boromir', 'squad'];
+              commentBody = [
+                `### 🤖 Dependency Update PR`,
+                '',
+                `This PR was opened by **${author}** and has been automatically labeled for **Boromir** (DevOps) to review.`,
+                '',
+                `**Labels applied:**`,
+                `- \`squad:boromir\` — Assigned to DevOps for dependency updates`,
+                `- \`squad\` — In triage queue`,
+                '',
+                `> Dependency and infrastructure updates are owned by the DevOps team.`
+              ].join('\n');
+            } else {
+              // Handle general PRs without squad labels
+              labelsToAdd = ['squad'];
+              commentBody = [
+                `### 🏗️ PR Added to Squad Triage Queue`,
+                '',
+                `This PR has been labeled with \`squad\` and added to the triage queue.`,
+                '',
+                `**Next steps:**`,
+                `- The squad Lead will review and assign to an appropriate team member`,
+                `- A \`squad:member\` label will be added after triage`,
+                '',
+                `> If you know which squad member should handle this, you can add the appropriate \`squad:member\` label yourself.`
+              ].join('\n');
+            }
+
+            // Add labels
+            await github.rest.issues.addLabels({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: pr.number,
+              labels: labelsToAdd
+            });
+
+            core.info(`Added labels to PR #${pr.number}: ${labelsToAdd.join(', ')}`);
+
+            // Post comment
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: pr.number,
+              body: commentBody
+            });
+
+            core.info(`Posted auto-label comment on PR #${pr.number}`);
@@ -376,3 +376,41 @@ DevOps on IssueManager (.NET 10, GitHub Actions, Aspire, NuGet centralized packa
 
 **Commit:** 43d6a0d on branch `squad/108-playwright-e2e-infrastructure`
 **PR:** #111
+
+### 2026-04-12: GitHub Actions Dependency Bump (PR #115)
+
+**PR:** #115 — "chore(deps): Bump the all-actions group across 1 directory with 3 updates"
+
+**Dependency Updates:**
+- `peter-evans/create-pull-request`: v8.1.0 → v8.1.1 (patch — safe)
+- `actions/github-script`: v8 → v9 (major — verified compatible)
+- `codecov/codecov-action`: v5 → v6 (major — verified compatible)
+
+**Files Modified:** 7 workflow files in `.github/workflows/`
+- `code-metrics.yml` (create-pull-request bump)
+- `squad-heartbeat.yml`, `squad-issue-assign.yml`, `squad-label-enforce.yml`, `squad-test.yml`, `squad-triage.yml`, `sync-squad-labels.yml` (github-script v8→v9, codecov v5→v6)
+
+**CI Verification:**
+- ✅ All builds passed
+- ✅ All unit/integration/architecture tests passed
+- ✅ CodeQL passed
+- ✅ CodeCov checks passed
+- ⚠️ AppHost.Tests.E2E cancelled in matrix (pre-existing known cancellation, not blocking)
+
+**Decision:** ✅ **MERGED** via auto-merge after manual set-to-merge (Dependabot PR)
+
+**Rationale:**
+1. **Pure workflow automation** — no application code changes, only action versions
+2. **All CI green** — comprehensive test coverage confirms compatibility
+3. **Version bump nature** — patch is always safe; major bumps (github-script, codecov) have proven compatible in CI
+4. **Dependabot pattern** — Dependabot PRs are maintained daily; these are vetted version bumps
+
+**Merge Commit:** 676d76a (squash merge to main via admin override)  
+**Branch:** dependabot/github_actions/all-actions-b36ee5cd98
+
+### 2026-04-12: GitHub Actions Dependency Bump (PR #115)
+- Reviewed and merged PR #115 bumping create-pull-request, github-script, codecov
+- Major version bumps (github-script v8->v9, codecov v5->v6) validated compatible via CI execution
+- Zero app code changes (workflow YAML only); all CI checks green
+- Merged via squash; commit 676d76a
+- Decision recorded in `.squad/decisions.md`
@@ -59,3 +59,16 @@ Frontend Developer on IssueManager (.NET 10, Blazor Interactive Server Rendering
 - Old horizontal-layer structure (Handlers/, Pages/, Services/) replaced with feature-based folder organization
 - Test project renamed: Blazor.Tests → Web.Tests.Bunit (path: 	ests/Web.Tests.Bunit/)
 - All test references should use the new project name
+
+### Dependabot Lockfile Review — PR #113 (2026-04-12)
+- `src/Web/package.json` only declares Tailwind build dependencies; `picomatch` is transitive from `@parcel/watcher` in the frontend toolchain
+- Safe lockfile-only security PRs in `src/Web/` can be validated with green CI plus a clean `npm ci --ignore-scripts` run in an isolated worktree
+- Dependabot lockfile bumps may add nested wasm helper entries in `package-lock.json` without changing `package.json`; treat that as acceptable when the target package version is correct and install validation stays clean
+- AppHost E2E cancellations were present in PR #113, but the required checks for the dependency bump were green and the PR remained safe to merge
+
+### 2026-04-12: Dependabot picomatch Security Bump (PR #113)
+- Reviewed and merged PR #113 updating picomatch 4.0.3 -> 4.0.4 in src/Web/package-lock.json
+- Security patch for picomatch advisories; CI validation passed
+- Tailwind optional wasm helper entries updated as expected lockfile churn
+- Merged to main; created reusable `.squad/skills/dependabot-lockfile-review/` skill for future Web dependency reviews
+- Decision recorded in `.squad/decisions.md`