fix: emit dependabot.yml without YAML anchors #27
Merged
## Root cause

The bot-generated `.github/dependabot.yml` in PR #25 was rejected by GitHub's dependabot parser:

```yaml
labels: &ref_0
  - dependencies
...
labels: *ref_0
```

`js-yaml`'s default `dump()` deduplicates repeated structures (here, the shared `['dependencies']` labels array) using YAML anchors / aliases (`&ref_0` / `*ref_0`). The construct is valid YAML, but GitHub's dependabot.yml parser does not accept it — the `.github/dependabot.yml` status check on the bot's auto-generated PRs FAILs.

## Fix

Pass `{ noRefs: true }` to `yaml.dump` in:

- `src/dependabot.js:26` — the upsert/PR path that writes the file
- `src/app.js:465` — the `/generate-dependabot` ChatOps preview block

Added a regression test (`emits dependabot.yml without YAML anchors even when labels are shared across updates`) that constructs a config with two updates sharing the same `labels` array and asserts the dumped output contains neither `&ref_` nor `*ref_`.

## Test plan

- [x] All 753 tests pass (was 752 — added 1 regression test)
- [x] eslint clean
- [ ] After merge + self-update + close-and-reopen of #25: the bot's auto-generated dependabot.yml passes GitHub's `.github/dependabot.yml` check.

## Risk & rollout

- Risk: low. Single-option change to a YAML serializer call. The output is semantically identical — only the wire format changes.
- Rollout: self-update on merge. Then close PR #25 (if still open) so the bot regenerates a clean version on the next non-bot PR cycle.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
## Root cause

The bot-generated `.github/dependabot.yml` in PR #25 was rejected by GitHub's dependabot parser because `js-yaml`'s default `dump()` deduplicates the shared `labels: ['dependencies']` array using YAML anchors (`&ref_0` / `*ref_0`). Valid YAML, invalid dependabot.yml.

## Fix

Pass `{ noRefs: true }` to `yaml.dump` in:

Regression test added: constructs a config with two updates sharing a labels array, asserts dumped output contains neither `&ref_` nor `*ref_`.

## Test plan

## Risk & rollout
🤖 Generated with Claude Code
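
A dependency-free guard for the failure described above, as an added example that is not the project's code or its regression test. `findSharedRefs` and `findAnchorTokens` are hypothetical helper names, the sample config and YAML are constructed, and the text scan is a heuristic that generalizes the PR's `&ref_` / `*ref_` substring assertion to any anchor or alias token.

```javascript
// Added example: pre- and post-serialization guards for a generated dependabot.yml.

// Walk a config object and report each path where an object/array instance
// already seen elsewhere appears again. Repeated instances are what a
// deduplicating YAML dumper turns into &ref_N / *ref_N pairs.
function findSharedRefs(root) {
  const firstSeen = new Map(); // instance -> path of its first occurrence
  const shared = [];
  (function walk(node, path) {
    if (node === null || typeof node !== 'object') return;
    if (firstSeen.has(node)) {
      shared.push({ path, sameAs: firstSeen.get(node) });
      return; // do not descend again (this also terminates on cycles)
    }
    firstSeen.set(node, path);
    for (const [key, child] of Object.entries(node)) {
      walk(child, Array.isArray(node) ? `${path}[${key}]` : `${path}.${key}`);
    }
  })(root, '$');
  return shared;
}

// Scan serialized YAML for anchor (&name) or alias (*name) tokens. Quoted
// scalars and comments are blanked first, so a label such as "R&D" or a glob
// in a comment is not flagged. Reports the first token found on each line.
function findAnchorTokens(yamlText) {
  const hits = [];
  yamlText.split('\n').forEach((line, i) => {
    const bare = line
      .replace(/"(?:\\.|[^"\\])*"|'(?:''|[^'])*'/g, m => ' '.repeat(m.length))
      .replace(/(^|\s)#.*$/, '');
    const m = bare.match(/(?:^|[\s:\-\[,{])([&*][A-Za-z0-9_-]+)(?=\s|,|\]|\}|$)/);
    if (m) hits.push({ line: i + 1, token: m[1] });
  });
  return hits;
}

// Constructed sample input: two updates sharing one labels array instance.
const labels = ['dependencies'];
const sampleConfig = {
  version: 2,
  updates: [
    { 'package-ecosystem': 'npm', directory: '/', labels },
    { 'package-ecosystem': 'github-actions', directory: '/', labels },
  ],
};
// Constructed sample output in the shape quoted in the PR description.
const sampleYaml = 'updates:\n  - labels: &ref_0\n      - dependencies\n  - labels: *ref_0\n';
```

Running `findAnchorTokens` over the generated file in CI catches the problem regardless of which serializer option produced it; `findSharedRefs` points at the config paths responsible.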