diff --git a/.claude/skills/dependabot-pr-automation/SKILL.md b/.claude/skills/dependabot-pr-automation/SKILL.md new file mode 100644 index 000000000..ad22943d0 --- /dev/null +++ b/.claude/skills/dependabot-pr-automation/SKILL.md @@ -0,0 +1,98 @@ +--- +name: dependabot-pr-automation +description: Reviews open Dependabot pull requests, assesses their risk level based on version bump type and CI status, approves low-risk PRs, and merges them. Use when asked to process, review, merge, or triage Dependabot PRs. +allowed-tools: + - Bash + - Read + - WebFetch + - mcp__github__list_pull_requests + - mcp__github__get_pull_request + - mcp__github__get_pull_request_files + - mcp__github__get_pull_request_status + - mcp__github__create_pull_request_review + - mcp__github__merge_pull_request +--- + +# Dependabot PR Automation for chainloop + +This skill reviews open Dependabot pull requests, assesses their risk, approves safe ones, and merges them. + +## Repository Info + +| Item | Value | +|------|-------| +| Owner | `chainloop-dev` | +| Repo | `chainloop` | + +## Step 1: List Open Dependabot PRs + +Use `mcp__github__list_pull_requests` to fetch open PRs: + +- `owner`: `chainloop-dev` +- `repo`: `chainloop` +- `state`: `open` + +Filter the results to only include PRs authored by `dependabot[bot]`. Collect each PR's number, title, head branch, and labels. + +If there are no open Dependabot PRs, report that and stop. + +## Step 2: Assess Risk for Each PR + +For each Dependabot PR, determine the risk level using these criteria: + +### 2a. Parse Version Bump from PR Title + +Dependabot PR titles follow the pattern: `Bump from to `. Extract the old and new versions and classify the bump: + +| Bump Type | Risk Level | Criteria | +|-----------|------------|----------| +| **Patch** (x.x.OLD → x.x.NEW) | Low | Only the patch segment changed | +| **Minor** (x.OLD.x → x.NEW.x) | Medium | The minor segment changed | +| **Major** (OLD.x.x → NEW.x.x) | High | The major segment changed | + +### 2b. Check CI / Check Status + +Use `mcp__github__get_pull_request_status` to retrieve the CI check status for each PR. A PR is considered CI-passing only if all checks have concluded with a success state. + +### 2c. Inspect the Diff + +Use `mcp__github__get_pull_request_files` to review the files changed. Flag any PR that modifies unexpected files beyond dependency manifests (`go.mod`, `go.sum`, `package.json`, `yarn.lock`, `Dockerfile*`, `.github/workflows/*`). + +### 2d. Identify Dependency Scope + +- **Development-only** (test frameworks, linters, dev tools) → Lower risk +- **Production** (runtime dependencies) → Higher risk +- **GitHub Actions** (workflow dependencies) → Typically low risk for minor/patch bumps + +### 2e. Final Risk Matrix + +| Version Bump | CI Passing | Only Manifest Files | Final Risk | Action | +|-------------|------------|---------------------|------------|--------| +| Patch | Yes | Yes | **Low** | Auto-approve and merge | +| Patch | No | Yes | **Medium** | Approve but do not merge | +| Minor | Yes | Yes | **Medium** | Auto-approve and merge | +| Minor | Yes | No | **High** | Do not approve | +| Minor | No | * | **High** | Do not approve | +| Major | * | * | **High** | Do not approve | + +GitHub Actions patch and minor bumps with passing CI → **Low** risk. + +## Step 3: Approve Eligible PRs + +Use `mcp__github__create_pull_request_review` with `event: APPROVE` for eligible PRs. + +## Step 4: Merge Approved PRs + +Use `mcp__github__merge_pull_request` with `merge_method: squash`. If the merge fails, note the failure and continue. + +## Step 5: Report Results + +After processing all PRs, produce a summary table showing merged, approved-pending, flagged, and errored PRs. + +## Important Notes + +- Never force-merge. +- Respect branch protection rules. +- Go module PRs may need `go mod tidy` after merge. +- Process oldest-first to avoid dependency tree conflicts. +- Security-labeled PRs should be prioritized; treat security patch/minor bumps as Low risk if CI passes.