ci(deps): automated dependency-bump workflow (scheduled, App-PR, branch-protected)#483
Merged
Superpowers skills (brainstorming, writing-plans) write specs and plans under docs/superpowers/; document that this subtree is exempt from the 'do not update docs/' rule (wiki-only) for tool-generated artifacts.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Q6YFSYL252h71BH5ZL8QqT

…plan Un-ignore docs/superpowers/** so superpowers specs/plans are versioned again, and add the dependency-bump automation design + implementation plan.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Q6YFSYL252h71BH5ZL8QqT

Minimal single-job workflow: checkout, set up Go/uv/pnpm + Go quality tools, install Claude Code CLI, vendor the bump skill from ericfitz/skills, run it headless to commit safe updates. Triggered on push to this feature branch for iteration; no push-back yet (contents: read). PR output + dispatch/schedule come in later tasks.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Q6YFSYL252h71BH5ZL8QqT

Evolve the spike into the PR output model:
- checkout with persist-credentials:false so the --dangerously-skip-permissions agent cannot push or perform GitHub writes
- agent step runs without GH_TOKEN and under a strict prompt: commit only, no push / session-completion / issue-filing / security-review / PR
- a separate step pushes the working branch via the job token and opens a PR targeting the source branch, with the skill's plan in the body
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Q6YFSYL252h71BH5ZL8QqT

…ad-only) Replace GITHUB_TOKEN writes with an ephemeral GitHub App installation token minted AFTER the agent step, so no write credential exists while the --dangerously-skip-permissions agent runs. Job permissions reduced to contents:read. App-authored PRs also trigger the repo's security gates.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Q6YFSYL252h71BH5ZL8QqT

…ily alert poll, dispatch Tasks 3-5: add a discover job that emits the target-branch matrix (main + dev/*), fan out bump as a fail-fast:false matrix (one independent PR per branch, no cross-branch ops), and add workflow_dispatch (branch input) + weekly schedule + daily Dependabot-alert poll. Fork-guarded. The push trigger is a temporary dev self-test (discover emits just this branch) and is removed before merge to main.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Q6YFSYL252h71BH5ZL8QqT

…h only) Drop the dev-only push trigger and its discover branch now that the discover/matrix path is validated. Production triggers: weekly schedule, daily alert poll, and manual workflow_dispatch (active once merged to main).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Q6YFSYL252h71BH5ZL8QqT
Adds the Claude-driven dependency-bump automation:
- .github/workflows/deps-bump.yml: weekly schedule + daily Dependabot-alert poll + manual dispatch; discover job fans out a per-branch matrix (main + dev/*); each branch bumps safe patch/minor deps via the vendored deps:bump skill, validates build/test/lint, and opens an independent PR via an ephemeral GitHub App token. Agent runs credential-less (persist-credentials:false, no GH_TOKEN); job token is read-only.
- docs/superpowers/; docs/superpowers/** un-ignored; CLAUDE.md docs/superpowers exception.
- Branch protection (main require-PR, dev/* light) already configured separately.