From 0cbb3dfdacb536fe4256882591272d95efdafd62 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 1 Jul 2026 10:12:29 +0000 Subject: [PATCH 1/2] chore(deps): bump yargs-parser from 21.1.1 to 22.0.0 Bumps [yargs-parser](https://github.com/yargs/yargs-parser) from 21.1.1 to 22.0.0. - [Release notes](https://github.com/yargs/yargs-parser/releases) - [Changelog](https://github.com/yargs/yargs-parser/blob/main/CHANGELOG.md) - [Commits](https://github.com/yargs/yargs-parser/compare/yargs-parser-v21.1.1...yargs-parser-v22.0.0) --- updated-dependencies: - dependency-name: yargs-parser dependency-version: 22.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- package.json | 2 +- pnpm-lock.yaml | 10 ++-------- 2 files changed, 3 insertions(+), 9 deletions(-) diff --git a/package.json b/package.json index 1834a1c..0cfd129 100644 --- a/package.json +++ b/package.json @@ -51,7 +51,7 @@ "unified": "^11.0.5", "unist-util-visit": "^5.1.0", "vercel": "^51.7.0", - "yargs-parser": "^21.1.1" + "yargs-parser": "^22.0.0" }, "devDependencies": { "@astrojs/rss": "^4.0.18", diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index af300f6..0421300 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -96,8 +96,8 @@ importers: specifier: ^51.7.0 version: 51.7.0(@emnapi/core@1.11.1)(@emnapi/runtime@1.11.1)(rollup@4.57.1)(typescript@5.8.3) yargs-parser: - specifier: ^21.1.1 - version: 21.1.1 + specifier: ^22.0.0 + version: 22.0.0 devDependencies: '@astrojs/rss': specifier: ^4.0.18 @@ -5568,10 +5568,6 @@ packages: engines: {node: '>= 14'} hasBin: true - yargs-parser@21.1.1: - resolution: {integrity: sha512-tVpsJW7DdjecAiFpbIB1e3qxIQsE6NoPc5/eTdrbbIC4h0LVsWhnoa3g+m2HclBIujHzsxZ4VJVA+GUuc2/LBw==} - engines: {node: '>=12'} - yargs-parser@22.0.0: resolution: {integrity: sha512-rwu/ClNdSMpkSrUb+d6BRsSkLUq1fmfsY6TOpYzTwvwkg1/NRG85KBy3kq++A8LKQwX6lsu+aWad+2khvuXrqw==} engines: {node: ^20.19.0 || ^22.12.0 || >=23} @@ -11784,8 +11780,6 @@ snapshots: yaml@2.4.2: optional: true - yargs-parser@21.1.1: {} - yargs-parser@22.0.0: {} yauzl-clone@1.0.4: From a701af049568c912faa2ff567b15ddb877fc99db Mon Sep 17 00:00:00 2001 From: Claude Date: Thu, 2 Jul 2026 10:14:34 +0000 Subject: [PATCH 2/2] ci: skip Vercel preview deploy for Dependabot PRs (no secrets access) Dependabot PRs run from the same repo (not a fork), so the deploy step's fork-only guard let it through even though GitHub withholds repository secrets from dependabot-actor runs. That caused deploy.mjs to fail with 'missing --token'. Treat dependabot[bot] runs the same as fork PRs: build/lint/typecheck/test still run, but preview deploy and lighthouse are skipped until a maintainer adds the 'trusted' label. Co-Authored-By: Claude Sonnet 5 --- .github/workflows/ci.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ee676d3..4072a65 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -96,7 +96,7 @@ jobs: - name: Deploy Preview to Vercel if: ${{ github.event_name != 'push' && github.event_name != 'workflow_dispatch' && - (!github.event.pull_request.head.repo.fork || + ((!github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]') || (github.event_name == 'pull_request_target' && contains(github.event.pull_request.labels.*.name, 'trusted'))) }} run: node .github/scripts/deploy.mjs --token=${{ secrets.VERCEL_TOKEN }} @@ -104,7 +104,7 @@ jobs: - name: Create GitHub Preview Deployment if: ${{ github.event_name != 'push' && github.event_name != 'workflow_dispatch' && - (!github.event.pull_request.head.repo.fork || + ((!github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]') || (github.event_name == 'pull_request_target' && contains(github.event.pull_request.labels.*.name, 'trusted'))) }} uses: chrnorm/deployment-action@500aa6a23c81ffa1acf71072aee3cfa2cc2e556a @@ -132,7 +132,7 @@ jobs: needs: build-and-deploy runs-on: ubuntu-latest if: - ${{ !github.event.pull_request.head.repo.fork || + ${{ (!github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]') || (github.event_name == 'pull_request_target' && contains(github.event.pull_request.labels.*.name, 'trusted')) }} steps: