From b7af275eccb2e88c9aa7fed5ae2c2dd894eaa18b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 1 Jul 2026 10:12:30 +0000 Subject: [PATCH 1/2] chore(deps): bump @rollup/rollup-linux-x64-gnu from 4.9.5 to 4.62.2 Bumps [@rollup/rollup-linux-x64-gnu](https://github.com/rollup/rollup) from 4.9.5 to 4.62.2. - [Release notes](https://github.com/rollup/rollup/releases) - [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md) - [Commits](https://github.com/rollup/rollup/compare/v4.9.5...v4.62.2) --- updated-dependencies: - dependency-name: "@rollup/rollup-linux-x64-gnu" dependency-version: 4.62.2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- package.json | 2 +- pnpm-lock.yaml | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/package.json b/package.json index 1834a1c..e891c94 100644 --- a/package.json +++ b/package.json @@ -69,7 +69,7 @@ "vite": "^8.1.2" }, "optionalDependencies": { - "@rollup/rollup-linux-x64-gnu": "4.9.5" + "@rollup/rollup-linux-x64-gnu": "4.62.2" }, "pnpm": { "peerDependencyRules": { diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index af300f6..0c5d0a5 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -140,8 +140,8 @@ importers: version: 8.1.2(@types/node@22.19.21)(esbuild@0.27.7)(jiti@2.7.0)(tsx@4.21.0)(yaml@2.4.2) optionalDependencies: '@rollup/rollup-linux-x64-gnu': - specifier: 4.9.5 - version: 4.9.5 + specifier: 4.62.2 + version: 4.62.2 packages: @@ -1397,8 +1397,8 @@ packages: os: [linux] libc: [glibc] - '@rollup/rollup-linux-x64-gnu@4.9.5': - resolution: {integrity: sha512-Dq1bqBdLaZ1Gb/l2e5/+o3B18+8TI9ANlA1SkejZqDgdU/jK/ThYaMPMJpVMMXy2uRHvGKbkz9vheVGdq3cJfA==} + '@rollup/rollup-linux-x64-gnu@4.62.2': + resolution: {integrity: sha512-5BqxR/pshjey51iliyzTD5Xi3EN0aLmQ2lZ3lvefVV9c82BvrLo2/6OT55iifpWBufs6kdwWbuOKS841DrmK9A==} cpu: [x64] os: [linux] libc: [glibc] @@ -6586,7 +6586,7 @@ snapshots: '@rollup/rollup-linux-x64-gnu@4.57.1': optional: true - '@rollup/rollup-linux-x64-gnu@4.9.5': + '@rollup/rollup-linux-x64-gnu@4.62.2': optional: true '@rollup/rollup-linux-x64-musl@4.57.1': From b63d1a27356d4d59293c8dd4649788d8ca523cdf Mon Sep 17 00:00:00 2001 From: Claude Date: Thu, 2 Jul 2026 10:14:33 +0000 Subject: [PATCH 2/2] ci: skip Vercel preview deploy for Dependabot PRs (no secrets access) Dependabot PRs run from the same repo (not a fork), so the deploy step's fork-only guard let it through even though GitHub withholds repository secrets from dependabot-actor runs. That caused deploy.mjs to fail with 'missing --token'. Treat dependabot[bot] runs the same as fork PRs: build/lint/typecheck/test still run, but preview deploy and lighthouse are skipped until a maintainer adds the 'trusted' label. Co-Authored-By: Claude Sonnet 5 --- .github/workflows/ci.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ee676d3..4072a65 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -96,7 +96,7 @@ jobs: - name: Deploy Preview to Vercel if: ${{ github.event_name != 'push' && github.event_name != 'workflow_dispatch' && - (!github.event.pull_request.head.repo.fork || + ((!github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]') || (github.event_name == 'pull_request_target' && contains(github.event.pull_request.labels.*.name, 'trusted'))) }} run: node .github/scripts/deploy.mjs --token=${{ secrets.VERCEL_TOKEN }} @@ -104,7 +104,7 @@ jobs: - name: Create GitHub Preview Deployment if: ${{ github.event_name != 'push' && github.event_name != 'workflow_dispatch' && - (!github.event.pull_request.head.repo.fork || + ((!github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]') || (github.event_name == 'pull_request_target' && contains(github.event.pull_request.labels.*.name, 'trusted'))) }} uses: chrnorm/deployment-action@500aa6a23c81ffa1acf71072aee3cfa2cc2e556a @@ -132,7 +132,7 @@ jobs: needs: build-and-deploy runs-on: ubuntu-latest if: - ${{ !github.event.pull_request.head.repo.fork || + ${{ (!github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]') || (github.event_name == 'pull_request_target' && contains(github.event.pull_request.labels.*.name, 'trusted')) }} steps: