feat: auto-discover workspaces and fix Dependabot alerts across all manifests#2163
Merged
feat: auto-discover workspaces and fix Dependabot alerts across all manifests#2163
Conversation
07eaf4d to
184d2c4
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Extends the Dependabot auto-fix tooling and workflow so alerts are processed per-workspace (ts/ vs docs/) instead of incorrectly treating cross-workspace alerts as already resolved.
Changes:
- Updated the fix script to use the current working directory as the command root and filter alerts by
manifest_pathfor the active workspace. - Enhanced the GitHub Actions workflow to install docs dependencies and iterate through multiple workspaces when applying fixes.
- Adjusted PR creation gating to account for multi-workspace behavior.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| ts/tools/scripts/fix-dependabot-alerts.mjs | Uses cwd-based ROOT and filters Dependabot alerts to the current workspace based on manifest_path. |
| .github/workflows/fix-dependabot-alerts.yml | Installs docs deps and loops over workspaces to analyze/apply/build-check fixes. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
184d2c4 to
85922f6
Compare
85922f6 to
ad6ffc7
Compare
ad6ffc7 to
7fea502
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
The script now auto-detects its workspace from cwd relative to the git root and filters alerts by manifest_path. Running from ts/ only processes ts/ alerts; running from docs/ only processes docs/ alerts. Previously, docs/ alerts (e.g. liquidjs) were silently misclassified as already fixed because pnpm why found nothing in the ts/ workspace. The workflow now includes a docs-specific step that installs docs dependencies and runs the script from the docs/ directory. Also changed ROOT from a hardcoded path to process.cwd() so pnpm commands and package.json reads target the correct workspace. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
… fix_exit tracking - Derive ROOT from git root + workspace prefix so subdirectory runs (e.g. ts/tools) still target the correct workspace root - Align fetchAlerts() wsPrefix with ROOT instead of cwd - Fail fast on pnpm install errors for non-ts workspaces (skip with warning) - Use --frozen-lockfile (+ --strict-peer-dependencies for ts) on post-fix install - Roll back on install failure, not just build failure - Track fix_exit: warn and count failures when script exits non-zero with no changes Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
… in loop Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
9026b6e to
b3c92b5
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Changes
Auto-discover workspaces from Dependabot alerts
The workflow previously only processed
ts/alerts. Now it automatically discovers which workspaces have open npm alerts by querying the Dependabot API:New workspaces (e.g.
docs/,python/) are picked up automatically ΓÇö no hardcoded paths to maintain.Script: workspace-aware alert filtering
ROOTfrom git root + workspace prefix viadetectWorkspaceRoot(), so running from a subdirectory (e.g.ts/tools) still targets the correct workspace root (ts/)manifest_pathso each workspace only processes its own alertsgit rev-parsefails (non-git context)Bug fixed: Previously, alerts from
docs/pnpm-lock.yaml(e.g. liquidjs) were silently misclassified as "already fixed" becausepnpm whyfound nothing in thets/workspace.Workflow: unified workspace loop
corepack enable && pnpm install— no special-casing fortspnpm installuses--frozen-lockfile(plus--strict-peer-dependenciesfor ts) and rolls back on install failurefix_exit) now tracked ΓÇö warns and counts failures when script exits non-zero with no file changesTested locally
docsandts✅ts/: filters to 12/15 alerts matchingts/✅docs/: filters to 3/15 alerts matchingdocs/(liquidjs) ✅