make Dependabot guidelines and update workflow

[arii]

Upgrading Versions Guide

When upgrading dependencies like pnpm, node, or playwright, there are strict runtime contracts enforced across multiple files in the repository. Failing to update all necessary files will result in CI failures.

Dependabot

When Dependabot opens a PR to update versions, it typically only updates package.json and pnpm-lock.yaml. Since this repository has a strict runtime contract, a Dependabot PR updating pnpm or @playwright/test will fail the CI check (scripts/check-runtime-files.mjs or similar checks) until you manually add the changes in the other files.

If Dependabot fails CI because of actions/checkout or missing dependabot-specific workflow configurations, be mindful that Dependabot PRs run with read-only permissions by default unless configured properly, and they trigger pull_request events but from a fork context.
For workflows that checkout code using actions/checkout, to properly handle Dependabot PRs or PRs from forks, ensure you set repository like this:

      - name: Checkout Code
        uses: actions/checkout@v4
        with:
          repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
          fetch-depth: 0

Upgrading pnpm

When upgrading pnpm (e.g. via dependabot), you must update the version in all of the following files:

1. package.json (in the packageManager field, and engines.pnpm)
2. scripts/check-runtime-files.mjs (in expectedPnpm)
3. .github/actions/setup-node-pnpm/action.yml (in the pnpm-version input default)
4. .devcontainer/Dockerfile (in the PNPM_VERSION environment variable)

Upgrading node

When upgrading node, you must update the version in all of the following files:

1. .node-version
2. .nvmrc
3. package.json (in engines.node)
4. scripts/check-runtime-files.mjs (in expectedNodeExact and expectedNodeMajorForVercel)
5. .devcontainer/Dockerfile (in the NODE_MAJOR environment variable, if the major version changed)

Upgrading playwright

When upgrading playwright or @playwright/test, you must update the base image tag in:

1. .devcontainer/Dockerfile (e.g., mcr.microsoft.com/playwright:vX.Y.Z-noble)

The version here must match the installed version of @playwright/test to avoid issues with missing executables in CI.

Validating Changes

After making changes, always run the runtime files check locally:

pnpm run check:runtime-files

[github-actions]

🤖 Issue Quality Review

❌ Violations

• Missing spec-driven sections: Problem Statement, Goal, Non-Goals, Proposed Approach, Alternatives Considered, Architectural Impact, Scope, UNDERSTAND THE ISSUE, DETERMINE APPROACH, SPECIFY SCOPE, DEFINITION OF DONE

---

Generated by td_cli validate-issue

[google-labs-jules]

Jules is on it. When finished, you will see another comment and be able to review a PR.

[google-labs-jules]

Ready for a review! A PR has been created.

[arii]

Issue audit result

Recommendation: Blocked by another issue or PR

Reason:
Linked to open PR #2818: Add Dependabot guidelines and update workflows for fork compatibility

Remaining work:
Review and merge PR #2818

[arii]

Issue audit result

Recommendation: Blocked by another issue or PR

Reason:
Linked to open PR #2818: Add Dependabot guidelines and update workflows for fork compatibility

Remaining work:
Review and merge PR #2818

[arii]

🤖 Issue Quality Review

❌ Violations

• Missing spec-driven sections: Problem Statement, Goal, Non-Goals, Proposed Approach, Alternatives Considered, Architectural Impact, Scope, UNDERSTAND THE ISSUE, DETERMINE APPROACH, SPECIFY SCOPE, DEFINITION OF DONE

---

Generated by td_cli validate-issue

[arii]

Suggested Specification Update

This issue currently lacks the required spec-driven format. Based on the title ("make Dependabot guidelines and update workflow"), here is a proposed specification. Please review and update the issue body to align with these goals.

Problem Statement

[Please define the specific problem this issue aims to solve. Currently inferred: The need to implement make Dependabot guidelines and update workflow.]

Goal

[Please state the measurable outcome that will define success.]

Scope

• In Scope: [Define what should be done]
• Out of Scope: [Define what should be avoided]

Definition of Done

• Requirements met
• Changes verified

Once updated, this issue can be re-evaluated and prioritized.

[arii]

Suggested Specification Update

This issue currently lacks the required spec-driven format. Based on the title ("make Dependabot guidelines and update workflow"), here is a proposed specification. Please review and update the issue body to align with these goals.

Problem Statement

The issue aims to implement or fix: make Dependabot guidelines and update workflow.

Goal

Provide a measurable outcome that will define success.

Scope

• In Scope: Define what should be done.
• Out of Scope: Define what should be avoided.

Definition of Done

• Requirements met
• Changes verified

Once updated, this issue can be re-evaluated and prioritized.

[arii]

Proposed Specification

Based on an automated audit, this issue lacks the required spec-driven format. Here is a drafted specification to clarify the scope. Please review and edit the original issue body to match this structure.

Problem Statement

The current implementation related to make Dependabot guidelines and update workflow is either missing or inadequate, creating friction or violating project guidelines.

Goal

Implement make Dependabot guidelines and update workflow to resolve the problem statement and ensure repository standards are met.

Scope

• In Scope: Modifying code directly relevant to make Dependabot guidelines and update workflow.
• Out of Scope: Refactoring unrelated components or workflows.

Definition of Done

• Code changes correctly address the title requirement.
• Local tests pass successfully (pnpm run ci:local).
• Changes verified against relevant route or tool.