Skip to content

feat: auto-discover workspaces and fix Dependabot alerts across all manifests#2163

Open
TalZaccai wants to merge 3 commits intomainfrom
talzacc/docs-workspace-support
Open

feat: auto-discover workspaces and fix Dependabot alerts across all manifests#2163
TalZaccai wants to merge 3 commits intomainfrom
talzacc/docs-workspace-support

Conversation

@TalZaccai
Copy link
Copy Markdown
Contributor

@TalZaccai TalZaccai commented Apr 8, 2026
edited
Loading

Changes

Auto-discover workspaces from Dependabot alerts

The workflow previously only processed ts/ alerts. Now it automatically discovers which workspaces have open npm alerts by querying the Dependabot API:

gh api .../dependabot/alerts?state=open \
  --jq '[.[] | select(.ecosystem == "npm") | .manifest_path | split("/")[0]] | unique'

New workspaces (e.g. docs/, python/) are picked up automatically ΓÇö no hardcoded paths to maintain.

Script: workspace-aware alert filtering

  • Derives ROOT from git root + workspace prefix via detectWorkspaceRoot(), so running from a subdirectory (e.g. ts/tools) still targets the correct workspace root (ts/)
  • Filters Dependabot alerts by manifest_path so each workspace only processes its own alerts
  • Graceful fallback if git rev-parse fails (non-git context)

Bug fixed: Previously, alerts from docs/pnpm-lock.yaml (e.g. liquidjs) were silently misclassified as "already fixed" because pnpm why found nothing in the ts/ workspace.

Workflow: unified workspace loop

  • Single loop handles all workspaces: install deps ΓåÆ analyse ΓåÆ fix per-package ΓåÆ build-verify ΓåÆ rollback on failure
  • All workspaces install uniformly inside the loop via corepack enable && pnpm install — no special-casing for ts
  • Install failures skip the workspace with a warning instead of silently continuing
  • Post-fix pnpm install uses --frozen-lockfile (plus --strict-peer-dependencies for ts) and rolls back on install failure
  • Script exit code (fix_exit) now tracked ΓÇö warns and counts failures when script exits non-zero with no file changes

Tested locally

  • Workspace discovery API returns docs and ts Γ£à
  • Script from ts/: filters to 12/15 alerts matching ts/ Γ£à
  • Script from docs/: filters to 3/15 alerts matching docs/ (liquidjs) Γ£à

@TalZaccai TalZaccai force-pushed the talzacc/docs-workspace-support branch from 07eaf4d to 184d2c4 Compare April 8, 2026 18:52
@TalZaccai TalZaccai requested a review from Copilot April 8, 2026 18:53
Copilot AI reviewed Apr 8, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Extends the Dependabot auto-fix tooling and workflow so alerts are processed per-workspace (ts/ vs docs/) instead of incorrectly treating cross-workspace alerts as already resolved.

Changes:

  • Updated the fix script to use the current working directory as the command root and filter alerts by manifest_path for the active workspace.
  • Enhanced the GitHub Actions workflow to install docs dependencies and iterate through multiple workspaces when applying fixes.
  • Adjusted PR creation gating to account for multi-workspace behavior.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.

File Description
ts/tools/scripts/fix-dependabot-alerts.mjs Uses cwd-based ROOT and filters Dependabot alerts to the current workspace based on manifest_path.
.github/workflows/fix-dependabot-alerts.yml Installs docs deps and loops over workspaces to analyze/apply/build-check fixes.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@TalZaccai TalZaccai force-pushed the talzacc/docs-workspace-support branch from 184d2c4 to 85922f6 Compare April 8, 2026 19:07
@TalZaccai TalZaccai force-pushed the talzacc/docs-workspace-support branch from 85922f6 to ad6ffc7 Compare April 8, 2026 23:52
@TalZaccai TalZaccai changed the title feat: extend Dependabot script to support docs workspace feat: auto-discover workspaces and fix Dependabot alerts across all manifests Apr 8, 2026
@TalZaccai TalZaccai requested a review from Copilot April 8, 2026 23:58
@TalZaccai
feat: extend Dependabot script to support docs workspace
7fea502 
The script now auto-detects its workspace from cwd relative to the
git root and filters alerts by manifest_path. Running from ts/ only
processes ts/ alerts; running from docs/ only processes docs/ alerts.

Previously, docs/ alerts (e.g. liquidjs) were silently misclassified
as already fixed because pnpm why found nothing in the ts/ workspace.

The workflow now includes a docs-specific step that installs docs
dependencies and runs the script from the docs/ directory.

Also changed ROOT from a hardcoded path to process.cwd() so pnpm
commands and package.json reads target the correct workspace.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@TalZaccai TalZaccai force-pushed the talzacc/docs-workspace-support branch from ad6ffc7 to 7fea502 Compare April 8, 2026 23:58
Copilot AI reviewed Apr 9, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@TalZaccai
fix: address Copilot review — ROOT alignment, install error handling,…
698c2d6 
… fix_exit tracking

- Derive ROOT from git root + workspace prefix so subdirectory runs
  (e.g. ts/tools) still target the correct workspace root
- Align fetchAlerts() wsPrefix with ROOT instead of cwd
- Fail fast on pnpm install errors for non-ts workspaces (skip with warning)
- Use --frozen-lockfile (+ --strict-peer-dependencies for ts) on post-fix install
- Roll back on install failure, not just build failure
- Track fix_exit: warn and count failures when script exits non-zero with no changes

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@TalZaccai
refactor: remove ts special-casing — all workspaces install uniformly…
9026b6e 
… in loop

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@TalZaccai TalZaccai temporarily deployed to development-fork April 9, 2026 00:14 — with GitHub Actions Inactive
@TalZaccai TalZaccai temporarily deployed to development-fork April 9, 2026 00:14 — with GitHub Actions Inactive
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@TalZaccai