From d9bc9ba5d524762c46922e54967ce2eb5ae56cc5 Mon Sep 17 00:00:00 2001 From: Tom Conroy Date: Mon, 13 Jul 2026 22:11:00 +0200 Subject: [PATCH 1/2] CI: repair Dependabot lockfiles before npm ci Dependabot regenerates package-lock.json with npm 11, which omits nested entries npm 10 requires for optional peer deps whose hoisted version is too old. npm ci on node 22 then fails with EUSAGE 'Missing: from lock file' (this broke the fontdue-js 3.0.6 bump in example-tanstack and next-template). The new build step regenerates the lockfile with the runner's npm 10 -- valid under both npm 10 and 11 -- and pushes the fix to the Dependabot branch. No-op when the lockfile is already fine. Co-Authored-By: Claude Fable 5 --- .github/workflows/build.yml | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 5706605..e8681ad 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -9,16 +9,38 @@ jobs: build: runs-on: ubuntu-latest permissions: - contents: read + # Write so the lockfile-repair step below can push to Dependabot branches. + contents: write env: # Public staging backend; nothing secret here. VITE_FONTDUE_URL: https://example.fontdue.xyz steps: - uses: actions/checkout@v4 + with: + # Dependabot PRs: check out the branch itself rather than the + # ephemeral merge ref so the lockfile repair can be pushed back. + ref: ${{ github.event.pull_request.user.login == 'dependabot[bot]' && github.event.pull_request.head.ref || '' }} - uses: actions/setup-node@v4 with: node-version: 22 cache: npm + + # Dependabot regenerates package-lock.json with a newer npm (11) that + # omits entries npm 10 (node 22, and most dev machines) requires: nested + # copies for optional peer deps whose hoisted version is too old. `npm ci` + # then fails with EUSAGE "Missing: from lock file". Regenerating + # with this runner's npm yields a lockfile both npm 10 and 11 accept. + - name: Repair Dependabot lockfile + if: github.event_name == 'pull_request' && github.event.pull_request.user.login == 'dependabot[bot]' + run: | + npm install --package-lock-only + if ! git diff --quiet package-lock.json; then + git config user.name "github-actions[bot]" + git config user.email "41898282+github-actions[bot]@users.noreply.github.com" + git commit -m "Regenerate package-lock.json with npm 10" package-lock.json + git push + fi + - run: npm ci - run: npm run build From 2e60c3cfa0dd7a5efb1ad7414311e6dfba88c42b Mon Sep 17 00:00:00 2001 From: Tom Conroy Date: Mon, 13 Jul 2026 22:41:00 +0200 Subject: [PATCH 2/2] Gate automerge to the fontdue org These repos are public templates -- anyone who clones one inherits .github/ wholesale, and Dependabot activates automatically on push. That was fine for the update PRs and the build check, but automerge would also squash-merge fontdue-js bumps into a client's main unattended. The repository_owner check scopes unattended merges to our org; the comment tells template users how to opt in deliberately. Co-Authored-By: Claude Fable 5 --- .github/workflows/build.yml | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e8681ad..50eb32f 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -47,9 +47,20 @@ jobs: # Dependabot opens fontdue-js bumps (see .github/dependabot.yml). `needs: build` # is what makes merging them unattended safe -- without it this would merge a # release that doesn't compile against this framework. + # + # The repository_owner check keeps unattended merges scoped to the fontdue + # org. If you cloned this repo as a starting point for your own site, you + # still get Dependabot's fontdue-js update PRs and the build check above, + # but nothing lands on your main branch without you. If you'd like updates + # to merge themselves once they build -- say your site deploys from main and + # you want font releases to flow through unattended -- change 'fontdue' to + # your own GitHub username or org. automerge: needs: build - if: github.event_name == 'pull_request' && github.event.pull_request.user.login == 'dependabot[bot]' + if: >- + github.event_name == 'pull_request' && + github.event.pull_request.user.login == 'dependabot[bot]' && + github.repository_owner == 'fontdue' runs-on: ubuntu-latest permissions: contents: write