From eeec4ab4351eaf46b647759a5449be87cef49e63 Mon Sep 17 00:00:00 2001 From: Tom Conroy Date: Mon, 13 Jul 2026 22:10:55 +0200 Subject: [PATCH 1/2] CI: repair Dependabot lockfiles before npm ci Dependabot regenerates package-lock.json with npm 11, which omits nested entries npm 10 requires for optional peer deps whose hoisted version is too old. npm ci on node 22 then fails with EUSAGE 'Missing: from lock file' (this broke the fontdue-js 3.0.6 bump in example-tanstack and next-template). The new build step regenerates the lockfile with the runner's npm 10 -- valid under both npm 10 and 11 -- and pushes the fix to the Dependabot branch. No-op when the lockfile is already fine. Co-Authored-By: Claude Fable 5 --- .github/workflows/build.yml | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index fe2cd73..9cccda0 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -9,17 +9,39 @@ jobs: build: runs-on: ubuntu-latest permissions: - contents: read + # Write so the lockfile-repair step below can push to Dependabot branches. + contents: write env: # Public staging backend; nothing secret here. The app reads both names. VITE_FONTDUE_URL: https://example.fontdue.xyz PUBLIC_FONTDUE_URL: https://example.fontdue.xyz steps: - uses: actions/checkout@v4 + with: + # Dependabot PRs: check out the branch itself rather than the + # ephemeral merge ref so the lockfile repair can be pushed back. + ref: ${{ github.event.pull_request.user.login == 'dependabot[bot]' && github.event.pull_request.head.ref || '' }} - uses: actions/setup-node@v4 with: node-version: 22 cache: npm + + # Dependabot regenerates package-lock.json with a newer npm (11) that + # omits entries npm 10 (node 22, and most dev machines) requires: nested + # copies for optional peer deps whose hoisted version is too old. `npm ci` + # then fails with EUSAGE "Missing: from lock file". Regenerating + # with this runner's npm yields a lockfile both npm 10 and 11 accept. + - name: Repair Dependabot lockfile + if: github.event_name == 'pull_request' && github.event.pull_request.user.login == 'dependabot[bot]' + run: | + npm install --package-lock-only + if ! git diff --quiet package-lock.json; then + git config user.name "github-actions[bot]" + git config user.email "41898282+github-actions[bot]@users.noreply.github.com" + git commit -m "Regenerate package-lock.json with npm 10" package-lock.json + git push + fi + - run: npm ci - run: npm run build From 31717482edfda5c0dea9661daf7612979c4140d1 Mon Sep 17 00:00:00 2001 From: Tom Conroy Date: Mon, 13 Jul 2026 22:40:56 +0200 Subject: [PATCH 2/2] Gate automerge to the fontdue org These repos are public templates -- anyone who clones one inherits .github/ wholesale, and Dependabot activates automatically on push. That was fine for the update PRs and the build check, but automerge would also squash-merge fontdue-js bumps into a client's main unattended. The repository_owner check scopes unattended merges to our org; the comment tells template users how to opt in deliberately. Co-Authored-By: Claude Fable 5 --- .github/workflows/build.yml | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9cccda0..bc6ae65 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -48,9 +48,20 @@ jobs: # Dependabot opens fontdue-js bumps (see .github/dependabot.yml). `needs: build` # is what makes merging them unattended safe -- without it this would merge a # release that doesn't compile against this framework. + # + # The repository_owner check keeps unattended merges scoped to the fontdue + # org. If you cloned this repo as a starting point for your own site, you + # still get Dependabot's fontdue-js update PRs and the build check above, + # but nothing lands on your main branch without you. If you'd like updates + # to merge themselves once they build -- say your site deploys from main and + # you want font releases to flow through unattended -- change 'fontdue' to + # your own GitHub username or org. automerge: needs: build - if: github.event_name == 'pull_request' && github.event.pull_request.user.login == 'dependabot[bot]' + if: >- + github.event_name == 'pull_request' && + github.event.pull_request.user.login == 'dependabot[bot]' && + github.repository_owner == 'fontdue' runs-on: ubuntu-latest permissions: contents: write