75 changes: 75 additions & 0 deletions .github/dependabot.yml
@@ -0,0 +1,75 @@
# Dependabot configuration
# - Only security updates (version updates disabled via open-pull-requests-limit: 0)
# - Dependencies grouped within each ecosystem/directory
# - 3-day minimum release age for new versions (so they can't be unpublished in NPM)
# - Labels: "dependencies" (default), language-specific (javascript/ruby/github-actions), "full-ci"
#
# Note: Root pnpm workspace (/) covers packages/react-on-rails, etc.
# Dummy apps have separate lock files and are listed explicitly.

version: 2

updates:
# NPM/PNPM packages - root workspace and dummy apps
- package-ecosystem: "npm"
directories:
- "/"
- "/react_on_rails/spec/dummy"
- "/react_on_rails_pro/spec/dummy"
schedule:
interval: "weekly"
labels:
- "dependencies"
- "javascript"
- "full-ci"
# Disable version update PRs - only security updates will be created
open-pull-requests-limit: 0
cooldown:
default-days: 3
groups:
npm-security:
applies-to: security-updates
patterns:
- "*"

# Ruby gems - Open source and Pro gems (including dummy apps)
# Root directory is not included because it reuses the Gemfile from react_on_rails
- package-ecosystem: "bundler"
directories:
- "/react_on_rails"
- "/react_on_rails/spec/dummy"
- "/react_on_rails_pro"
- "/react_on_rails_pro/spec/dummy"
- "/react_on_rails_pro/spec/execjs-compatible-dummy"
schedule:
interval: "weekly"
labels:
- "dependencies"
- "ruby"
- "full-ci"
open-pull-requests-limit: 0
cooldown:
default-days: 3
groups:
bundler-security:
applies-to: security-updates
patterns:
- "*"

# GitHub Actions
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
labels:
- "dependencies"
- "github-actions"
- "full-ci"
open-pull-requests-limit: 0
cooldown:
default-days: 3
groups:
actions-security:
applies-to: security-updates
patterns:
- "*"
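Review bot: The `cooldown:` / `default-days: 3` block in each of the three `updates` entries sits beside `open-pull-requests-limit: 0`, and the header comment presents it as a "3-day minimum release age for new versions" while also stating that only security updates are enabled. Dependabot's options reference describes `cooldown` as a version-update setting, so please confirm it has any effect on security-update PRs; if it does not, drop the three `cooldown` blocks or reword the header so nobody relies on a release-age delay that is not enforced. The parenthetical "so they can't be unpublished in NPM" also gives an npm-only rationale for a setting that is repeated on the bundler and github-actions entries; say why it is wanted there or remove it.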
49 changes: 49 additions & 0 deletions docs/MONOREPO_MERGER_PLAN.md
@@ -476,6 +476,9 @@ After the initial merge, the following CI adjustments may be needed:
- [ ] Remove empty `react_on_rails_pro/` directory
- [ ] Update all require paths in Ruby code
- [ ] Update gemspec file paths and dependencies
- [ ] **Update `.github/dependabot.yml`** to reflect final directory structure:
- Remove `/react_on_rails_pro` bundler entry (directory no longer exists)
- Update bundler directory from `/react_on_rails` to `/` (root now has both gemspecs)

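Review bot: The two sub-items under the new `.github/dependabot.yml` checklist entry only cover the `/react_on_rails` and `/react_on_rails_pro` bundler directories. The config added in this PR also lists `/react_on_rails/spec/dummy`, `/react_on_rails_pro/spec/dummy` and `/react_on_rails_pro/spec/execjs-compatible-dummy` under bundler, and `/react_on_rails_pro/spec/dummy` under npm. Add a sub-item stating where those entries move, or that they are removed, once `react_on_rails_pro/` is gone; otherwise the config will keep pointing at directories that no longer exist.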
Comment on lines +479 to 482

@coderabbitai coderabbitai bot Dec 15, 2025

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if .github/dependabot.yml exists and its content
echo "=== Checking .github/dependabot.yml ==="
if [ -f ".github/dependabot.yml" ]; then
  echo "✅ File exists"
  cat .github/dependabot.yml
else
  echo "❌ File does not exist"
fi

echo ""
echo "=== Checking for CHANGELOG file ==="
if [ -f "CHANGELOG.md" ] || [ -f "CHANGELOG.rst" ] || [ -f "CHANGELOG" ]; then
  echo "✅ CHANGELOG file exists"
  # Check if it was recently modified
  git log --oneline -1 -- CHANGELOG* 2>/dev/null || echo "Cannot determine git history"
else
  echo "❌ No CHANGELOG file found"
fi

echo ""
echo "=== Checking if docs/MONOREPO_MERGER_PLAN.md ends with newline ==="
tail -c 1 docs/MONOREPO_MERGER_PLAN.md | xxd
wc -l docs/MONOREPO_MERGER_PLAN.md

Repository: shakacode/react_on_rails

Length of output: 2475


🏁 Script executed:

#!/bin/bash
# Check the specific lines mentioned in the review (479-482) and surrounding context
echo "=== Lines 479-482 of docs/MONOREPO_MERGER_PLAN.md ==="
sed -n '475,485p' docs/MONOREPO_MERGER_PLAN.md

echo ""
echo "=== Configuration Files section (lines 747-792) ==="
sed -n '747,792p' docs/MONOREPO_MERGER_PLAN.md

Repository: shakacode/react_on_rails

Length of output: 2316


Update .github/dependabot.yml to complete Phase 6 restructuring.

The .github/dependabot.yml file exists but does not match the documented Phase 6 changes (lines 479-482). The current configuration still includes /react_on_rails_pro and /react_on_rails bundler entries, but per the Phase 6 task list it should:

  • Remove the /react_on_rails_pro bundler entry (directory no longer exists)
  • Update bundler to use only / (root now contains both gemspecs)

Sync the actual configuration file with the final state documented at lines 759-792.

🧰 Tools
🪛 LanguageTool

[uncategorized] ~479-~479: The official name of this software platform is spelled with a capital “H”.
Context: ...e paths and dependencies - [ ] Update .github/dependabot.yml to reflect final dire...

(GITHUB)

🤖 Prompt for AI Agents
In docs/MONOREPO_MERGER_PLAN.md around lines 479 to 482, the guidance to update
.github/dependabot.yml for Phase 6 isn't reflected in the repository: remove the
bundler entry referencing /react_on_rails_pro and change the bundler directory
entry from /react_on_rails to / (root now holds both gemspecs). Edit
.github/dependabot.yml to delete the obsolete /react_on_rails_pro section and
replace/update any bundler directory paths so only a single bundler entry points
to "/", ensuring the file matches the final state described in lines 759-792.

Collaborator Author

Phase 6 is not completed yet, react_on_rails_pro still exists. These are added instructions for the future.

Contributor

@alexeyr-ci2, thank you for the clarification! You're absolutely right—this documentation is providing instructions for when Phase 6 is actually implemented in the future. The task list at lines 479-482 correctly guides implementers to update .github/dependabot.yml when they execute Phase 6 and restructure the Ruby gems to their final layout.

Since react_on_rails_pro/ still exists and Phase 6 hasn't been completed yet, the current state of .github/dependabot.yml is appropriate for the current repository structure. The documentation properly prepares for the future migration step when the directory will be removed and both gemspecs will reside at the root.

The planning documentation looks good as-is! 👍


🧠 Learnings used
Learnt from: CR
Repo: shakacode/react_on_rails PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-16T03:39:07.980Z
Learning: Applies to {package.json,Rakefile,**/webpack.config.js,config/**/*.js} : Validate that no hardcoded paths need updating after resolving merge conflicts in build configuration files

Learnt from: alexeyr-ci2
Repo: shakacode/react_on_rails PR: 1732
File: spec/dummy/client/app-react16/startup/ReduxSharedStoreApp.client.jsx:40-44
Timestamp: 2025-04-26T21:55:55.874Z
Learning: In the react_on_rails project, files under `app-react16` directories are copied/moved to corresponding `/app` directories during the conversion process (removing the `-react16` suffix), which affects their relative import paths at runtime.

Learnt from: CR
Repo: shakacode/react_on_rails PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-16T03:39:07.980Z
Learning: Applies to react_on_rails_pro/**/*.{js,ts,jsx,tsx,json,css,scss} : The `react_on_rails_pro/` directory has its own Prettier/ESLint configuration and will be linted separately in CI

Learnt from: CR
Repo: shakacode/react_on_rails PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-16T03:39:07.980Z
Learning: When resolving merge conflicts, resolve logical conflicts first, verify file paths and hardcoded paths, then run `rake autofix` to auto-fix formatting

Learnt from: Romex91
Repo: shakacode/react_on_rails PR: 1697
File: package-scripts.yml:28-28
Timestamp: 2025-02-12T16:38:06.537Z
Learning: The file `node_package/lib/ReactOnRails.full.js` is autogenerated during the build process and should not be present in the repository.

Learnt from: CR
Repo: shakacode/react_on_rails PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-16T03:39:07.980Z
Learning: Exclude directories `/coverage`, `/tmp`, `/gen-examples`, `/packages/react-on-rails/lib`, `/node_modules`, and generated directories from IDE indexing to prevent slowdowns

Learnt from: CR
Repo: shakacode/react_on_rails PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-16T03:39:07.980Z
Learning: For infrastructure/config changes, comprehensively test locally using grep to find affected files, test build pipeline, run relevant specs, and lint everything before pushing

Learnt from: AbanoubGhadban
Repo: shakacode/react_on_rails PR: 1875
File: lib/react_on_rails/utils.rb:112-124
Timestamp: 2025-10-23T17:22:01.074Z
Learning: In React on Rails, when Pro is installed but not licensed, the intended behavior is to raise an error on boot. The `react_on_rails_pro?` method validates licenses and should raise errors early (including during path resolution in methods like `server_bundle?`) to enforce licensing requirements rather than failing later with obscure errors.

Learnt from: AbanoubGhadban
Repo: shakacode/react_on_rails PR: 1644
File: node_package/src/clientStartup.ts:18-21
Timestamp: 2025-02-13T16:50:47.848Z
Learning: In the react_on_rails module, the `reactOnRailsPageUnloaded` function in clientStartup.ts is intentionally kept private as it's only used internally as a callback for `onPageUnloaded`.

Learnt from: AbanoubGhadban
Repo: shakacode/react_on_rails PR: 1781
File: node_package/src/ClientSideRenderer.ts:82-95
Timestamp: 2025-09-15T21:24:48.207Z
Learning: In React on Rails, the force_load feature includes both explicit `data-force-load="true"` usage and the ability to hydrate components during the page loading state (`document.readyState === 'loading'`). Both capabilities require a Pro license, so the condition `!railsContext.rorPro && (isComponentForceLoaded || document.readyState === 'loading')` correctly gates both scenarios.

Learnt from: CR
Repo: shakacode/react_on_rails PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-16T03:39:07.980Z
Learning: Applies to CHANGELOG.md : Update `/CHANGELOG.md` for open-source features, bug fixes, breaking changes, and performance improvements

**License Compliance:**

@@ -741,6 +744,52 @@ license-compliance:
run: ruby script/check-license-compliance.rb
```

## Configuration Files

When directories are moved or renamed during the merger, the following configuration files must be updated to reflect the new structure:

| File | What to Update |
| ------------------------ | ----------------------------------------------- |
| `.github/dependabot.yml` | `directory:` entries for bundler/npm ecosystems |
| `.rubocop.yml` | Exclusion patterns |
| `eslint.config.ts` | Ignore patterns |
| `.prettierignore` | Ignored directories |
| `knip.ts` | Ignore patterns |

### Dependabot Configuration

The `.github/dependabot.yml` file configures automated security updates. It must be kept in sync with the repository structure.

**Current Configuration (Pre-Phase 6):**

```yaml
# Bundler entries
- directory: '/react_on_rails' # Open source gem
- directory: '/react_on_rails_pro' # Pro gem

# NPM entries
- directory: '/' # Root pnpm workspace
- directory: '/spec/react_on_rails/dummy-for-generators' # Yarn-based generator dummy
```

**Final Configuration (Post-Phase 6):**

```yaml
# Bundler entries
- directory: '/' # Root now contains both gemspecs

# NPM entries (unchanged)
- directory: '/'
- directory: '/spec/react_on_rails/dummy-for-generators'
```

**When to Update dependabot.yml:**

- When Gemfile locations change
- When package.json files are added/moved/removed
- When new workspaces are added
- When directories containing lock files are restructured

## Risk Management

### High-Risk Phases
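Review bot: The "Current Configuration (Pre-Phase 6)" YAML snippet does not match the `.github/dependabot.yml` added in this same PR. The file uses `directories:` lists with five bundler paths and three npm paths (`/`, `/react_on_rails/spec/dummy`, `/react_on_rails_pro/spec/dummy`), while the snippet shows two bundler `directory:` entries and an npm entry for `/spec/react_on_rails/dummy-for-generators` that the file does not contain; the github-actions entry is not mentioned at all. Since this section says the file "must be kept in sync with the repository structure", make both snippets mirror the real entries and have the table row cover `directories:` as well as `directory:`, or state explicitly that the snippets are abbreviated.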