From 4228044d2e92c9f7195950dc2be3fd52379d06bb Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 9 May 2026 17:59:19 +0000 Subject: [PATCH 1/6] chore: plan dependabot automation updates Agent-Logs-Url: https://github.com/CastQuest/castquest-frames/sessions/22cdff67-ac95-4d66-957d-beaae2784a53 --- pnpm-lock.yaml | 152 ++++++++++++++++++++++++++----------------------- 1 file changed, 82 insertions(+), 70 deletions(-) diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 65abe20..7fb05cd 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -115,8 +115,8 @@ importers: version: 4.5.7(@types/react@19.2.14)(react@19.2.4) devDependencies: '@types/node': - specifier: ^20.17.12 - version: 20.19.37 + specifier: 20.17.12 + version: 20.17.12 '@types/react': specifier: ^19.0.0 version: 19.2.14 @@ -2135,8 +2135,8 @@ packages: '@napi-rs/wasm-runtime@0.2.12': resolution: {integrity: sha512-ZVWUcfwY4E/yPitQJl481FjFo3K22D6qF0DuFH6Y/nbnE11GY5uguDxZMGXPQ8WQ0128MXQD7TnfHyK4oWoIJQ==} - '@next/env@14.2.18': - resolution: {integrity: sha512-2vWLOUwIPgoqMJKG6dt35fVXVhgM09tw4tK3/Q34GFXDrfiHlG7iS33VA4ggnjWxjiz9KV5xzfsQzJX6vGAekA==} + '@next/env@14.2.35': + resolution: {integrity: sha512-DuhvCtj4t9Gwrx80dmz2F4t/zKQ4ktN8WrMwOuVzkJfBilwAwGr6v16M5eI8yCuZ63H9TTuEU09Iu2HqkzFPVQ==} '@next/env@15.2.4': resolution: {integrity: sha512-+SFtMgoiYP3WoSswuNmxJOCwi06TdWE733D+WPjpXIe4LXGULwEaofiiAy6kbS0+XjM5xF5n3lKuBwN2SnqD9g==} 
@@ -2144,8 +2144,8 @@ packages: '@next/eslint-plugin-next@14.2.35': resolution: {integrity: sha512-Jw9A3ICz2183qSsqwi7fgq4SBPiNfmOLmTPXKvlnzstUwyvBrtySiY+8RXJweNAs9KThb1+bYhZh9XWcNOr2zQ==} - '@next/swc-darwin-arm64@14.2.18': - resolution: {integrity: sha512-tOBlDHCjGdyLf0ube/rDUs6VtwNOajaWV+5FV/ajPgrvHeisllEdymY/oDgv2cx561+gJksfMUtqf8crug7sbA==} + '@next/swc-darwin-arm64@14.2.33': + resolution: {integrity: sha512-HqYnb6pxlsshoSTubdXKu15g3iivcbsMXg4bYpjL2iS/V6aQot+iyF4BUc2qA/J/n55YtvE4PHMKWBKGCF/+wA==} engines: {node: '>= 10'} cpu: [arm64] os: [darwin] @@ -2156,8 +2156,8 @@ packages: cpu: [arm64] os: [darwin] - '@next/swc-darwin-x64@14.2.18': - resolution: {integrity: sha512-uJCEjutt5VeJ30jjrHV1VIHCsbMYnEqytQgvREx+DjURd/fmKy15NaVK4aR/u98S1LGTnjq35lRTnRyygglxoA==} + '@next/swc-darwin-x64@14.2.33': + resolution: {integrity: sha512-8HGBeAE5rX3jzKvF593XTTFg3gxeU4f+UWnswa6JPhzaR6+zblO5+fjltJWIZc4aUalqTclvN2QtTC37LxvZAA==} engines: {node: '>= 10'} cpu: [x64] os: [darwin] @@ -2168,8 +2168,8 @@ packages: cpu: [x64] os: [darwin] - '@next/swc-linux-arm64-gnu@14.2.18': - resolution: {integrity: sha512-IL6rU8vnBB+BAm6YSWZewc+qvdL1EaA+VhLQ6tlUc0xp+kkdxQrVqAnh8Zek1ccKHlTDFRyAft0e60gteYmQ4A==} + '@next/swc-linux-arm64-gnu@14.2.33': + resolution: {integrity: sha512-JXMBka6lNNmqbkvcTtaX8Gu5by9547bukHQvPoLe9VRBx1gHwzf5tdt4AaezW85HAB3pikcvyqBToRTDA4DeLw==} engines: {node: '>= 10'} cpu: [arm64] os: [linux] @@ -2180,8 +2180,8 @@ packages: cpu: [arm64] os: [linux] - '@next/swc-linux-arm64-musl@14.2.18': - resolution: {integrity: sha512-RCaENbIZqKKqTlL8KNd+AZV/yAdCsovblOpYFp0OJ7ZxgLNbV5w23CUU1G5On+0fgafrsGcW+GdMKdFjaRwyYA==} + '@next/swc-linux-arm64-musl@14.2.33': + resolution: {integrity: sha512-Bm+QulsAItD/x6Ih8wGIMfRJy4G73tu1HJsrccPW6AfqdZd0Sfm5Imhgkgq2+kly065rYMnCOxTBvmvFY1BKfg==} engines: {node: '>= 10'} cpu: [arm64] os: [linux] 
@@ -2192,8 +2192,8 @@ packages: cpu: [arm64] os: [linux] - '@next/swc-linux-x64-gnu@14.2.18': - resolution: {integrity: sha512-3kmv8DlyhPRCEBM1Vavn8NjyXtMeQ49ID0Olr/Sut7pgzaQTo4h01S7Z8YNE0VtbowyuAL26ibcz0ka6xCTH5g==} + '@next/swc-linux-x64-gnu@14.2.33': + resolution: {integrity: sha512-FnFn+ZBgsVMbGDsTqo8zsnRzydvsGV8vfiWwUo1LD8FTmPTdV+otGSWKc4LJec0oSexFnCYVO4hX8P8qQKaSlg==} engines: {node: '>= 10'} cpu: [x64] os: [linux] @@ -2204,8 +2204,8 @@ packages: cpu: [x64] os: [linux] - '@next/swc-linux-x64-musl@14.2.18': - resolution: {integrity: sha512-mliTfa8seVSpTbVEcKEXGjC18+TDII8ykW4a36au97spm9XMPqQTpdGPNBJ9RySSFw9/hLuaCMByluQIAnkzlw==} + '@next/swc-linux-x64-musl@14.2.33': + resolution: {integrity: sha512-345tsIWMzoXaQndUTDv1qypDRiebFxGYx9pYkhwY4hBRaOLt8UGfiWKr9FSSHs25dFIf8ZqIFaPdy5MljdoawA==} engines: {node: '>= 10'} cpu: [x64] os: [linux] @@ -2216,8 +2216,8 @@ packages: cpu: [x64] os: [linux] - '@next/swc-win32-arm64-msvc@14.2.18': - resolution: {integrity: sha512-J5g0UFPbAjKYmqS3Cy7l2fetFmWMY9Oao32eUsBPYohts26BdrMUyfCJnZFQkX9npYaHNDOWqZ6uV9hSDPw9NA==} + '@next/swc-win32-arm64-msvc@14.2.33': + resolution: {integrity: sha512-nscpt0G6UCTkrT2ppnJnFsYbPDQwmum4GNXYTeoTIdsmMydSKFz9Iny2jpaRupTb+Wl298+Rh82WKzt9LCcqSQ==} engines: {node: '>= 10'} cpu: [arm64] os: [win32] 
@@ -2228,14 +2228,14 @@ packages: cpu: [arm64] os: [win32] - '@next/swc-win32-ia32-msvc@14.2.18': - resolution: {integrity: sha512-Ynxuk4ZgIpdcN7d16ivJdjsDG1+3hTvK24Pp8DiDmIa2+A4CfhJSEHHVndCHok6rnLUzAZD+/UOKESQgTsAZGg==} + '@next/swc-win32-ia32-msvc@14.2.33': + resolution: {integrity: sha512-pc9LpGNKhJ0dXQhZ5QMmYxtARwwmWLpeocFmVG5Z0DzWq5Uf0izcI8tLc+qOpqxO1PWqZ5A7J1blrUIKrIFc7Q==} engines: {node: '>= 10'} cpu: [ia32] os: [win32] - '@next/swc-win32-x64-msvc@14.2.18': - resolution: {integrity: sha512-dtRGMhiU9TN5nyhwzce+7c/4CCeykYS+ipY/4mIrGzJ71+7zNo55ZxCB7cAVuNqdwtYniFNR2c9OFQ6UdFIMcg==} + '@next/swc-win32-x64-msvc@14.2.33': + resolution: {integrity: sha512-nOjfZMy8B94MdisuzZo9/57xuFVLHJaDj5e/xrduJp9CV2/HrfxTRH2fbyLe+K9QT41WBLUd4iXX3R7jBp0EUg==} engines: {node: '>= 10'} cpu: [x64] os: [win32] @@ -3565,6 +3565,9 @@ packages: '@types/node@20.10.6': resolution: {integrity: sha512-Vac8H+NlRNNlAmDfGUP7b5h/KA+AtWIzuXy0E6OyP8f1tCLYAtPvKRRDJjAPqhpCb0t6U2j7/xqAuLEebW2kiw==} + '@types/node@20.17.12': + resolution: {integrity: sha512-vo/wmBgMIiEA23A/knMfn/cf37VnuF52nZh5ZoW0GWt4e4sxNquibrMRJ7UQsA06+MBx9r/H1jsI9grYjQCQlw==} + '@types/node@20.19.37': resolution: {integrity: sha512-8kzdPJ3FsNsVIurqBs7oodNnCEVbni9yUEkaHbgptDACOPW04jimGagZ51E6+lXUwJjgnBw+hyko/lkFWCldqw==} @@ -7420,10 +7423,9 @@ packages: next-tick@1.1.0: resolution: {integrity: sha512-CXdUiJembsNjuToQvxayPZF9Vqht7hewsvy2sOWafLvi2awflj9mOC6bHIg50orX8IJvWKY9wYQ/zB2kogPslQ==} - next@14.2.18: - resolution: {integrity: sha512-H9qbjDuGivUDEnK6wa+p2XKO+iMzgVgyr9Zp/4Iv29lKa+DYaxJGjOeEA+5VOvJh/M7HLiskehInSa0cWxVXUw==} + next@14.2.35: + resolution: {integrity: sha512-KhYd2Hjt/O1/1aZVX3dCwGXM1QmOV4eNM2UTacK5gipDdPN/oHHK/4oVGy7X8GMfPMsUTUEmGlsy0EY1YGAkig==} engines: {node: '>=18.17.0'} - deprecated: This version has a security vulnerability. Please upgrade to a patched version. See https://nextjs.org/blog/security-update-2025-12-11 for more details. hasBin: true peerDependencies: '@opentelemetry/api': ^1.1.0 
@@ -9367,6 +9369,9 @@ packages: undici-types@5.26.5: resolution: {integrity: sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA==} + undici-types@6.19.8: + resolution: {integrity: sha512-ve2KP6f/JnbPBFyobGHuerC9g1FYGn/F8n1LWTwNxCEzd6IfqTwUQcNXgEtmmQ6DlRrC1hrSrBnCZPokRrDHjw==} + undici-types@6.21.0: resolution: {integrity: sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ==} @@ -9578,6 +9583,7 @@ packages: uuid@7.0.3: resolution: {integrity: sha512-DPSke0pXhTZgoF/d+WSt2QaKMCFSfx7QegxEWT+JOuHF5aWrKEn0G+ztjuJg/gG8/ItK+rbPCD/yNv8yyih6Cg==} + deprecated: uuid@10 and below is no longer supported. For ESM codebases, update to uuid@latest. For CommonJS codebases, use uuid@11 (but be aware this version will likely be deprecated in 2028). hasBin: true uuid@8.3.2: @@ -12380,14 +12386,14 @@ snapshots: dependencies: '@jest/fake-timers': 29.7.0 '@jest/types': 29.6.3 - '@types/node': 20.19.37 + '@types/node': 20.17.12 jest-mock: 29.7.0 '@jest/fake-timers@29.7.0': dependencies: '@jest/types': 29.6.3 '@sinonjs/fake-timers': 10.3.0 - '@types/node': 20.19.37 + '@types/node': 20.17.12 jest-message-util: 29.7.0 jest-mock: 29.7.0 jest-util: 29.7.0 @@ -12400,7 +12406,7 @@ snapshots: dependencies: '@types/istanbul-lib-coverage': 2.0.6 '@types/istanbul-reports': 3.0.4 - '@types/node': 20.19.37 + '@types/node': 20.17.12 '@types/yargs': 15.0.20 chalk: 4.1.2 @@ -12409,7 +12415,7 @@ snapshots: '@jest/schemas': 29.6.3 '@types/istanbul-lib-coverage': 2.0.6 '@types/istanbul-reports': 3.0.4 - '@types/node': 20.19.37 + '@types/node': 20.17.12 '@types/yargs': 17.0.35 chalk: 4.1.2 @@ -12655,7 +12661,7 @@ snapshots: '@tybys/wasm-util': 0.10.1 optional: true - '@next/env@14.2.18': {} + '@next/env@14.2.35': {} '@next/env@15.2.4': {} 
@@ -12663,52 +12669,52 @@ snapshots: dependencies: glob: 10.3.10 - '@next/swc-darwin-arm64@14.2.18': + '@next/swc-darwin-arm64@14.2.33': optional: true '@next/swc-darwin-arm64@15.2.4': optional: true - '@next/swc-darwin-x64@14.2.18': + '@next/swc-darwin-x64@14.2.33': optional: true '@next/swc-darwin-x64@15.2.4': optional: true - '@next/swc-linux-arm64-gnu@14.2.18': + '@next/swc-linux-arm64-gnu@14.2.33': optional: true '@next/swc-linux-arm64-gnu@15.2.4': optional: true - '@next/swc-linux-arm64-musl@14.2.18': + '@next/swc-linux-arm64-musl@14.2.33': optional: true '@next/swc-linux-arm64-musl@15.2.4': optional: true - '@next/swc-linux-x64-gnu@14.2.18': + '@next/swc-linux-x64-gnu@14.2.33': optional: true '@next/swc-linux-x64-gnu@15.2.4': optional: true - '@next/swc-linux-x64-musl@14.2.18': + '@next/swc-linux-x64-musl@14.2.33': optional: true '@next/swc-linux-x64-musl@15.2.4': optional: true - '@next/swc-win32-arm64-msvc@14.2.18': + '@next/swc-win32-arm64-msvc@14.2.33': optional: true '@next/swc-win32-arm64-msvc@15.2.4': optional: true - '@next/swc-win32-ia32-msvc@14.2.18': + '@next/swc-win32-ia32-msvc@14.2.33': optional: true - '@next/swc-win32-x64-msvc@14.2.18': + '@next/swc-win32-x64-msvc@14.2.33': optional: true '@next/swc-win32-x64-msvc@15.2.4': @@ -14809,24 +14815,24 @@ snapshots: '@types/bcrypt@5.0.2': dependencies: - '@types/node': 20.19.37 + '@types/node': 20.17.12 '@types/bcryptjs@2.4.6': {} '@types/body-parser@1.19.6': dependencies: '@types/connect': 3.4.38 - '@types/node': 20.19.37 + '@types/node': 20.17.12 '@types/connect@3.4.38': dependencies: - '@types/node': 20.19.37 + '@types/node': 20.17.12 '@types/cookie@0.4.1': {} '@types/cors@2.8.19': dependencies: - '@types/node': 20.19.37 + '@types/node': 20.17.12 '@types/d3-array@3.2.2': {} @@ -14860,7 +14866,7 @@ snapshots: '@types/express-serve-static-core@4.19.8': dependencies: - '@types/node': 20.19.37 + '@types/node': 20.17.12 '@types/qs': 6.14.0 '@types/range-parser': 1.2.7 '@types/send': 1.2.1 
@@ -14895,7 +14901,7 @@ snapshots: '@types/jsonwebtoken@9.0.10': dependencies: '@types/ms': 2.1.0 - '@types/node': 20.19.37 + '@types/node': 20.17.12 '@types/linkify-it@5.0.0': {} @@ -14922,6 +14928,10 @@ snapshots: dependencies: undici-types: 5.26.5 + '@types/node@20.17.12': + dependencies: + undici-types: 6.19.8 + '@types/node@20.19.37': dependencies: undici-types: 6.21.0 @@ -14929,13 +14939,13 @@ snapshots: '@types/nodemailer@6.4.21': dependencies: '@aws-sdk/client-ses': 3.975.0 - '@types/node': 20.19.37 + '@types/node': 20.17.12 transitivePeerDependencies: - aws-crt '@types/pg@8.16.0': dependencies: - '@types/node': 20.19.37 + '@types/node': 20.17.12 pg-protocol: 1.11.0 pg-types: 2.2.0 @@ -14967,16 +14977,16 @@ snapshots: '@types/send@0.17.6': dependencies: '@types/mime': 1.3.5 - '@types/node': 20.19.37 + '@types/node': 20.17.12 '@types/send@1.2.1': dependencies: - '@types/node': 20.19.37 + '@types/node': 20.17.12 '@types/serve-static@1.15.10': dependencies: '@types/http-errors': 2.0.5 - '@types/node': 20.19.37 + '@types/node': 20.17.12 '@types/send': 0.17.6 '@types/stack-utils@2.0.3': {} @@ -14993,11 +15003,11 @@ snapshots: '@types/ws@7.4.7': dependencies: - '@types/node': 20.19.37 + '@types/node': 20.17.12 '@types/ws@8.18.1': dependencies: - '@types/node': 20.19.37 + '@types/node': 20.17.12 '@types/yargs-parser@21.0.3': {} @@ -16768,7 +16778,7 @@ snapshots: chrome-launcher@0.15.2: dependencies: - '@types/node': 20.19.37 + '@types/node': 20.17.12 escape-string-regexp: 4.0.0 is-wsl: 2.2.0 lighthouse-logger: 1.4.2 @@ -16777,7 +16787,7 @@ snapshots: chromium-edge-launcher@1.0.0: dependencies: - '@types/node': 20.19.37 + '@types/node': 20.17.12 escape-string-regexp: 4.0.0 is-wsl: 2.2.0 lighthouse-logger: 1.4.2 @@ -19034,7 +19044,7 @@ snapshots: '@jest/environment': 29.7.0 '@jest/fake-timers': 29.7.0 '@jest/types': 29.6.3 - '@types/node': 20.19.37 + '@types/node': 20.17.12 jest-mock: 29.7.0 jest-util: 29.7.0 
@@ -19055,13 +19065,13 @@ snapshots: jest-mock@29.7.0: dependencies: '@jest/types': 29.6.3 - '@types/node': 20.19.37 + '@types/node': 20.17.12 jest-util: 29.7.0 jest-util@29.7.0: dependencies: '@jest/types': 29.6.3 - '@types/node': 20.19.37 + '@types/node': 20.17.12 chalk: 4.1.2 ci-info: 3.9.0 graceful-fs: 4.2.11 @@ -19078,7 +19088,7 @@ snapshots: jest-worker@29.7.0: dependencies: - '@types/node': 20.19.37 + '@types/node': 20.17.12 jest-util: 29.7.0 merge-stream: 2.0.0 supports-color: 8.1.1 @@ -19896,9 +19906,9 @@ snapshots: next-tick@1.1.0: {} - next@14.2.18(@babel/core@7.28.6)(react-dom@18.2.0(react@18.2.0))(react@18.2.0): + next@14.2.35(@babel/core@7.28.6)(react-dom@18.2.0(react@18.2.0))(react@18.2.0): dependencies: - '@next/env': 14.2.18 + '@next/env': 14.2.35 '@swc/helpers': 0.5.5 busboy: 1.6.0 caniuse-lite: 1.0.30001766 @@ -19908,15 +19918,15 @@ snapshots: react-dom: 18.2.0(react@18.2.0) styled-jsx: 5.1.1(@babel/core@7.28.6)(react@18.2.0) optionalDependencies: - '@next/swc-darwin-arm64': 14.2.18 - '@next/swc-darwin-x64': 14.2.18 - '@next/swc-linux-arm64-gnu': 14.2.18 - '@next/swc-linux-arm64-musl': 14.2.18 - '@next/swc-linux-x64-gnu': 14.2.18 - '@next/swc-linux-x64-musl': 14.2.18 - '@next/swc-win32-arm64-msvc': 14.2.18 - '@next/swc-win32-ia32-msvc': 14.2.18 - '@next/swc-win32-x64-msvc': 14.2.18 + '@next/swc-darwin-arm64': 14.2.33 + '@next/swc-darwin-x64': 14.2.33 + '@next/swc-linux-arm64-gnu': 14.2.33 + '@next/swc-linux-arm64-musl': 14.2.33 + '@next/swc-linux-x64-gnu': 14.2.33 + '@next/swc-linux-x64-musl': 14.2.33 + '@next/swc-win32-arm64-msvc': 14.2.33 + '@next/swc-win32-ia32-msvc': 14.2.33 + '@next/swc-win32-x64-msvc': 14.2.33 transitivePeerDependencies: - '@babel/core' - babel-plugin-macros @@ -20696,7 +20706,7 @@ snapshots: '@protobufjs/path': 1.1.2 '@protobufjs/pool': 1.1.0 '@protobufjs/utf8': 1.1.0 - '@types/node': 20.19.37 + '@types/node': 20.17.12 long: 5.3.2 proxy-addr@2.0.7: 
@@ -22172,6 +22182,8 @@ snapshots: undici-types@5.26.5: {} + undici-types@6.19.8: {} + undici-types@6.21.0: {} undici-types@7.19.1: {} From 78c3b04414f808737f57e21446d88c5fe10eb709 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 9 May 2026 18:00:22 +0000 Subject: [PATCH 2/6] chore: add dependabot automation workflows and ci security scan Agent-Logs-Url: https://github.com/CastQuest/castquest-frames/sessions/22cdff67-ac95-4d66-957d-beaae2784a53 --- .github/dependabot.yml | 26 ++++ .github/workflows/ci.yml | 17 +++ .github/workflows/dependabot-automerge.yml | 45 ++++++ pnpm-lock.yaml | 152 ++++++++++----------- 4 files changed, 158 insertions(+), 82 deletions(-) create mode 100644 .github/dependabot.yml create mode 100644 .github/workflows/dependabot-automerge.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..f7e0e1f --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,26 @@ +version: 2 +updates: + - package-ecosystem: "npm" + directory: "/" + schedule: + interval: "daily" + time: "04:00" + timezone: "UTC" + open-pull-requests-limit: 10 + rebase-strategy: "auto" + groups: + production-dependencies: + dependency-type: "production" + update-types: ["patch", "minor"] + development-dependencies: + dependency-type: "development" + update-types: ["patch", "minor"] + major-updates: + dependency-type: "production" + update-types: ["major"] + labels: + - "dependencies" + - "dependabot" + commit-message: + prefix: "chore(deps)" + prefix-development: "chore(deps-dev)" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d68d5e9..2769896 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -4,6 +4,10 @@ on: pull_request: push: +permissions: + contents: read + security-events: write + jobs: ci: runs-on: ubuntu-latest 
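Review bot: In the new `.github/dependabot.yml`, only the `npm` ecosystem is listed under `updates`, so the actions this series introduces (`aquasecurity/trivy-action`, `github/codeql-action/upload-sarif`, `dependabot/fetch-metadata`, `actions/checkout`) will get no update PRs. A second entry with `package-ecosystem: "github-actions"`, `directory: "/"` and its own `schedule` would cover them. A comment above `groups:` naming which groups the companion auto-merge workflow is expected to merge unattended would also help, because the grouping and the merge policy live in different files.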
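Review bot: In `.github/workflows/ci.yml` (hunk `@@ -4,6 +4,10 @@`), `security-events: write` is granted at workflow level, so it applies to every job and step in the workflow rather than only to the scan upload. Keeping `permissions: contents: read` at the top and moving the scan and upload into a separate job that declares `security-events: write` would follow least privilege. It is also worth confirming the behaviour on pull requests from forks, where the token is normally read-only regardless of this block, so the SARIF upload would probably fail unless it is skipped there. The `jobs:` body continues outside this hunk.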
@@ -21,6 +25,19 @@ jobs: - name: Install dependencies run: pnpm install --frozen-lockfile + - name: Dependency Security Scan + uses: aquasecurity/trivy-action@master + with: + scan-type: 'fs' + ignore-unfixed: true + format: 'sarif' + output: 'trivy-results.sarif' + + - name: Upload Trivy results + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: 'trivy-results.sarif' + - name: Install Foundry uses: foundry-rs/foundry-toolchain@v1 with: diff --git a/.github/workflows/dependabot-automerge.yml b/.github/workflows/dependabot-automerge.yml new file mode 100644 index 0000000..83649dc --- /dev/null +++ b/.github/workflows/dependabot-automerge.yml @@ -0,0 +1,45 @@ +name: Dependabot Auto-Merge & Self-Heal + +on: + pull_request: + types: [opened, synchronize, reopened] + +permissions: + contents: write + pull-requests: write + checks: read + +jobs: + dependabot: + runs-on: ubuntu-latest + if: ${{ github.actor == 'dependabot[bot]' }} + steps: + - uses: actions/checkout@v4 + with: + token: ${{ secrets.GITHUB_TOKEN }} + + - name: Fetch metadata + id: metadata + uses: dependabot/fetch-metadata@v2 + with: + github-token: "${{ secrets.GITHUB_TOKEN }}" + + - name: Auto-approve safe updates + run: gh pr review --approve "$PR_URL" + env: + PR_URL: ${{ github.event.pull_request.html_url }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Auto-merge patch & minor + if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor' + run: gh pr merge --auto --squash "$PR_URL" + env: + PR_URL: ${{ github.event.pull_request.html_url }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Flag major updates for review + if: steps.metadata.outputs.update-type == 'version-update:semver-major' + run: gh pr edit "$PR_URL" --add-label "major-update,needs-review" + env: + PR_URL: ${{ github.event.pull_request.html_url }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
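Review bot: The `Dependency Security Scan` step in `.github/workflows/ci.yml` sets neither `exit-code` nor `severity`, so as far as I can tell it is report-only: findings go into the SARIF file and the job stays green. If the scan is meant to gate merges (the workflow added in this commit uses `gh pr merge --auto`), add `exit-code: '1'` and a threshold such as `severity: 'CRITICAL,HIGH'` under `with:`. This matters here because the lockfile section of the same commit moves `next` back to 14.2.18, an entry that carries a deprecation notice about a security vulnerability, and a report-only scan would not block that. The step list continues outside the hunk.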
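Review bot: In the new `.github/workflows/dependabot-automerge.yml`, the job gate `github.actor == 'dependabot[bot]'` checks who triggered the run, not who authored the pull request; `github.event.pull_request.user.login == 'dependabot[bot]'` ties the gate to the PR author and is the safer condition for a job holding `contents: write` and `pull-requests: write`. The `actions/checkout@v4` step looks unnecessary, since the later steps only call `gh` with `$PR_URL`, and dropping it avoids checking out PR content in a job with a write-capable token. `gh pr merge --auto` only waits for checks when the base branch has required status checks, which is not visible here, so a header comment stating that dependency would help. `checks: read` does not appear to be used by any step.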
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 7fb05cd..65abe20 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -115,8 +115,8 @@ importers: version: 4.5.7(@types/react@19.2.14)(react@19.2.4) devDependencies: '@types/node': - specifier: 20.17.12 - version: 20.17.12 + specifier: ^20.17.12 + version: 20.19.37 '@types/react': specifier: ^19.0.0 version: 19.2.14 @@ -2135,8 +2135,8 @@ packages: '@napi-rs/wasm-runtime@0.2.12': resolution: {integrity: sha512-ZVWUcfwY4E/yPitQJl481FjFo3K22D6qF0DuFH6Y/nbnE11GY5uguDxZMGXPQ8WQ0128MXQD7TnfHyK4oWoIJQ==} - '@next/env@14.2.35': - resolution: {integrity: sha512-DuhvCtj4t9Gwrx80dmz2F4t/zKQ4ktN8WrMwOuVzkJfBilwAwGr6v16M5eI8yCuZ63H9TTuEU09Iu2HqkzFPVQ==} + '@next/env@14.2.18': + resolution: {integrity: sha512-2vWLOUwIPgoqMJKG6dt35fVXVhgM09tw4tK3/Q34GFXDrfiHlG7iS33VA4ggnjWxjiz9KV5xzfsQzJX6vGAekA==} '@next/env@15.2.4': resolution: {integrity: sha512-+SFtMgoiYP3WoSswuNmxJOCwi06TdWE733D+WPjpXIe4LXGULwEaofiiAy6kbS0+XjM5xF5n3lKuBwN2SnqD9g==} @@ -2144,8 +2144,8 @@ packages: '@next/eslint-plugin-next@14.2.35': resolution: {integrity: sha512-Jw9A3ICz2183qSsqwi7fgq4SBPiNfmOLmTPXKvlnzstUwyvBrtySiY+8RXJweNAs9KThb1+bYhZh9XWcNOr2zQ==} - '@next/swc-darwin-arm64@14.2.33': - resolution: {integrity: sha512-HqYnb6pxlsshoSTubdXKu15g3iivcbsMXg4bYpjL2iS/V6aQot+iyF4BUc2qA/J/n55YtvE4PHMKWBKGCF/+wA==} + '@next/swc-darwin-arm64@14.2.18': + resolution: {integrity: sha512-tOBlDHCjGdyLf0ube/rDUs6VtwNOajaWV+5FV/ajPgrvHeisllEdymY/oDgv2cx561+gJksfMUtqf8crug7sbA==} engines: {node: '>= 10'} cpu: [arm64] os: [darwin] @@ -2156,8 +2156,8 @@ packages: cpu: [arm64] os: [darwin] - '@next/swc-darwin-x64@14.2.33': - resolution: {integrity: sha512-8HGBeAE5rX3jzKvF593XTTFg3gxeU4f+UWnswa6JPhzaR6+zblO5+fjltJWIZc4aUalqTclvN2QtTC37LxvZAA==} + '@next/swc-darwin-x64@14.2.18': + resolution: {integrity: sha512-uJCEjutt5VeJ30jjrHV1VIHCsbMYnEqytQgvREx+DjURd/fmKy15NaVK4aR/u98S1LGTnjq35lRTnRyygglxoA==} engines: {node: '>= 10'} cpu: [x64] os: [darwin] 
@@ -2168,8 +2168,8 @@ packages: cpu: [x64] os: [darwin] - '@next/swc-linux-arm64-gnu@14.2.33': - resolution: {integrity: sha512-JXMBka6lNNmqbkvcTtaX8Gu5by9547bukHQvPoLe9VRBx1gHwzf5tdt4AaezW85HAB3pikcvyqBToRTDA4DeLw==} + '@next/swc-linux-arm64-gnu@14.2.18': + resolution: {integrity: sha512-IL6rU8vnBB+BAm6YSWZewc+qvdL1EaA+VhLQ6tlUc0xp+kkdxQrVqAnh8Zek1ccKHlTDFRyAft0e60gteYmQ4A==} engines: {node: '>= 10'} cpu: [arm64] os: [linux] @@ -2180,8 +2180,8 @@ packages: cpu: [arm64] os: [linux] - '@next/swc-linux-arm64-musl@14.2.33': - resolution: {integrity: sha512-Bm+QulsAItD/x6Ih8wGIMfRJy4G73tu1HJsrccPW6AfqdZd0Sfm5Imhgkgq2+kly065rYMnCOxTBvmvFY1BKfg==} + '@next/swc-linux-arm64-musl@14.2.18': + resolution: {integrity: sha512-RCaENbIZqKKqTlL8KNd+AZV/yAdCsovblOpYFp0OJ7ZxgLNbV5w23CUU1G5On+0fgafrsGcW+GdMKdFjaRwyYA==} engines: {node: '>= 10'} cpu: [arm64] os: [linux] @@ -2192,8 +2192,8 @@ packages: cpu: [arm64] os: [linux] - '@next/swc-linux-x64-gnu@14.2.33': - resolution: {integrity: sha512-FnFn+ZBgsVMbGDsTqo8zsnRzydvsGV8vfiWwUo1LD8FTmPTdV+otGSWKc4LJec0oSexFnCYVO4hX8P8qQKaSlg==} + '@next/swc-linux-x64-gnu@14.2.18': + resolution: {integrity: sha512-3kmv8DlyhPRCEBM1Vavn8NjyXtMeQ49ID0Olr/Sut7pgzaQTo4h01S7Z8YNE0VtbowyuAL26ibcz0ka6xCTH5g==} engines: {node: '>= 10'} cpu: [x64] os: [linux] @@ -2204,8 +2204,8 @@ packages: cpu: [x64] os: [linux] - '@next/swc-linux-x64-musl@14.2.33': - resolution: {integrity: sha512-345tsIWMzoXaQndUTDv1qypDRiebFxGYx9pYkhwY4hBRaOLt8UGfiWKr9FSSHs25dFIf8ZqIFaPdy5MljdoawA==} + '@next/swc-linux-x64-musl@14.2.18': + resolution: {integrity: sha512-mliTfa8seVSpTbVEcKEXGjC18+TDII8ykW4a36au97spm9XMPqQTpdGPNBJ9RySSFw9/hLuaCMByluQIAnkzlw==} engines: {node: '>= 10'} cpu: [x64] os: [linux] 
@@ -2216,8 +2216,8 @@ packages: cpu: [x64] os: [linux] - '@next/swc-win32-arm64-msvc@14.2.33': - resolution: {integrity: sha512-nscpt0G6UCTkrT2ppnJnFsYbPDQwmum4GNXYTeoTIdsmMydSKFz9Iny2jpaRupTb+Wl298+Rh82WKzt9LCcqSQ==} + '@next/swc-win32-arm64-msvc@14.2.18': + resolution: {integrity: sha512-J5g0UFPbAjKYmqS3Cy7l2fetFmWMY9Oao32eUsBPYohts26BdrMUyfCJnZFQkX9npYaHNDOWqZ6uV9hSDPw9NA==} engines: {node: '>= 10'} cpu: [arm64] os: [win32] @@ -2228,14 +2228,14 @@ packages: cpu: [arm64] os: [win32] - '@next/swc-win32-ia32-msvc@14.2.33': - resolution: {integrity: sha512-pc9LpGNKhJ0dXQhZ5QMmYxtARwwmWLpeocFmVG5Z0DzWq5Uf0izcI8tLc+qOpqxO1PWqZ5A7J1blrUIKrIFc7Q==} + '@next/swc-win32-ia32-msvc@14.2.18': + resolution: {integrity: sha512-Ynxuk4ZgIpdcN7d16ivJdjsDG1+3hTvK24Pp8DiDmIa2+A4CfhJSEHHVndCHok6rnLUzAZD+/UOKESQgTsAZGg==} engines: {node: '>= 10'} cpu: [ia32] os: [win32] - '@next/swc-win32-x64-msvc@14.2.33': - resolution: {integrity: sha512-nOjfZMy8B94MdisuzZo9/57xuFVLHJaDj5e/xrduJp9CV2/HrfxTRH2fbyLe+K9QT41WBLUd4iXX3R7jBp0EUg==} + '@next/swc-win32-x64-msvc@14.2.18': + resolution: {integrity: sha512-dtRGMhiU9TN5nyhwzce+7c/4CCeykYS+ipY/4mIrGzJ71+7zNo55ZxCB7cAVuNqdwtYniFNR2c9OFQ6UdFIMcg==} engines: {node: '>= 10'} cpu: [x64] os: [win32] @@ -3565,9 +3565,6 @@ packages: '@types/node@20.10.6': resolution: {integrity: sha512-Vac8H+NlRNNlAmDfGUP7b5h/KA+AtWIzuXy0E6OyP8f1tCLYAtPvKRRDJjAPqhpCb0t6U2j7/xqAuLEebW2kiw==} - '@types/node@20.17.12': - resolution: {integrity: sha512-vo/wmBgMIiEA23A/knMfn/cf37VnuF52nZh5ZoW0GWt4e4sxNquibrMRJ7UQsA06+MBx9r/H1jsI9grYjQCQlw==} - '@types/node@20.19.37': resolution: {integrity: sha512-8kzdPJ3FsNsVIurqBs7oodNnCEVbni9yUEkaHbgptDACOPW04jimGagZ51E6+lXUwJjgnBw+hyko/lkFWCldqw==} 
@@ -7423,9 +7420,10 @@ packages: next-tick@1.1.0: resolution: {integrity: sha512-CXdUiJembsNjuToQvxayPZF9Vqht7hewsvy2sOWafLvi2awflj9mOC6bHIg50orX8IJvWKY9wYQ/zB2kogPslQ==} - next@14.2.35: - resolution: {integrity: sha512-KhYd2Hjt/O1/1aZVX3dCwGXM1QmOV4eNM2UTacK5gipDdPN/oHHK/4oVGy7X8GMfPMsUTUEmGlsy0EY1YGAkig==} + next@14.2.18: + resolution: {integrity: sha512-H9qbjDuGivUDEnK6wa+p2XKO+iMzgVgyr9Zp/4Iv29lKa+DYaxJGjOeEA+5VOvJh/M7HLiskehInSa0cWxVXUw==} engines: {node: '>=18.17.0'} + deprecated: This version has a security vulnerability. Please upgrade to a patched version. See https://nextjs.org/blog/security-update-2025-12-11 for more details. hasBin: true peerDependencies: '@opentelemetry/api': ^1.1.0 @@ -9369,9 +9367,6 @@ packages: undici-types@5.26.5: resolution: {integrity: sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA==} - undici-types@6.19.8: - resolution: {integrity: sha512-ve2KP6f/JnbPBFyobGHuerC9g1FYGn/F8n1LWTwNxCEzd6IfqTwUQcNXgEtmmQ6DlRrC1hrSrBnCZPokRrDHjw==} - undici-types@6.21.0: resolution: {integrity: sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ==} @@ -9583,7 +9578,6 @@ packages: uuid@7.0.3: resolution: {integrity: sha512-DPSke0pXhTZgoF/d+WSt2QaKMCFSfx7QegxEWT+JOuHF5aWrKEn0G+ztjuJg/gG8/ItK+rbPCD/yNv8yyih6Cg==} - deprecated: uuid@10 and below is no longer supported. For ESM codebases, update to uuid@latest. For CommonJS codebases, use uuid@11 (but be aware this version will likely be deprecated in 2028). hasBin: true uuid@8.3.2: @@ -12386,14 +12380,14 @@ snapshots: dependencies: '@jest/fake-timers': 29.7.0 '@jest/types': 29.6.3 - '@types/node': 20.17.12 + '@types/node': 20.19.37 jest-mock: 29.7.0 '@jest/fake-timers@29.7.0': dependencies: '@jest/types': 29.6.3 '@sinonjs/fake-timers': 10.3.0 - '@types/node': 20.17.12 + '@types/node': 20.19.37 jest-message-util: 29.7.0 jest-mock: 29.7.0 jest-util: 29.7.0 
@@ -12406,7 +12400,7 @@ snapshots: dependencies: '@types/istanbul-lib-coverage': 2.0.6 '@types/istanbul-reports': 3.0.4 - '@types/node': 20.17.12 + '@types/node': 20.19.37 '@types/yargs': 15.0.20 chalk: 4.1.2 @@ -12415,7 +12409,7 @@ snapshots: '@jest/schemas': 29.6.3 '@types/istanbul-lib-coverage': 2.0.6 '@types/istanbul-reports': 3.0.4 - '@types/node': 20.17.12 + '@types/node': 20.19.37 '@types/yargs': 17.0.35 chalk: 4.1.2 @@ -12661,7 +12655,7 @@ snapshots: '@tybys/wasm-util': 0.10.1 optional: true - '@next/env@14.2.35': {} + '@next/env@14.2.18': {} '@next/env@15.2.4': {} @@ -12669,52 +12663,52 @@ snapshots: dependencies: glob: 10.3.10 - '@next/swc-darwin-arm64@14.2.33': + '@next/swc-darwin-arm64@14.2.18': optional: true '@next/swc-darwin-arm64@15.2.4': optional: true - '@next/swc-darwin-x64@14.2.33': + '@next/swc-darwin-x64@14.2.18': optional: true '@next/swc-darwin-x64@15.2.4': optional: true - '@next/swc-linux-arm64-gnu@14.2.33': + '@next/swc-linux-arm64-gnu@14.2.18': optional: true '@next/swc-linux-arm64-gnu@15.2.4': optional: true - '@next/swc-linux-arm64-musl@14.2.33': + '@next/swc-linux-arm64-musl@14.2.18': optional: true '@next/swc-linux-arm64-musl@15.2.4': optional: true - '@next/swc-linux-x64-gnu@14.2.33': + '@next/swc-linux-x64-gnu@14.2.18': optional: true '@next/swc-linux-x64-gnu@15.2.4': optional: true - '@next/swc-linux-x64-musl@14.2.33': + '@next/swc-linux-x64-musl@14.2.18': optional: true '@next/swc-linux-x64-musl@15.2.4': optional: true - '@next/swc-win32-arm64-msvc@14.2.33': + '@next/swc-win32-arm64-msvc@14.2.18': optional: true '@next/swc-win32-arm64-msvc@15.2.4': optional: true - '@next/swc-win32-ia32-msvc@14.2.33': + '@next/swc-win32-ia32-msvc@14.2.18': optional: true - '@next/swc-win32-x64-msvc@14.2.33': + '@next/swc-win32-x64-msvc@14.2.18': optional: true '@next/swc-win32-x64-msvc@15.2.4': 
@@ -14815,24 +14809,24 @@ snapshots: '@types/bcrypt@5.0.2': dependencies: - '@types/node': 20.17.12 + '@types/node': 20.19.37 '@types/bcryptjs@2.4.6': {} '@types/body-parser@1.19.6': dependencies: '@types/connect': 3.4.38 - '@types/node': 20.17.12 + '@types/node': 20.19.37 '@types/connect@3.4.38': dependencies: - '@types/node': 20.17.12 + '@types/node': 20.19.37 '@types/cookie@0.4.1': {} '@types/cors@2.8.19': dependencies: - '@types/node': 20.17.12 + '@types/node': 20.19.37 '@types/d3-array@3.2.2': {} @@ -14866,7 +14860,7 @@ snapshots: '@types/express-serve-static-core@4.19.8': dependencies: - '@types/node': 20.17.12 + '@types/node': 20.19.37 '@types/qs': 6.14.0 '@types/range-parser': 1.2.7 '@types/send': 1.2.1 @@ -14901,7 +14895,7 @@ snapshots: '@types/jsonwebtoken@9.0.10': dependencies: '@types/ms': 2.1.0 - '@types/node': 20.17.12 + '@types/node': 20.19.37 '@types/linkify-it@5.0.0': {} @@ -14928,10 +14922,6 @@ snapshots: dependencies: undici-types: 5.26.5 - '@types/node@20.17.12': - dependencies: - undici-types: 6.19.8 - '@types/node@20.19.37': dependencies: undici-types: 6.21.0 @@ -14939,13 +14929,13 @@ snapshots: '@types/nodemailer@6.4.21': dependencies: '@aws-sdk/client-ses': 3.975.0 - '@types/node': 20.17.12 + '@types/node': 20.19.37 transitivePeerDependencies: - aws-crt '@types/pg@8.16.0': dependencies: - '@types/node': 20.17.12 + '@types/node': 20.19.37 pg-protocol: 1.11.0 pg-types: 2.2.0 @@ -14977,16 +14967,16 @@ snapshots: '@types/send@0.17.6': dependencies: '@types/mime': 1.3.5 - '@types/node': 20.17.12 + '@types/node': 20.19.37 '@types/send@1.2.1': dependencies: - '@types/node': 20.17.12 + '@types/node': 20.19.37 '@types/serve-static@1.15.10': dependencies: '@types/http-errors': 2.0.5 - '@types/node': 20.17.12 + '@types/node': 20.19.37 '@types/send': 0.17.6 '@types/stack-utils@2.0.3': {} 
@@ -15003,11 +14993,11 @@ snapshots: '@types/ws@7.4.7': dependencies: - '@types/node': 20.17.12 + '@types/node': 20.19.37 '@types/ws@8.18.1': dependencies: - '@types/node': 20.17.12 + '@types/node': 20.19.37 '@types/yargs-parser@21.0.3': {} @@ -16778,7 +16768,7 @@ snapshots: chrome-launcher@0.15.2: dependencies: - '@types/node': 20.17.12 + '@types/node': 20.19.37 escape-string-regexp: 4.0.0 is-wsl: 2.2.0 lighthouse-logger: 1.4.2 @@ -16787,7 +16777,7 @@ snapshots: chromium-edge-launcher@1.0.0: dependencies: - '@types/node': 20.17.12 + '@types/node': 20.19.37 escape-string-regexp: 4.0.0 is-wsl: 2.2.0 lighthouse-logger: 1.4.2 @@ -19044,7 +19034,7 @@ snapshots: '@jest/environment': 29.7.0 '@jest/fake-timers': 29.7.0 '@jest/types': 29.6.3 - '@types/node': 20.17.12 + '@types/node': 20.19.37 jest-mock: 29.7.0 jest-util: 29.7.0 @@ -19065,13 +19055,13 @@ snapshots: jest-mock@29.7.0: dependencies: '@jest/types': 29.6.3 - '@types/node': 20.17.12 + '@types/node': 20.19.37 jest-util: 29.7.0 jest-util@29.7.0: dependencies: '@jest/types': 29.6.3 - '@types/node': 20.17.12 + '@types/node': 20.19.37 chalk: 4.1.2 ci-info: 3.9.0 graceful-fs: 4.2.11 @@ -19088,7 +19078,7 @@ snapshots: jest-worker@29.7.0: dependencies: - '@types/node': 20.17.12 + '@types/node': 20.19.37 jest-util: 29.7.0 merge-stream: 2.0.0 supports-color: 8.1.1 @@ -19906,9 +19896,9 @@ snapshots: next-tick@1.1.0: {} - next@14.2.35(@babel/core@7.28.6)(react-dom@18.2.0(react@18.2.0))(react@18.2.0): + next@14.2.18(@babel/core@7.28.6)(react-dom@18.2.0(react@18.2.0))(react@18.2.0): dependencies: - '@next/env': 14.2.35 + '@next/env': 14.2.18 '@swc/helpers': 0.5.5 busboy: 1.6.0 caniuse-lite: 1.0.30001766 
@@ -19918,15 +19908,15 @@ snapshots: react-dom: 18.2.0(react@18.2.0) styled-jsx: 5.1.1(@babel/core@7.28.6)(react@18.2.0) optionalDependencies: - '@next/swc-darwin-arm64': 14.2.33 - '@next/swc-darwin-x64': 14.2.33 - '@next/swc-linux-arm64-gnu': 14.2.33 - '@next/swc-linux-arm64-musl': 14.2.33 - '@next/swc-linux-x64-gnu': 14.2.33 - '@next/swc-linux-x64-musl': 14.2.33 - '@next/swc-win32-arm64-msvc': 14.2.33 - '@next/swc-win32-ia32-msvc': 14.2.33 - '@next/swc-win32-x64-msvc': 14.2.33 + '@next/swc-darwin-arm64': 14.2.18 + '@next/swc-darwin-x64': 14.2.18 + '@next/swc-linux-arm64-gnu': 14.2.18 + '@next/swc-linux-arm64-musl': 14.2.18 + '@next/swc-linux-x64-gnu': 14.2.18 + '@next/swc-linux-x64-musl': 14.2.18 + '@next/swc-win32-arm64-msvc': 14.2.18 + '@next/swc-win32-ia32-msvc': 14.2.18 + '@next/swc-win32-x64-msvc': 14.2.18 transitivePeerDependencies: - '@babel/core' - babel-plugin-macros @@ -20706,7 +20696,7 @@ snapshots: '@protobufjs/path': 1.1.2 '@protobufjs/pool': 1.1.0 '@protobufjs/utf8': 1.1.0 - '@types/node': 20.17.12 + '@types/node': 20.19.37 long: 5.3.2 proxy-addr@2.0.7: @@ -22182,8 +22172,6 @@ snapshots: undici-types@5.26.5: {} - undici-types@6.19.8: {} - undici-types@6.21.0: {} undici-types@7.19.1: {} From 6c5ca465a536946ee30c9a40b8b27f9c7cf71662 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 9 May 2026 18:01:34 +0000 Subject: [PATCH 3/6] chore: harden dependabot and ci automation workflow rules Agent-Logs-Url: https://github.com/CastQuest/castquest-frames/sessions/22cdff67-ac95-4d66-957d-beaae2784a53 --- .github/dependabot.yml | 3 +++ .github/workflows/ci.yml | 3 ++- .github/workflows/dependabot-automerge.yml | 1 + 3 files changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index f7e0e1f..43fc29f 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
@@ -18,6 +18,9 @@ updates: major-updates: dependency-type: "production" update-types: ["major"] + major-development-updates: + dependency-type: "development" + update-types: ["major"] labels: - "dependencies" - "dependabot" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2769896..7771cd6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -26,7 +26,7 @@ jobs: run: pnpm install --frozen-lockfile - name: Dependency Security Scan - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@0.28.0 with: scan-type: 'fs' ignore-unfixed: true @@ -34,6 +34,7 @@ jobs: output: 'trivy-results.sarif' - name: Upload Trivy results + if: always() uses: github/codeql-action/upload-sarif@v3 with: sarif_file: 'trivy-results.sarif' diff --git a/.github/workflows/dependabot-automerge.yml b/.github/workflows/dependabot-automerge.yml index 83649dc..b3538c0 100644 --- a/.github/workflows/dependabot-automerge.yml +++ b/.github/workflows/dependabot-automerge.yml @@ -25,6 +25,7 @@ jobs: github-token: "${{ secrets.GITHUB_TOKEN }}" - name: Auto-approve safe updates + if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor' run: gh pr review --approve "$PR_URL" env: PR_URL: ${{ github.event.pull_request.html_url }} From 011647b177d05735792d658817ee7fef1a20368c Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 9 May 2026 18:04:03 +0000 Subject: [PATCH 4/6] chore(ci): bump trivy action to 0.35.0 Agent-Logs-Url: https://github.com/CastQuest/castquest-frames/sessions/22cdff67-ac95-4d66-957d-beaae2784a53 --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7771cd6..6062760 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -26,7 +26,7 @@ jobs: run: pnpm install --frozen-lockfile - name: Dependency Security Scan - uses: aquasecurity/trivy-action@0.28.0 + uses: aquasecurity/trivy-action@0.35.0 with: scan-type: 'fs' ignore-unfixed: true From 0b67b97864690e2eb42fd6da605b553359f22ab9 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 9 May 2026 18:05:02 +0000 Subject: [PATCH 5/6] chore(ci): harden dependabot merge gates and sarif upload condition Agent-Logs-Url: https://github.com/CastQuest/castquest-frames/sessions/22cdff67-ac95-4d66-957d-beaae2784a53 --- .github/workflows/ci.yml | 2 +- .github/workflows/dependabot-automerge.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6062760..d4c9f08 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -34,7 +34,7 @@ jobs: output: 'trivy-results.sarif' - name: Upload Trivy results - if: always() + if: success() || failure() uses: github/codeql-action/upload-sarif@v3 with: sarif_file: 'trivy-results.sarif' diff --git a/.github/workflows/dependabot-automerge.yml b/.github/workflows/dependabot-automerge.yml index b3538c0..67b985d 100644 --- a/.github/workflows/dependabot-automerge.yml +++ b/.github/workflows/dependabot-automerge.yml 
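Review bot: The `Upload Trivy results` step in ci.yml now runs after any earlier failure, including one that happens before the scan has written `trivy-results.sarif`; in that case the upload would presumably fail on a missing file and add a second, misleading red step. I would guard on the file as well: `if: (success() || failure()) && hashFiles('trivy-results.sarif') != ''`. The job's `permissions:` block is outside the hunk; upload-sarif needs `security-events: write`, so confirm it is granted there.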
@@ -25,14 +25,14 @@ jobs: github-token: "${{ secrets.GITHUB_TOKEN }}" - name: Auto-approve safe updates - if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor' + if: (steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor') && github.event.pull_request.mergeable_state == 'clean' run: gh pr review --approve "$PR_URL" env: PR_URL: ${{ github.event.pull_request.html_url }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Auto-merge patch & minor - if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor' + if: (steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor') && github.event.pull_request.mergeable_state == 'clean' run: gh pr merge --auto --squash "$PR_URL" env: PR_URL: ${{ github.event.pull_request.html_url }} From 09183d1d54b76360400aa3f2670a151ae9ad5b41 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 9 May 2026 18:46:58 +0000 Subject: [PATCH 6/6] chore(ci): address PR review feedback on dependabot workflow and action pinning Agent-Logs-Url: https://github.com/CastQuest/castquest-frames/sessions/96fa1fdf-9e20-4a24-97a1-54690ca25e32 --- .github/workflows/ci.yml | 4 ++-- .github/workflows/dependabot-automerge.yml | 12 ++++-------- 2 files changed, 6 insertions(+), 10 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d4c9f08..bede4e0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
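Review bot: The `github.event.pull_request.mergeable_state == 'clean'` clause added to both the approve and the merge step reads a snapshot from the event payload, taken when the event fired. On `opened` and `synchronize` GitHub has usually not finished computing mergeability and no checks have run yet, so the field is commonly `unknown` and both steps would be skipped for every update. `gh pr merge --auto` already defers the merge until the base branch's requirements are met, so this gate belongs in branch protection (required checks) rather than in the expression. If an in-workflow check is still wanted, query the pull request's current state at run time instead of the payload.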
@@ -26,7 +26,7 @@ jobs: run: pnpm install --frozen-lockfile - name: Dependency Security Scan - uses: aquasecurity/trivy-action@0.35.0 + uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 with: scan-type: 'fs' ignore-unfixed: true @@ -35,7 +35,7 @@ jobs: - name: Upload Trivy results if: success() || failure() - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@7fd177fa680c9881b53cdab4d346d32574c9f7f4 # v3 with: sarif_file: 'trivy-results.sarif' diff --git a/.github/workflows/dependabot-automerge.yml b/.github/workflows/dependabot-automerge.yml index 67b985d..40e6fe4 100644 --- a/.github/workflows/dependabot-automerge.yml +++ b/.github/workflows/dependabot-automerge.yml @@ -1,7 +1,7 @@ name: Dependabot Auto-Merge & Self-Heal on: - pull_request: + pull_request_target: types: [opened, synchronize, reopened] permissions: @@ -14,10 +14,6 @@ jobs: runs-on: ubuntu-latest if: ${{ github.actor == 'dependabot[bot]' }} steps: - - uses: actions/checkout@v4 - with: - token: ${{ secrets.GITHUB_TOKEN }} - - name: Fetch metadata id: metadata uses: dependabot/fetch-metadata@v2 
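Review bot: The trailing comments on the two new SHA pins in ci.yml are the only thing a later reader can check the hash against, and `# v3` on `upload-sarif` names a moving major tag, so it does not say which release that commit is. Record the exact release there (`# v3.x.y`, placeholder) and confirm the trivy-action hash resolves to the upstream tag; the ref it replaces was written `0.35.0` while the comment says `v0.35.0`. Dependabot can keep SHA pins and their version comments current only if the `github-actions` ecosystem is configured in dependabot.yml, which is not visible here.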
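Review bot: Switching dependabot-automerge.yml to `pull_request_target` leaves the context line `if: ${{ github.actor == 'dependabot[bot]' }}` as the only gate between an arbitrary pull request and a job that runs with the base repository's token. `github.actor` is whoever triggered the run, not the author of the pull request, so it is the weaker check; `if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}` ties the gate to the pull request itself. Dropping the checkout step is the right companion change for this trigger, since nothing from the PR head is executed. `dependabot/fetch-metadata@v2` is still referenced by tag in this job, unlike the actions this commit pins by SHA in ci.yml. The `permissions:` block is cut off by the hunk, so check that it grants no more than the `gh pr` calls need.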
@@ -25,14 +21,14 @@ jobs: github-token: "${{ secrets.GITHUB_TOKEN }}" - name: Auto-approve safe updates - if: (steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor') && github.event.pull_request.mergeable_state == 'clean' + if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor' run: gh pr review --approve "$PR_URL" env: PR_URL: ${{ github.event.pull_request.html_url }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Auto-merge patch & minor - if: (steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor') && github.event.pull_request.mergeable_state == 'clean' + if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor' run: gh pr merge --auto --squash "$PR_URL" env: PR_URL: ${{ github.event.pull_request.html_url }} @@ -40,7 +36,7 @@ jobs: - name: Flag major updates for review if: steps.metadata.outputs.update-type == 'version-update:semver-major' - run: gh pr edit "$PR_URL" --add-label "major-update,needs-review" + run: gh pr edit "$PR_URL" --add-label "major-update" --add-label "needs-review" env: PR_URL: ${{ github.event.pull_request.html_url }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
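Review bot: With the `mergeable_state` clause removed, the `Auto-approve safe updates` and `Auto-merge patch & minor` steps no longer wait for anything inside the workflow; `gh pr merge --auto` holds the merge only for requirements configured on the base branch. Required status checks on that branch (including the CI job that runs the Trivy scan) are therefore a precondition of this file, and it should say so above the merge step, for example `# Relies on branch protection: required checks must pass before --auto merges.` Branch protection is not visible from this diff, so confirm it before relying on the workflow. Note also that a `version-update:semver-minor` bump of a 0.x dependency may be breaking, which argues for keeping the test job among the required checks.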