Dependabot automatic review #774
base: master
Conversation
pylipp
left a comment
curious how the copilot review turns out :)
| run: | | ||
| git fetch origin ${{ github.event.pull_request.base.ref }} | ||
| echo "Getting diff between base and head..." | ||
| git diff origin/${{ github.event.pull_request.base.ref }}...HEAD > pr_diff.txt |
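Review bot: `${{ github.event.pull_request.base.ref }}` is expanded into the shell script text before it runs, so a ref containing shell metacharacters would alter the `git fetch` and `git diff` commands; exposure is limited because the base branch must already exist in this repository, but the standard hardening costs nothing: pass the value through `env:` and quote it, e.g. `env: { BASE_REF: ${{ github.event.pull_request.base.ref }} }` then `git fetch origin "$BASE_REF"` and `git diff "origin/$BASE_REF...HEAD" > pr_diff.txt`. The three-dot diff also needs the merge base of the two refs, which a depth-1 checkout (actions/checkout's default) does not guarantee is present; fetch with enough depth or set `fetch-depth: 0`.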
Seems like the output of this step isn't used anywhere, instead detailed diffs and changed files are directly searched for in the analyze-step below.
| Based on the dropapp codebase, please test: | ||
| 1. **PHP Syntax Check**: \`vendor/bin/parallel-lint --exclude vendor .\` | ||
| 2. **Code Formatting**: \`php vendor/friendsofphp/php-cs-fixer/php-cs-fixer fix . --dry-run --rules @PhpCsFixer\` |
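Review bot: passing `--rules @PhpCsFixer` makes php-cs-fixer use that rule set instead of the rules in the repository's own config file, so this dry run would report a different set of violations than CI does; drop the `--rules` option so the fixer reads the project config and the checklist reproduces the CI check. The `parallel-lint --exclude vendor .` line is fine as it stands.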
in CI and according to the readme, we don't use --rules @PhpCsFixer
| - [ ] **Code Compatibility**: Does our codebase need updates to work with new versions? | ||
| - [ ] **Security**: Are there security fixes in these updates? | ||
| - [ ] **Testing**: Do we need to update or add tests? | ||
| - [ ] **Configuration**: Are there new configuration requirements? |
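Review bot: the **Security** item asks a question without giving the reviewer anything to run; make it checkable by naming a concrete step, for example `composer audit` (available since Composer 2.4) against the updated lockfile plus a glance at the advisory entry for each bumped package, so "are there security fixes" is answered from data rather than memory. The **Code Compatibility** item would likewise be sharper if it pointed at the PHP version constraint in composer.json that the bumped packages must still satisfy.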
While I find the questions in line 103 more precise, it might be okay to leave this checklist for a better Copilot workflow
| - "*" | ||
| update-types: | ||
| - "major" | ||
| # Replace old PRs when newer versions are available |
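Review bot: the comment `# Replace old PRs when newer versions are available` sits under `update-types`, which only selects which semver levels join the group and has nothing to do with PR replacement; Dependabot closes and supersedes an outdated open PR on its own when a newer version appears, without any option being set. Move the comment to the option it actually describes, or drop it, so the group definition is not misread as controlling supersession.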
feels like this comment belongs to line 26 rather
| update-types: | ||
| - "minor" | ||
| - "patch" | ||
| composer-major: |
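Review bot: grouping every minor and patch update into one PR means a single package whose update breaks CI holds up all the others until it is taken out of the group; if that happens, an `exclude-patterns` entry on the group (or a dedicated group for the troublesome package) keeps the rest flowing. It is worth stating that expectation in the config comment so the next person knows the escape hatch.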
maybe for major changes it's easier to have them on separate PRs?
On the other hand, there might not be many major updates in parallel.
✅ Changes Made

Bundled Updates:

- Created two groups:
  - composer-dependencies: Bundles all minor and patch updates together
  - composer-major: Groups major version updates separately

Supersede Old PRs:

- Added versioning-strategy: auto, which ensures Dependabot automatically supersedes old PRs when newer versions are available
- This means if a PR for version 1.2.0 is open and 1.2.1 becomes available, the old PR will be replaced

2. Created Automated Copilot Review Workflow (dependabot-copilot-review.yml)

This workflow automatically:

On Every Dependabot PR:

- ✅ Analyzes what files changed
- ✅ Shows composer.json diffs
- ✅ Creates a comprehensive review request comment
- ✅ Tags the PR with dependencies and needs-copilot-review labels
- ✅ Mentions @github-copilot with specific questions about:
  - Impact on the dropapp codebase
  - Required code changes
  - Risk assessment
  - Compatibility with PHP 8.2+, Smarty, Auth0, MySQL
  - Testing strategy

Provides Testing Checklist:

- PHP syntax validation
- Code formatting checks
- Application startup verification
- Database connectivity tests
- Basic functionality tests

📋 What Happens Now

When Dependabot creates a PR:

- Bundled updates - Multiple dependency updates will be grouped into a single PR (separate PRs for major vs minor/patch)
- Auto-supersede - If a new version comes out, the old PR is automatically closed and replaced
- Automated review request - GitHub Copilot is automatically tagged with a detailed analysis request
- Labels added - PR is tagged for easy filtering

🎯 Benefits

- Fewer PRs to manage - Updates are bundled together
- Always up-to-date - Old PRs are replaced automatically
- AI-powered reviews - Copilot analyzes impact before you merge
- Consistent testing - Every PR gets the same thorough review checklist

The workflow will trigger on the next Dependabot PR!
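The workflow described above fetches the base branch, diffs it against the PR head and posts a review-request comment. As an added example (not the PR's `dependabot-copilot-review.yml` and not the project's code), here is a minimal version of those steps written the way a reviewer would want them hardened: the base ref goes through `env:` instead of being interpolated into the script, the job is gated to PRs opened by `dependabot[bot]`, the token gets only the permissions the comment step needs (a Dependabot-triggered workflow receives a read-only `GITHUB_TOKEN` unless `permissions` raises it), and the checkout fetches full history so the three-dot diff has a merge base. It assumes a Composer project at the repository root; the job and step names and the `review.md` file are illustrative.

```yaml
# .github/workflows/dependabot-copilot-review.yml  (added example, not the PR's file)
# Assumptions: Composer project at the repo root; job/step names are illustrative.
name: Dependabot review request

on:
  pull_request:
    types: [opened, synchronize, reopened]

# Least privilege: read the repo, comment on the PR, nothing else.
permissions:
  contents: read
  pull-requests: write

jobs:
  review-request:
    # Only act on PRs that Dependabot itself opened.
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # The three-dot diff below needs the merge base; a depth-1 clone
          # may not contain it.
          fetch-depth: 0

      - name: Diff manifests against the base branch
        # Expression values are passed via env, never pasted into the script,
        # so a ref containing shell metacharacters cannot change the commands.
        env:
          BASE_REF: ${{ github.event.pull_request.base.ref }}
        run: |
          set -euo pipefail
          git fetch --no-tags origin "$BASE_REF"
          git diff "origin/$BASE_REF...HEAD" -- composer.json composer.lock > pr_diff.txt
          # Build the comment body; the diff is HTML-escaped inside <pre> so
          # characters in the diff cannot be rendered as markup.
          {
            echo '### Dependency diff (composer.json / composer.lock)'
            echo '<pre>'
            sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g' pr_diff.txt
            echo '</pre>'
          } > review.md

      - name: Post the diff as a review-request comment
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: gh pr comment "$PR_NUMBER" --body-file review.md
```

The `pull_request` trigger runs with the PR's head checked out, which is what the diff needs; if the workflow is ever switched to `pull_request_target` to gain write access, the checkout must not run untrusted PR code, so keep the job restricted to reading files and posting the comment as shown.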