@vnz (Owner) commented Jan 26, 2026

Summary

  • Removes PR creation workflow sections from dependabot skill (~70 lines net)
  • Keeps scan-and-report focus; users can request PRs separately if needed
  • Consolidates redundant examples into reference file delegation

Changes

  • Remove Section 7: "Offer PR Creation"
  • Remove Section 8: "Apply Updates and Create PR(s)"
  • Simplify Section 2: replace inline ecosystem examples with generic pattern + reference delegation
  • Keep Important Notes section (operational guidance applies to scanning too)
  • Update intro to remove "optionally create PRs"
  • Bump version: 1.3.0 → 1.4.0

Rationale

The skill was doing too much — scanning AND creating PRs. By scoping to scan-only:

  1. Reduces skill complexity and token usage
  2. Claude can still create PRs on request (it doesn't need skill instructions for git/gh operations)
  3. Follows single-responsibility principle

Files Modified

  • plugins/dependabot/skills/dependabot/SKILL.md — core skill refactor
  • plugins/dependabot/.claude-plugin/plugin.json — version bump
  • .claude-plugin/marketplace.json — version bump

Verification

  • SKILL.md reads cleanly (116 lines, down from 189)
  • Plugin-validator agent confirms valid structure
  • Skill-reviewer agent pass with minor suggestions applied
  • Pre-commit hooks pass

🤖 Generated with Claude Code

Remove PR creation workflow sections (7 & 8) from skill definition,
keeping the focus on dependency scanning and update reporting. Users
can still ask Claude to create PRs after seeing scan results.

Changes:
- Remove "Offer PR Creation" and "Apply Updates" sections (~75 lines)
- Remove "Important Notes" section (now redundant)
- Add "Next steps" hint pointing users to PR creation on request
- Update intro description to remove "optionally create PRs"
- Bump version: 1.3.0 → 1.4.0

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

@vnz vnz self-assigned this Jan 26, 2026
@gemini-code-assist

Summary of Changes

Hello @vnz, I'm Gemini Code Assist [1]! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request streamlines the Dependabot skill by narrowing its functionality to a scan-only workflow. The change aligns the skill with the single-responsibility principle, ensuring it focuses purely on identifying dependency updates without handling the subsequent pull request creation process. This reduces the skill's internal complexity and token usage, while still allowing users to initiate PRs through separate requests.

Highlights

  • Skill Scope Refinement: The Dependabot skill has been refactored to focus solely on scanning for dependency updates, removing its previous capability to offer and create pull requests.
  • Code Reduction: Approximately 75 lines of code related to PR creation workflows have been removed from the SKILL.md file, significantly reducing the skill's complexity.
  • User Guidance: A new 'Next steps' hint has been added to guide users on how to request PR creation separately after updates are identified.
  • Version Bump: The Dependabot plugin version has been updated from 1.3.0 to 1.4.0 across relevant configuration files.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request effectively simplifies the dependabot skill by removing the pull request creation logic, adhering to the single-responsibility principle. The changes are clear and well-justified in the description. The version numbers have been correctly updated in all relevant files. I have one suggestion regarding the SKILL.md file to improve the clarity of the instructions for the language model, ensuring it provides the 'Next steps' hint only when appropriate.

vnz and others added 2 commits January 26, 2026 17:46
- Remove "Next steps" hint (let users discover PR creation naturally)
- Consolidate Section 2 examples into reference file delegation
- Keep one inline example for quick context

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Operational guidance applies to scan workflow too:
- Token handling (reinforces Section 4)
- Private registry edge cases
- Error resilience across ecosystems

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

@vnz vnz merged commit dd96716 into main Jan 26, 2026
1 check passed
@vnz vnz deleted the refactor/dependabot-scan-only branch January 26, 2026 17:02