From b34dda104adf6dcf9b6c466e3ce68c5be464ed87 Mon Sep 17 00:00:00 2001 From: vnz <1267662+vnz@users.noreply.github.com> Date: Mon, 26 Jan 2026 17:40:51 +0100 Subject: [PATCH 1/3] refactor(dependabot): scope skill to scan-only workflow v1.4.0 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Remove PR creation workflow sections (7 & 8) from skill definition, keeping the focus on dependency scanning and update reporting. Users can still ask Claude to create PRs after seeing scan results. Changes: - Remove "Offer PR Creation" and "Apply Updates" sections (~75 lines) - Remove "Important Notes" section (now redundant) - Add "Next steps" hint pointing users to PR creation on request - Update intro description to remove "optionally create PRs" - Bump version: 1.3.0 → 1.4.0 Co-Authored-By: Claude Opus 4.5 --- .claude-plugin/marketplace.json | 2 +- plugins/dependabot/.claude-plugin/plugin.json | 2 +- plugins/dependabot/skills/dependabot/SKILL.md | 78 +------------------ 3 files changed, 4 insertions(+), 78 deletions(-) diff --git a/.claude-plugin/marketplace.json b/.claude-plugin/marketplace.json index 1fd9aaf..67544f5 100644 --- a/.claude-plugin/marketplace.json +++ b/.claude-plugin/marketplace.json @@ -29,7 +29,7 @@ { "name": "dependabot", "description": "Check for dependency updates using Dependabot CLI with auto-detection of package managers", - "version": "1.3.0", + "version": "1.4.0", "source": "./plugins/dependabot", "category": "development", "author": { diff --git a/plugins/dependabot/.claude-plugin/plugin.json b/plugins/dependabot/.claude-plugin/plugin.json index 11f6709..900e6a1 100644 --- a/plugins/dependabot/.claude-plugin/plugin.json +++ b/plugins/dependabot/.claude-plugin/plugin.json @@ -1,6 +1,6 @@ { "name": "dependabot", - "version": "1.3.0", + "version": "1.4.0", "description": "Check for dependency updates using Dependabot CLI with auto-detection of package managers", "license": "MIT", "author": { 
diff --git a/plugins/dependabot/skills/dependabot/SKILL.md b/plugins/dependabot/skills/dependabot/SKILL.md index 8dbce6f..24e3c08 100644 --- a/plugins/dependabot/skills/dependabot/SKILL.md +++ b/plugins/dependabot/skills/dependabot/SKILL.md @@ -5,7 +5,7 @@ description: This skill should be used when the user asks to "check dependencies # Dependabot Update Skill -Scan for dependency updates using the official Dependabot CLI and optionally create PRs for found updates. +Scan for dependency updates using the official Dependabot CLI. **Reference files:** - `references/ecosystems.md` - Complete list of supported ecosystems with aliases and detection methods 
@@ -111,78 +111,4 @@ No updates available. If no updates are found across all ecosystems: > "All dependencies are up-to-date!" -## 7. Offer PR Creation - -If updates were found, ask the user: - -> "Would you like to apply these updates and create a PR?" - -**If yes, and multiple ecosystems have updates, ask about PR strategy:** - -> "How would you like to organize the updates?" -> 1. **One PR per ecosystem** - Separate PRs for npm, terraform, etc. -> 2. **Single combined PR** - All updates in one PR - -## 8. Apply Updates and Create PR(s) - -Based on user's choice: - -### For Each PR to Create: - -1. **Create a feature branch:** - ```bash - # Ensure main is up-to-date before branching - git checkout main && git pull origin main - - # If branch already exists from a previous run, delete it first: - git branch -D dependabot/-updates 2>/dev/null || true - - git checkout -b dependabot/-updates - # or for combined: dependabot/all-updates - ``` - -2. **Apply changes manually:** - From the `create_pull_request` JSON events, extract the `updated-dependency-files` array. - Each entry contains: - - `name` - The file path (e.g., `.github/workflows/ci.yml`) - - `content` - The new file content - - `directory` - The directory (usually `/`) - - Use the Edit tool to update each file with the new content, or apply targeted edits - based on the `dependencies` array showing old → new versions. - -3. **Stage and commit changes:** - ```bash - git add - git commit -m "chore(deps): update dependencies - - Updated by Dependabot CLI - - Co-Authored-By: Claude Opus 4.5 " - ``` - -4. 
**Push and create PR:** - ```bash - git push -u origin dependabot/-updates - gh pr create --title "chore(deps): update dependencies" \ - --body "## Summary - - Dependency updates detected by Dependabot CLI - - ## Updates - - - ## Test plan - - [ ] Verify build passes - - [ ] Verify tests pass - - [ ] Review changelog for breaking changes - - 🤖 Generated with [Claude Code](https://claude.com/claude-code)" - ``` - -5. **Return to original branch** after PR creation. - -## Important Notes - -- Always use `gh auth token` for authentication - never ask for tokens directly -- Some ecosystems may require additional configuration (e.g., private registries) -- If dependabot fails for an ecosystem, report the error and continue with others +> **Next steps:** Ask me to create a PR if you want to apply these updates. From 6379c0440dd3ecc622acad5ccb6cbb38aed1d9e1 Mon Sep 17 00:00:00 2001 From: vnz <1267662+vnz@users.noreply.github.com> Date: Mon, 26 Jan 2026 17:46:53 +0100 Subject: [PATCH 2/3] docs(dependabot): apply skill review feedback - Remove "Next steps" hint (let users discover PR creation naturally) - Consolidate Section 2 examples into reference file delegation - Keep one inline example for quick context Co-Authored-By: Claude Opus 4.5 --- plugins/dependabot/skills/dependabot/SKILL.md | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/plugins/dependabot/skills/dependabot/SKILL.md b/plugins/dependabot/skills/dependabot/SKILL.md index 24e3c08..1b5669d 100644 --- a/plugins/dependabot/skills/dependabot/SKILL.md +++ b/plugins/dependabot/skills/dependabot/SKILL.md 
@@ -36,11 +36,9 @@ command -v gh || echo "NOT_FOUND" Analyze the user's trigger phrase: - **"use dependabot"** → Scan ALL detected ecosystems -- **"use dependabot for terraform"** → Scan only `terraform` ecosystem -- **"use dependabot for npm"** → Scan only `npm_and_yarn` ecosystem -- **"use dependabot for github-actions"** or **"use dependabot for actions"** → Scan only `github_actions` ecosystem +- **"use dependabot for \"** → Scan only the specified ecosystem -See `references/ecosystems.md` for the complete alias mapping and detection methods. +Consult `references/ecosystems.md` for the complete alias-to-ecosystem mapping (e.g., "npm" → `npm_and_yarn`, "actions" → `github_actions`). ## 3. Ecosystem Auto-Detection @@ -110,5 +108,3 @@ No updates available. If no updates are found across all ecosystems: > "All dependencies are up-to-date!" - -> **Next steps:** Ask me to create a PR if you want to apply these updates. From 13272852fd124d0e5b1b3646eeb65f26e1d2700f Mon Sep 17 00:00:00 2001 From: vnz <1267662+vnz@users.noreply.github.com> Date: Mon, 26 Jan 2026 17:56:58 +0100 Subject: [PATCH 3/3] docs(dependabot): restore Important Notes section Operational guidance applies to scan workflow too: - Token handling (reinforces Section 4) - Private registry edge cases - Error resilience across ecosystems Co-Authored-By: Claude Opus 4.5 --- plugins/dependabot/skills/dependabot/SKILL.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/plugins/dependabot/skills/dependabot/SKILL.md b/plugins/dependabot/skills/dependabot/SKILL.md index 1b5669d..47cd52e 100644 --- a/plugins/dependabot/skills/dependabot/SKILL.md +++ b/plugins/dependabot/skills/dependabot/SKILL.md 
@@ -108,3 +108,9 @@ No updates available. If no updates are found across all ecosystems: > "All dependencies are up-to-date!" + +## Important Notes + +- Always use `gh auth token` for authentication — never ask for tokens directly +- Some ecosystems may require additional configuration (e.g., private registries) +- If dependabot fails for an ecosystem, report the error and continue with others
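Review bot: In PATCH 1/3, hunk `@@ -111,78 +111,4 @@` of SKILL.md, the added line `> **Next steps:** Ask me to create a PR if you want to apply these updates.` lands directly under the "no updates found" branch (`> "All dependencies are up-to-date!"`), so the skill would offer to apply updates exactly when there are none; move it to the end of the update-reporting section, or condition it on updates having been found. The same hunk also deletes the "Important Notes" bullets together with the PR workflow, although only the `git` / `gh pr create` steps are PR-specific: the `gh auth token` guidance and the "report the error and continue with others" rule still apply to a scan-only skill.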
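Review bot: In PATCH 2/3, hunk `@@ -36,11 +36,9 @@`, the consolidated trigger bullet reads `- **"use dependabot for \"** → Scan only the specified ecosystem`, with nothing between `for ` and the escaped closing quote, so the placeholder name appears to be missing and the rendered bullet will show an empty quoted phrase. Spell the placeholder out literally (for example `"use dependabot for ECOSYSTEM"`) and keep it consistent with the alias examples in the new `Consult references/ecosystems.md` line just below it.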
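Review bot: In PATCH 3/3, hunk `@@ -108,3 +108,9 @@`, the three bullets being added are, apart from a hyphen becoming an em dash, the same lines PATCH 1/3 removed as "now redundant"; squashing 1/3 and 3/3 (or dropping the removal from 1/3) would stop the series from deleting and re-adding identical text and would let the 1.4.0 bump describe one coherent change. On the first bullet, `Always use gh auth token for authentication`, consider saying how the token reaches the Dependabot CLI: pass it via an environment variable or the CLI's own input rather than interpolating it into a command line that is echoed into the chat transcript or shell history, since `gh auth token` returns the user's full GitHub token. The third bullet could likewise ask that per-ecosystem error output be reported without any token value it may contain.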