Routine maintenance 2026-06 #87
Replace multi-ecosystem-groups format with per-ecosystem groups.security (applies-to: security-updates). Add npm ecosystem. Remove separator: '-' dead config. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The maintenance pass landed Ruby/workflow updates but missed the npm → pnpm swap that BE repos with `package.json` + `package-lock.json` now get during maintenance (per the agent's BE-pnpm-migration rule).

- Add `"packageManager": "pnpm@11.5.1"` to package.json.
- Convert `package-lock.json` → `pnpm-lock.yaml` via `pnpm import`.
- Drop the `--ignore-path=".gitignore"` flag — prettier 3 already reads `.gitignore` + `.prettierignore` by default, and the explicit flag was suppressing `.prettierignore`.
- Drop the `-- --check` separator from scripts; pnpm passes trailing args directly to the script.
- Replace `npm run` → `pnpm run` in Rakefile + package.json scripts.
- Create `.prettierignore` listing `pnpm-lock.yaml` so prettier doesn't fight the lockfile format.

pnpm v11+ default `minimumReleaseAge: 1440` (24h) now gives Dependabot a security cooldown on the npm side, mirroring Bundler 4.0.13's.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Commit e5b253b completed the npm → pnpm migration in the repo (deleted package-lock.json, added pnpm-lock.yaml, set packageManager=pnpm@11.5.1) but the lint job in build.yml still ran `npm ci && npm run lint`, which now fails with EUSAGE because the lockfile no longer exists. Add pnpm/action-setup, point setup-node's cache at pnpm, and swap the prettier step over. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
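For readers following the build.yml fix described in that commit, here is an added example of a lint job wired for pnpm. It is not the repo's actual workflow: the job name, the Node version and the action major versions are assumptions, and the old npm step is shown only as a comment for contrast.

```yaml
# Added example, not the repo's build.yml. Job/step names and versions are assumed.
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # pnpm must be on PATH before setup-node runs, because `cache: pnpm`
      # below shells out to pnpm to locate its store. With no `version`
      # given, pnpm/action-setup reads package.json#packageManager, so the
      # pin (pnpm@11.5.1 in this repo) lives in one place.
      - uses: pnpm/action-setup@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 22   # assumed; use the repo's own Node version
          cache: pnpm        # previously `cache: npm`

      # Before the migration this was `npm ci && npm run lint`, which fails
      # with EUSAGE once package-lock.json is gone. --frozen-lockfile makes
      # CI refuse to silently rewrite pnpm-lock.yaml if it drifts from
      # package.json, the same guarantee `npm ci` gave.
      - run: pnpm install --frozen-lockfile
      - run: pnpm run lint
```

If `pnpm install --frozen-lockfile` fails in CI after a dependency change, the fix is to run `pnpm install` locally and commit the updated `pnpm-lock.yaml`, not to drop the flag.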
```yaml
schedule:
  interval: 'daily'
open-pull-requests-limit: 0
groups:
```
maybe

```yaml
groups:
  all:
    patterns:
      - '*'
```

so that all github actions updates get into one
Good call out — but I think the current shape already does what you want, with one caveat. The block has open-pull-requests-limit: 0, which suppresses version updates entirely. The group security with applies-to: security-updates is what actually batches the security updates into one PR.
If we drop applies-to: security-updates, the default scope becomes version-updates — which limit: 0 already disables — so the group config silently no-ops, and security updates would land ungrouped (one PR per CVE). Functionally a small regression.
If we want to re-enable batched version updates for github-actions specifically (e.g. raise the limit, add an all group), happy to do that — but it deviates from the security-only convention we've standardized across ivx repos (matches the bundler + npm blocks above), so I'd want to align org-wide first.
Leaving the current shape for now. Resolving as-is — let me know if you want the broader change.
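To make the trade-off in this thread concrete, here is an added dependabot.yml example (not the repo's own file): the first `github-actions` block is the security-only shape the reply keeps, the second is what the suggested `all` group does under the same `open-pull-requests-limit: 0`. The two blocks are alternatives for contrast, not meant to coexist in one file; `directory` and `interval` are assumed.

```yaml
# Added example; not the repo's dependabot.yml. Two alternative blocks are
# shown side by side, a real file would contain only one of them.
version: 2
updates:
  # Shape kept in this PR. The limit disables version-update PRs entirely;
  # the group is explicitly scoped to security updates, so every security
  # update for this ecosystem is batched into a single PR.
  - package-ecosystem: "github-actions"
    directory: "/"            # assumed
    schedule:
      interval: "daily"       # assumed
    open-pull-requests-limit: 0
    groups:
      security:
        applies-to: security-updates
        patterns:
          - "*"

  # Suggested shape, for contrast. Without applies-to, a group defaults to
  # version updates, which open-pull-requests-limit: 0 already turns off.
  # The group therefore matches nothing, and each security update opens its
  # own PR: the "one PR per CVE" regression described above.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 0
    groups:
      all:
        patterns:
          - "*"
```

A quick way to check which shape a repo actually has: grep each `groups:` entry under a block with `open-pull-requests-limit: 0` for `applies-to: security-updates`; any group without it is dead config.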
johannesluedke left a comment:
let's reflect the update to pnpm in CLAUDE.md
Stack now lists pnpm v11+ (pinned via package.json#packageManager) and calls out that Node tooling is dev-only (Prettier on Ruby files). Common commands swap `npm install` / `npm run lint` for `pnpm install --frozen-lockfile` / `pnpm run lint` / `pnpm run format`. Addresses review feedback from @johannesluedke. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>