Extend Dependabot workflow to auto-fix build, lint, and test failures#324

Merged: umair-ably merged 1 commit into main from fix/dependabot-auto-fix on Apr 15, 2026

Conversation

@umair-ably
Collaborator

Summary

  • Adds build, lint, and test steps to the Dependabot workflow so Claude can diagnose and fix failures from dependency bumps (e.g. React 18→19 in PR #308, "fix(deps): bump the all-dependencies group across 1 directory with 9 updates")
  • Checks PR author instead of triggering actor so the workflow re-runs after our bot pushes fixes (not just on the initial Dependabot push)
  • Limits to 2 successful runs per branch to prevent infinite loops
  • Job always runs (no job-level if) so the PR status shows green instead of "skipped"

Test plan

- Add test step (pnpm test:unit) so Claude can diagnose and fix test
  failures from dependency bumps (e.g. React 18→19 in PR #308)
- Move git config before any commit steps so Claude's commits work
  even when lockfile is unchanged
- Fix pipefail in build/lint steps so exit codes propagate through tee
- Fix output capture: use GITHUB_OUTPUT with heredoc delimiters instead
  of shell substitution (which doesn't work in with: values)
- Truncate logs to last 200 lines to avoid GITHUB_OUTPUT size limits
- Use accurate fallback messages instead of misleading "succeeded" text
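The pipefail-through-tee and GITHUB_OUTPUT heredoc handling described in the test plan above, as an added example that is not the project's workflow code; it assumes a constructed fake_build function standing in for the real build command and falls back to a temp file when GITHUB_OUTPUT is not set by the Actions runner:

```shell
#!/usr/bin/env bash
# Added example, not the project's workflow: run a CI command through tee
# without losing its exit code, then pass the last MAX_LINES log lines to a
# later step through GITHUB_OUTPUT using a heredoc delimiter.
# Assumptions: GITHUB_OUTPUT is set by the Actions runner (temp-file fallback
# locally); fake_build is a constructed stand-in for "pnpm build".
: "${GITHUB_OUTPUT:=$(mktemp)}"
: "${LOG_FILE:=$(mktemp)}"
MAX_LINES="${MAX_LINES:-200}"

# Constructed failing build: 250 lines of output, then exit status 1.
fake_build() {
  local i
  for i in $(seq 1 250); do echo "line $i"; done
  return 1
}

# Broken form: a pipeline's status is that of its last command, so this
# returns tee's 0 and the failure never reaches the "needs-fix" check.
run_logged_broken() {
  "$@" 2>&1 | tee "$LOG_FILE" >/dev/null
}

# Fixed form: pipefail makes the pipeline report the first non-zero status.
# The subshell keeps the option change local to this function.
run_logged() {
  ( set -o pipefail; "$@" 2>&1 | tee "$LOG_FILE" >/dev/null )
}

# Append a multi-line output "$1" (taken from file "$2") to GITHUB_OUTPUT,
# keeping only the last MAX_LINES lines. Multi-line values need the
# "name<<DELIM" heredoc form ("name=value" stops at the first newline), and a
# unique delimiter avoids a log line terminating the value early.
write_output() {
  local name="$1" file="$2" delim="ghout_$$_$RANDOM"
  {
    printf '%s<<%s\n' "$name" "$delim"
    tail -n "$MAX_LINES" "$file"
    printf '%s\n' "$delim"
  } >>"$GITHUB_OUTPUT"
}

# Demo: the fixed runner sees the failure and exports the truncated log.
rc=0
run_logged fake_build || rc=$?
echo "build exit code: $rc"
if [ "$rc" -ne 0 ]; then
  write_output build-log "$LOG_FILE"
  echo "wrote $(wc -l <"$GITHUB_OUTPUT") lines to $GITHUB_OUTPUT"
fi
```

Swap fake_build for the real command (e.g. `run_logged pnpm build`) and a later step can read the value as `steps.<id>.outputs.build-log`.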
vercel bot commented Apr 15, 2026

Project      Deployment   Actions           Updated (UTC)
cli-web-cli  Ready        Preview, Comment  Apr 15, 2026 0:59am


@claude-code-ably-assistant

Walkthrough

This PR extends the Dependabot lockfile workflow to also run build, lint, and unit tests after regenerating the lockfile, so Claude can diagnose and fix failures introduced by dependency bumps (e.g. the React 18→19 breakage in #308). It also replaces the job-level if: github.actor == 'dependabot[bot]' condition with an explicit guard step that checks the PR author (ensuring the workflow re-runs after the bot pushes fixes) and adds a loop-prevention cap of 2 successful runs per branch.

Changes

Area: Config (CI)
Files: .github/workflows/dependabot-lockfile.yml
Summary: Adds guard step for author check + loop prevention; adds if: steps.guard.outputs.skip != 'true' to all existing steps; adds pnpm --filter @ably/react-web-cli test to the test step; fixes pipefail propagation through tee

Review Notes

  • Behavioral change — trigger condition: The job-level if: github.actor == 'dependabot[bot]' is removed. The job now always runs (shows green instead of "skipped"), with guard logic inside the first step. This is intentional — "skipped" jobs leave ambiguous PR status.
  • New test target: The test step now also runs pnpm --filter @ably/react-web-cli test, covering the React web CLI package. Reviewers should verify this filter path is correct for the monorepo layout.
  • Loop prevention logic: Uses gh run list --json conclusion to count prior success runs on the branch (cap: 2). Worth confirming this count is scoped correctly — gh run list defaults to recent runs; if the branch has old successful runs from a prior Dependabot bump this cap could trigger prematurely.
  • No new dependencies — workflow-only change, no package.json or lockfile impact.
  • No migration/deployment steps required.


@claude-code-ably-assistant claude-code-ably-assistant bot left a comment

PR Review summary - see below for details.


@claude-code-ably-assistant claude-code-ably-assistant bot left a comment

PR Review

Overview: Moves the Dependabot guard from a job-level if condition to a step-based check against the PR author (not triggering actor), so the workflow re-runs after the bot pushes fix commits. Adds loop-prevention (max 2 successes) and extends tests to include the React web CLI package.

Bug to fix: gh run list without --limit

gh run list defaults to 20 most recent runs. If there are >20 runs on the branch, the success count is underestimated and the loop cap fails to enforce. Add --limit 30 to the command.

Verify the app/dependabot author format

gh pr view with --json author queries GraphQL, where bots use app/ format (vs name[bot] in REST). So app/dependabot is likely correct - but confirm against a real Dependabot PR before merging. If wrong, the guard always skips and the workflow never runs for Dependabot PRs.

Everything else is correct:

  • Security: guard step uses only github.token (no secrets). Checkout of PR head is still gated behind the skip guard - non-Dependabot PRs never reach it.
  • Capture error output and Fix issues with Claude are implicitly safe: they depend on needs-fix output, which itself has the skip guard.
  • Test exit code aggregation (failed=0 / || failed=1 / exit failed) correctly handles multiple test commands.
  • Lint/test gating on build success is correct.

Contributor

@sacOO7 sacOO7 left a comment

LGTM

@umair-ably umair-ably merged commit 5a22e6d into main Apr 15, 2026
11 of 12 checks passed
@umair-ably umair-ably deleted the fix/dependabot-auto-fix branch April 15, 2026 13:23