Fix Dependabot workflow guard and add missing test coverage #325

Merged
umair-ably merged 1 commit into main from fix/dependabot-workflow-fixes
Apr 15, 2026

@umair-ably umair-ably commented Apr 15, 2026

Summary

Fixes multiple issues causing the Dependabot auto-fix workflow to fail silently.

Fixes

  • Claude never ran — direct_prompt is not a valid input for claude-code-action@v1. Changed to prompt, which triggers automation mode (no @claude mention needed)
  • Guard step crash — gh pr view and gh run list need a git repo but run before checkout. Replaced with github.event.pull_request.user.login (event payload) and gh api (no repo needed)
  • Web CLI tests missing — pnpm test:unit only runs root tests, not packages/react-web-cli. Added pnpm --filter @ably/react-web-cli test
  • Timeout too low — 15min wasn't enough for build+lint+test+Claude. Bumped to 30min
  • Missing permission — added actions: read for the workflow runs API query
  • Claude prompt — now includes pnpm --filter @ably/react-web-cli test in verification instructions

Test plan

vercel bot commented Apr 15, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| cli-web-cli | Ready | Preview, Comment | Apr 15, 2026 1:41pm |

@claude-code-ably-assistant

Walkthrough

This PR fixes a crash in the fix-dependabot workflow where gh pr view and gh run list were invoked before the repo checkout step, causing a fatal: not a git repository error on every Dependabot PR. The fix replaces those git-dependent calls with event payload variables and the gh api REST endpoint, and also fills in missing test coverage for the React web CLI package.

Changes

| Area | Files | Summary |
| --- | --- | --- |
| Config / CI | .github/workflows/dependabot-lockfile.yml | Fixed guard step crash (pre-checkout), corrected Dependabot author string, added actions: read permission, bumped timeout 15→30 min, added react-web-cli tests, removed dead set -o pipefail, updated Claude verification prompt |

Review Notes

  • Behavioral change — author check string: The guard comparison changed from "app/dependabot" to "dependabot[bot]". The old string was incorrect (never matched), meaning the guard never actually skipped non-Dependabot PRs. The new string is the correct GitHub login for the Dependabot bot.
  • Pre-checkout safety: PR_AUTHOR and HEAD_REF are now injected as env vars from the event payload (github.event.pull_request.*) rather than being fetched via CLI commands — this is the correct pattern for steps that run before actions/checkout.
  • gh api for run count: Switching from gh run list to gh api repos/.../actions/workflows/.../runs?branch=…&status=success avoids the git repo requirement. The --jq '.total_count' extraction relies on the GitHub API's total_count field, which counts all matching runs (not just the paginated page), so the count is accurate.
  • No new dependencies introduced.
  • No application code changed — all changes are confined to the CI workflow file; no unit/integration tests are needed for the workflow itself.

@claude-code-ably-assistant claude-code-ably-assistant bot left a comment

Review

This PR fixes a real crash in the fix-dependabot workflow (using gh pr view / gh run list before checkout). The overall approach is correct — using event payload values and gh api instead of git-dependent CLI calls. Most of the changes are straightforward improvements, but there's one bug.


Bug: Removing set -o pipefail breaks test failure detection

The PR removes set -o pipefail on the grounds that || failed=1 already handles exit codes. This reasoning is incorrect — the two interact, and removing pipefail silently breaks test failure detection.

The pipeline:

pnpm test:unit 2>&1 | tee /tmp/test-output.txt || failed=1

In bash, the exit status of a pipeline is the exit status of the last command (tee) unless pipefail is set. tee exits 0 as long as the file write succeeds — regardless of whether pnpm test:unit failed. So without pipefail, failed stays 0 even when tests fail.

With pipefail (the original), the pipeline fails if pnpm test:unit fails, || failed=1 fires, and the fix step is triggered correctly.

Impact: After this change, if pnpm test:unit or pnpm --filter @ably/react-web-cli test returns a nonzero exit code, failed will remain 0. The workflow will reach the conclusion that no fix is needed and quietly do nothing, even though tests are broken. This defeats the entire purpose of the test step.

Fix: keep set -o pipefail, or capture test exit codes explicitly:

pnpm test:unit 2>&1 | tee /tmp/test-output.txt; [[ ${PIPESTATUS[0]} -ne 0 ]] && failed=1

Other observations (no action needed)

  • app/dependabot → dependabot[bot]: The old string never matched anything (Dependabot's GitHub login is dependabot[bot]), so the non-Dependabot guard was always silently broken. The new string is correct.
  • gh api for run count: Using total_count from the paginated API response is correct — it counts all matching runs, not just the first page, which is actually an improvement over the previous gh run list (which defaulted to the last 20 runs).
  • Event payload injection: Using ${{ github.event.pull_request.user.login }} and ${{ github.event.pull_request.head.ref }} as env vars before checkout is the right pattern.
  • actions: read permission: Required for the gh api workflows endpoint — good catch.
  • Timeout bump: Reasonable given the build+test+Claude workload.
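
Added example (not part of the review comment or the project's workflow): the three variants discussed in the review above, run against a constructed stand-in for `pnpm test:unit`. The names `run_tests`, `without_pipefail`, `with_pipefail` and `with_pipestatus` are illustrative assumptions, and a temp file stands in for /tmp/test-output.txt.

```bash
#!/usr/bin/env bash
# pipefail and PIPESTATUS are bash features; re-exec under bash if started by sh.
[ -n "${BASH_VERSION:-}" ] || exec bash "$0" "$@"

LOG=$(mktemp)                      # stands in for /tmp/test-output.txt
trap 'rm -f "$LOG"' EXIT

# Constructed stand-in for `pnpm test:unit`: prints output, exits with status $1.
run_tests() {
  echo "simulated test output (exit $1)"
  return "$1"
}

# Variant A: no pipefail. The pipeline's status is tee's status, so a
# failing test run never reaches `|| failed=1`.
without_pipefail() (
  set +o pipefail
  failed=0
  run_tests "$1" 2>&1 | tee "$LOG" >/dev/null || failed=1
  echo "$failed"
)

# Variant B: pipefail. Any failing stage fails the whole pipeline.
with_pipefail() (
  set -o pipefail
  failed=0
  run_tests "$1" 2>&1 | tee "$LOG" >/dev/null || failed=1
  echo "$failed"
)

# Variant C: no pipefail, but read the first stage's status from PIPESTATUS
# immediately after the pipeline (any later command overwrites it).
with_pipestatus() (
  set +o pipefail
  failed=0
  run_tests "$1" 2>&1 | tee "$LOG" >/dev/null
  [[ ${PIPESTATUS[0]} -ne 0 ]] && failed=1
  echo "$failed"
)

for status in 0 1; do
  echo "tests exit $status: no-pipefail failed=$(without_pipefail "$status")," \
       "pipefail failed=$(with_pipefail "$status")," \
       "PIPESTATUS failed=$(with_pipestatus "$status")"
done
```

On GitHub-hosted Linux runners a `run:` step with no `shell:` key executes as `bash -e {0}`, so pipefail is off unless the script sets it; specifying `shell: bash` runs `bash --noprofile --norc -eo pipefail {0}`.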

@claude-code-ably-assistant claude-code-ably-assistant bot left a comment

One bug found: removing set -o pipefail breaks test failure detection (see inline comment).

- Fix guard step: use event payload (github.event.pull_request.user.login)
  instead of gh pr view which fails before checkout (no git repo)
- Fix loop guard: use gh api instead of gh run list (also needs no repo)
- Add actions:read permission for workflow runs API query
- Add react-web-cli tests to catch web CLI package failures
- Remove dead set -o pipefail from test step (counter pattern handles it)
- Increase timeout to 30min to accommodate Claude's 30 turns
- Include web CLI test command in Claude's verification instructions

@sacOO7 sacOO7 left a comment

LGTM

@umair-ably umair-ably merged commit 354842d into main Apr 15, 2026
9 of 10 checks passed
@umair-ably umair-ably deleted the fix/dependabot-workflow-fixes branch April 15, 2026 13:49