Skip to content

chore: add ci check requiring deps: commits for prod dependency changes#9748

Open
reggi wants to merge 1 commit into
latestfrom
reggi/ci-deps-commits-check
Open

chore: add ci check requiring deps: commits for prod dependency changes#9748
reggi wants to merge 1 commit into
latestfrom
reggi/ci-deps-commits-check

Conversation

@reggi

@reggi reggi commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

What / Why

Adds a new Pull Request CI check that rejects a PR when a production dependency is changed without a dedicated deps: commit naming that dependency. This keeps dependency updates isolated in the git history and changelog, and prevents prod dep bumps from being buried inside unrelated fix:/feat:/chore: commits.

Motivated by #9740, where a deps(arborist): validate-npm-package-name ^8.0.0 bump was merged inside a single fix: commit, obscuring why arborist needed a version bump.

How it works

scripts/check-deps-commits.js (git + Node builtins only — no dependency install required):

  • Diffs first-party manifests (root package.json, workspaces/*, mock-registry, …) across base...head, excluding node_modules/** bundle churn.
  • Collects every changed dependencies entry (ignores devDependencies).
  • Requires each changed dep to be named in a deps: / deps(scope): / deps!: commit in the branch.
  • On failure, prints the missing deps and a suggested scoped, versioned commit derived from the diff, e.g. deps(arborist): validate-npm-package-name@^8.0.0.

.github/workflows/deps-commits.yml runs it on PRs and skips bot release/v* branches (which bulk-bump interdependencies in one chore: release). Intentionally not template-oss managed.

Example (what #9740 would have shown)

The following production dependency changes are missing a matching deps: commit:
  - validate-npm-package-name (changed in: workspaces/arborist/package.json)

Add a separate commit for each, e.g.:
  deps(arborist): validate-npm-package-name@^8.0.0

Verification

Adds a Pull Request CI check that fails when a production dependency is
changed in a first-party manifest (root, workspaces/*, etc.) without a
dedicated deps: commit naming that dependency, keeping dependency updates
isolated in the git history and changelog.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot-Session: 0adf6d99-eb62-42c3-8bd3-b0d914c465a5
@reggi reggi requested review from a team as code owners July 10, 2026 18:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants