pnpm: dependabot strategy 🤖 #705

Closed
4 tasks done
JeromeFitz opened this issue Jun 23, 2022 · 3 comments
Labels
⚛️ Technical Progress May not be attributed to a Sprint per se, verify with Milestone before it can be merged

Comments

JeromeFitz (Owner) commented Jun 23, 2022

🤖 Dependabot is not set up for pnpm yet. With no real plans to add this as a feature (understandably):

  • Reference: https://github.com/dependabot/dependabot-core/issues/1736

I know they have to consider a lot more than updating a pnpm-lock.yaml, but we probably do not.

Suggestion:

Can we handle this update as a CI automation to Dependabot's PRs to:

  • pnpm install without the frozen lockfile setting
  • Add the updated pnpm-lock.yaml file
  • Commit
  • Push to Dependabot Branch

Bonus:

🤔 Can dependabot PRs be set to Draft Mode first, then this Action final step after pushing would be to Ready for Review the PR / Branch it updates

  • Not really, since Draft mode is not universal to GitHub (and specifically within Dependabot) it would be better to focus on what to do when Dependabot instead creates its PRs
    • github.actor is dependabot[bot]
    • Has subject that startsWith:
      • ⬆️ (deps) Bump
      • ⬆️ (deps-dev) Bump
      • :arrow-up: (deps) Bump
      • :arrow-up: (deps-dev) Bump
    • Adds label of 📦 Dependencies
      • 📝 Note: after the PR is created so may be too late for CI check on pull_request

Order of Operations may be:

  • pull_request first checks against github.actor && github.event.head_commit.message, if it meets the above requirements
  • Attach the following label to inform CI it should run the new pnpm action that will:
    • 🏷️ : 📦 pnpm
      • Verify whether this is GitHub'ified to :package: pnpm
    • Check against PR changes that have that label and then
    • Do its thing (see above), + remove said label

That would then set the PR back in a state to be checked against the existing GitHub Action
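A workflow sketch of the procedure described above (detect a Dependabot PR, run `pnpm install` without the frozen lockfile, commit and push `pnpm-lock.yaml` back to the Dependabot branch), added here as an example and not code from this repository. It assumes a `RELOCK_TOKEN` secret (hypothetical name) stored as a Dependabot secret, since Dependabot-triggered `pull_request` runs get a read-only `GITHUB_TOKEN` and no access to ordinary repository secrets, and it checks the PR title because `head_commit.message` only exists on `push` events.

```yaml
name: Dependabot pnpm lockfile

on:
  pull_request:
    types: [opened, synchronize]

permissions:
  contents: read   # default for every job; widened only where a push is needed

jobs:
  relock:
    # Only Dependabot PRs whose title carries one of the bump prefixes listed in the issue.
    if: >-
      github.actor == 'dependabot[bot]' &&
      (startsWith(github.event.pull_request.title, '⬆️ (deps) Bump') ||
       startsWith(github.event.pull_request.title, '⬆️ (deps-dev) Bump') ||
       startsWith(github.event.pull_request.title, ':arrow-up: (deps) Bump') ||
       startsWith(github.event.pull_request.title, ':arrow-up: (deps-dev) Bump'))
    runs-on: ubuntu-latest
    permissions:
      contents: write   # the single job that has to push a commit
    steps:
      - uses: actions/checkout@v3
        with:
          ref: ${{ github.event.pull_request.head.ref }}
          # Hypothetical Dependabot secret holding a token scoped to this repo's contents.
          token: ${{ secrets.RELOCK_TOKEN }}
      - uses: pnpm/action-setup@v2
        with:
          version: 7
      - uses: actions/setup-node@v3
        with:
          node-version: 16
      - name: Regenerate the lockfile without running package install scripts
        # --ignore-scripts keeps the freshly bumped package from executing hooks
        # inside a job that holds a write-capable token.
        run: pnpm install --no-frozen-lockfile --ignore-scripts
      - name: Commit and push only if pnpm-lock.yaml actually changed
        run: |
          git add pnpm-lock.yaml
          if git diff --cached --quiet; then
            echo "pnpm-lock.yaml unchanged, nothing to push"
            exit 0
          fi
          git -c user.name=github-actions -c user.email=actions@github.com \
            commit -m "chore(deps): regenerate pnpm-lock.yaml"
          git push origin HEAD:${{ github.event.pull_request.head.ref }}
```

Once another identity pushes to a Dependabot branch, Dependabot stops rebasing that PR itself, so expect to recreate or manually rebase PRs that go stale after this step runs.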

@JeromeFitz JeromeFitz added the ⚛️ Technical Progress May not be attributed to a Sprint per se, verify with Milestone before it can be merged label Jun 23, 2022
@JeromeFitz JeromeFitz changed the title pnpm: dependabot strategy pnpm: dependabot strategy 🤖 Jun 23, 2022
JeromeFitz (Owner, Author) commented:

Or... migrate to Renovate. 😆

kodiakhq bot pushed a commit that referenced this issue Jun 25, 2022
Closes Issue: #705

yup booleans are strings, going to put my head in the oven

dependabot is not even going to pick this up anyway and we are going to have to move to renovate 😆 

![alt text](https://pbs.twimg.com/media/EZ5LLMgX0AAeUMm.jpg)
JeromeFitz (Owner, Author) commented:

Straight up, this was not worth it.

I think I have to move to Renovate at this rate because this hack is not good, haha.

Instead of the aforementioned it does a few checks:

  • IS_DEPENDABOT to determine the github actor
  • IS_PNPMP_LABEL if instead of the above, we need to override w/ label

This creates (ejects) install from init, and adds a pnpm step if either of the above is true (AND THOSE ARE STRINGS!), and then you better believe if you are not pinned all the way through your repo, it is going to do more to that lock file haha

I am looking at you storybook

So yea

Unless you PIN everything, this is a colossal waste of time and adds confusion.

Oh well.

JeromeFitz (Owner, Author) commented:

As an update we moved to Renovate. It was super simple and has a few added bonuses that I really like.

PR is here: #710
