Add dependabot config for pnpm workspace, cargo, and actions#8660
Merged
Conversation
Point the npm ecosystem at /ui (the pnpm workspace root) so Dependabot updates ui/pnpm-lock.yaml alongside child package.json changes instead of leaving the repo in a broken state. Signed-off-by: jh-block <jhugo@block.xyz>
This was referenced Apr 20, 2026
lifeizhou-ap
added a commit
that referenced
this pull request
Apr 21, 2026
* main: feat(hooks): add Husky git hooks for ui/goose2 (#8577) fix: links in chat could not be opened (#8544) fix: run setup before dev and dev-debug in goose2 justfile (#8718) Manage skills as sources over ACP (#8675) handle full node paths in goose2 kill recipe (#8709) overhaul provider inventory and agent/model selection (#8652) Remove unused import (#8676) delete the goose2 migration plan prompt (#8678) Add health score badge to README (#8677) feat(goose2): voice dictation via direct-ACP pattern (#8609) consistently use actions-rust-lang/setup-rust-toolchain (#8671) fix(developer): run shell tool under bash/sh regardless of login shell (#8659) refactor(providers): extract shared OAuth device-flow helper (#8619) Add a goose2 release workflow (#8629) chore(deps): bump ncipollo/release-action from 1.20.0 to 1.21.0 (#8664) docs: add blog post about Mesh LLM provider option (#8655) fix: append /chat/completions for prefixed v1 base URLs (#8521) Reset ChatGPT Codex auth during OAuth setup (#8569) chore(deps): bump EmbarkStudios/cargo-deny-action from 2.0.15 to 2.0.17 (#8665) Add dependabot config for pnpm workspace, cargo, and actions (#8660)
spikewang
pushed a commit
to spikewang/goose
that referenced
this pull request
Apr 22, 2026
…ose#8660) Signed-off-by: jh-block <jhugo@block.xyz>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Without a
.github/dependabot.yml, Dependabot auto-discovery treatsui/desktop/package.jsonas a standalone npm project. Since the pnpm lockfile lives one level up atui/pnpm-lock.yaml, Dependabot updates only the childpackage.jsonand leaves the lockfile stale, producing broken PRs (e.g. #8444).This config points the npm ecosystem at
/ui(the pnpm workspace root) so Dependabot updates the correct childpackage.jsonand regeneratesui/pnpm-lock.yamlin the same PR.Also adds cargo updates at the repo root and github-actions updates, with minor/patch bumps grouped to cut PR noise.
Existing broken PRs (like #8444) won't self-heal — close them, or comment
@dependabot recreateonce this lands.