chore(deps): bump ollama/ollama from 0.21.0 to 0.21.2 in the docker-compose group across 1 directory#398
Codecov Report: All modified and coverable lines are covered by tests.
…400)

## Linked issue

Fixes # — operational fix; tracked via the cross-repo `dependabot-pr-hygiene-playbook` awareness entry (logical_key `dependabot-pr-hygiene-playbook`). Surfaced empirically by this repo's two current open Dependabot PRs (#397 and #398), which both ship with doubled-prefix titles and no CHANGELOG entries.

## Summary

Ports the cross-repo Dependabot pattern validated yesterday in cmeans/mcp-synology (PRs #58 + #63 ordering fix) and cascaded to cmeans/mcp-clipboard and cmeans/pypi-winnow-downloads. After this lands, Dependabot PRs on this repo will:

- Open with single-prefix titles (`chore(deps): bump ...`, not `chore(deps)(deps): ...`)
- Auto-prepend a `### Changed` CHANGELOG entry with populated version arrows (`pkg X→Y, ...`)
- Pick up ecosystem labels (`python` / `github-actions` / `docker`) so they sort filterably alongside manual dep work
- Re-fire required CI checks (`lint`, `typecheck`, `test`, `qa-gate`, `scan`) on the bot's follow-up commit so main-protection doesn't block merge

## Scope

```
.github/dependabot.yml                     | 24 ++++++++++++++++++------
.github/workflows/dependabot-changelog.yml | new (224 lines)
CHANGELOG.md                               |  6 ++++++
3 files changed, 248 insertions(+), 6 deletions(-)
```

No source code touched, no tests touched, no schema touched.

## What this changes

1. **New `.github/workflows/dependabot-changelog.yml`** — `pull_request_target` workflow filtered to `dependabot[bot]`. Mints a GitHub App installation token via `actions/create-github-app-token@1b10c78c…` (v3.1.1, SHA-pinned), checks out the PR head with that token, fetches Dependabot metadata via `dependabot/fetch-metadata@25dd0e34…` (v3.1.0, SHA-pinned), composes a one-line `### Changed` entry, prepends to `CHANGELOG.md`, commits as `cmeans-claude-dev[bot]` (numeric user id `272174644` in the noreply email so commits resolve to the bot account), pushes back via the App token so required CI checks re-fire.
2. **`.github/dependabot.yml` commit-message prefix corrected** — `chore(deps)` → `chore` in all four ecosystem blocks. Combined with `include: scope`, bare `chore` produces the canonical `chore(deps): bump foo`. The previous setting produced the doubled `chore(deps)(deps):` you can see on PRs #397 and #398.
3. **Ecosystem labels added to dependabot.yml** — `python` for pip, `github-actions` for actions, `docker` for both Docker and docker-compose. The four labels (`dependencies`, `python`, `github-actions`, `docker`) were created on the repo separately via `gh label create` so Dependabot doesn't silently skip them.

## Playbook gotchas folded in

- **`pull_request_target` not `pull_request`** — Dependabot's `GITHUB_TOKEN` is read-only on `pull_request`; the workflow couldn't push back.
- **GitHub App token not `secrets.GITHUB_TOKEN`** — pushes by `GITHUB_TOKEN` don't trigger downstream `pull_request` workflows (anti-loop policy), so required checks never run on the bot's commit and main-protection blocks merge.
- **`dependabot/fetch-metadata@v3.1.0` not v2.x** — v2.x returns empty `prevVersion`/`newVersion` on grouped updates, producing entries like `Bump foo →, bar →` with empty arrows.
- **Numeric `BOT_USER_ID` (`272174644`) not `APP_ID` (`3223881`)** in the commit author noreply email so commits resolve back to `cmeans-claude-dev[bot]`. Wrong id breaks `require_last_push_approval`.
- **Keep-a-Changelog v1.1.0 subsection ordering** (Added → Changed → Deprecated → Removed → Fixed → Security) — when creating a fresh `### Changed`, walks forward to insert before the first later-sorting subsection or the next `## ` release heading rather than placing at `unreleased_idx + 1`. Reference fix: cmeans/mcp-synology PR #63.

## Adjustment for this repo's CHANGELOG style

This repo uses bracketed Keep-a-Changelog headings (`## [Unreleased]`, `## [0.18.3] - 2026-04-24`); cmeans/mcp-synology uses unbracketed (`## Unreleased`). The detection logic in this port accepts both forms (`is_unreleased(line)` returns `True` for either); the fresh-create path uses the bracketed form to match this repo's existing release headings. The improvement should be folded back into the canonical `dependabot-pr-hygiene-playbook` so future cascades don't have to re-discover it — followup tracked in [#401](#401), not blocking.

## AI-assistance disclosure

- [ ] No AI used in producing this PR
- [x] AI assisted with code generation (e.g., Copilot, Cursor, Claude Code)
- [x] AI assisted with review / suggestions during authoring
- [x] AI assisted with the PR body or commit messages

## QA

### Prerequisites

- `BOT_APP_ID` + `BOT_APP_PRIVATE_KEY` repo secrets configured (operator confirmed today).
- Repo labels `dependencies`, `python`, `github-actions`, `docker` exist (verified via `gh label list -R cmeans/mcp-awareness`).
- This is an operational change — verification is GitHub-side, not local. No `pip install` or test deps required.

### Manual tests (via MCP tools and GitHub state)

The playbook's verification gate is end-to-end live data, not local unit tests. Walk it after merge.

1. - [ ] **Workflow runs on `@dependabot recreate` of PR #397** — after this PR merges to `main`, post `@dependabot recreate` on #397. Within ~30s GitHub Actions should fire `Dependabot CHANGELOG` on the recreated PR. Expected outcome on the recreated PR:
   - Title rewritten to `chore(deps): bump the github-actions group with N updates` (single prefix, not doubled)
   - A new bot-authored commit appears on the branch authored by `cmeans-claude-dev[bot]` adding a CHANGELOG entry under `[Unreleased]` / `### Changed`
   - The CHANGELOG entry reads roughly `- **Bump github-actions group: actions/foo X→Y, actions/bar X→Y** (#<recreated-PR-number>)` with populated version arrows
   - Required CI checks (`lint`, `typecheck`, `test (3.10)` … `test (3.14)`, `qa-gate`, `scan`) all run and pass on the bot's HEAD SHA
   - `dependencies` and `github-actions` labels are present on the PR
2. - [ ] **Workflow runs on `@dependabot recreate` of PR #398** — same flow, on #398. Expected:
   - Title rewritten to `chore(deps): bump ollama/ollama from 0.21.0 to 0.21.2 in the docker-compose group`
   - CHANGELOG entry with populated `0.21.0→0.21.2` arrow
   - `dependencies` and `docker` labels present
3. - [ ] **Loop guard** — the bot's CHANGELOG-adding commit must NOT re-trigger the workflow. After step 1 lands, check `gh run list -R cmeans/mcp-awareness --workflow dependabot-changelog.yml --limit 5`. Expected: exactly one run per Dependabot PR commit; no infinite-loop runs.
4. - [ ] **Idempotency guard** — if step 1's PR is recreated again (e.g., a force-push), the workflow should skip rather than duplicate the CHANGELOG entry. Optional smoke test if you happen to recreate twice.

### Failure modes to watch for

- Workflow fails at `Mint GitHub App installation token` step → secrets not configured or App not installed on the repo.
- Workflow runs but pushes nothing → loop guard / idempotency guard tripped (check workflow logs for the `skipping` message).
- CHANGELOG entry has empty arrows (`Bump foo →,bar →`) → `fetch-metadata` regression; verify the SHA pin still resolves to v3.1.0.
- Required CI checks don't run on the bot's commit → App-token mint failed and the workflow fell back to `GITHUB_TOKEN`; check the App-token step output.

## Checklist

- [x] `CHANGELOG.md` entry added under `[Unreleased]` in Keep-a-Changelog format (both `### Added` and `### Changed`)
- [x] `README.md` and `docs/data-dictionary.md` updated if affected — not affected (no schema or tool count change)
- [x] No secrets, credentials, API tokens, signing keys, or `.env` contents included in the diff
- [x] `ruff check`, `mypy`, and `pytest` pass locally (1014 passed, 7 skipped — unchanged from main)
- [x] CLA — bot commit; CLA bypass workflow handles `cmeans-claude-dev[bot]` per `.github/cla-bot-allowlist`

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: cmeans-claude-dev[bot] <272174644+cmeans-claude-dev[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
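The two pieces of the PR body above that are easiest to get subtly wrong are the entry composer (the empty-arrow failure mode on grouped updates) and the Keep-a-Changelog insertion path (a fresh `### Changed` placed at `unreleased_idx + 1` lands above `### Added`). The block below is an added example written for this page, not the project's `dependabot-changelog.yml` composer, and it also reproduces the ordering the QA round checks (a second entry sits at the top of the existing `### Changed` block). It assumes, since the page does not show it, that the metadata arrives as the `updated-dependencies-json` array from `dependabot/fetch-metadata` with per-item keys `dependencyName`, `prevVersion`, `newVersion` and `dependencyGroup`; the CHANGELOG text and metadata are constructed samples.

```python
"""Compose a Dependabot CHANGELOG entry and insert it under Unreleased / ### Changed.

Added example, not the project's workflow code. Assumed field names for the
fetch-metadata `updated-dependencies-json` items: dependencyName, prevVersion,
newVersion, dependencyGroup. The CHANGELOG is only ever treated as text.
"""
import json
import re

# Keep-a-Changelog 1.1.0 subsection order; a fresh "### Changed" is created
# before the first subsection that sorts after it.
KAC_ORDER = ["Added", "Changed", "Deprecated", "Removed", "Fixed", "Security"]

_UNRELEASED = re.compile(r"^## \[?Unreleased\]?\s*$")  # bracketed or bare heading
_SUBSECTION = re.compile(r"^### (\w+)\s*$")
_PR_REF = re.compile(r"\(#(\d+)\)\s*$")


def is_unreleased(line: str) -> bool:
    """True for both `## [Unreleased]` (this repo) and `## Unreleased` (mcp-synology)."""
    return _UNRELEASED.match(line) is not None


def compose_entry(metadata_json: str, pr_number: int) -> str:
    """Build `- **Bump <group> group: pkg X→Y, ...** (#N)`; refuse empty arrows."""
    deps = json.loads(metadata_json)
    if not deps:
        raise ValueError("no updated dependencies in metadata")
    arrows = []
    for dep in deps:
        prev = dep.get("prevVersion") or ""
        new = dep.get("newVersion") or ""
        if not prev or not new:
            # Fail loudly instead of committing "Bump foo →" with an empty arrow.
            raise ValueError(f"missing version for {dep.get('dependencyName')!r}")
        arrows.append(f"{dep['dependencyName']} {prev}→{new}")
    group = deps[0].get("dependencyGroup") or ""
    head = f"Bump {group} group: " if group else "Bump "
    return f"- **{head}{', '.join(arrows)}** (#{pr_number})"


def insert_changed_entry(changelog: str, entry: str, subsection: str = "Changed") -> tuple[str, bool]:
    """Return (new_text, changed); changed is False when the PR is already recorded."""
    lines = changelog.splitlines()
    start = next((i for i, line in enumerate(lines) if is_unreleased(line)), None)
    if start is None:
        raise ValueError("no Unreleased heading found")
    # The Unreleased section ends at the next "## " release heading (or EOF).
    end = next((i for i in range(start + 1, len(lines)) if lines[i].startswith("## ")), len(lines))

    # Idempotency guard: a recreated or force-pushed PR must not get a second entry.
    ref = _PR_REF.search(entry)
    if ref and any(line.rstrip().endswith(f"(#{ref.group(1)})") for line in lines[start:end]):
        return changelog, False

    headings = [(i, m.group(1)) for i in range(start + 1, end)
                if (m := _SUBSECTION.match(lines[i]))]
    for i, name in headings:
        if name == subsection:
            # Existing subsection: the new entry goes on top, just after the heading.
            j = i + 1
            while j < end and lines[j].strip() == "":
                j += 1
            lines.insert(j, entry)
            return "\n".join(lines) + "\n", True

    # Fresh subsection: walk forward to the first later-sorting subsection, else
    # to the next release heading; never blindly at unreleased_idx + 1.
    rank = KAC_ORDER.index(subsection)
    create_at = next((i for i, name in headings
                      if name in KAC_ORDER and KAC_ORDER.index(name) > rank), end)
    block = [f"### {subsection}", "", entry, ""]
    if create_at > 0 and lines[create_at - 1].strip():
        block.insert(0, "")
    lines[create_at:create_at] = block
    return "\n".join(lines) + "\n", True


# Constructed sample inputs modelled on this PR; not copied from the repository.
SAMPLE_METADATA_JSON = json.dumps([{"dependencyName": "ollama/ollama", "prevVersion": "0.21.0",
                                    "newVersion": "0.21.2", "dependencyGroup": "docker-compose"}])
SAMPLE_CHANGELOG = """\
# Changelog

## [Unreleased]

### Added

- Dependabot CHANGELOG automation (#400)

### Fixed

- Bound in-memory maps in long-running deployments (#396)

## [0.18.3] - 2026-04-24

### Changed

- Previous release entry
"""

if __name__ == "__main__":
    entry = compose_entry(SAMPLE_METADATA_JSON, 398)
    text, changed = insert_changed_entry(SAMPLE_CHANGELOG, entry)
    print(text if changed else "skipping: entry already present")
```

Because the surrounding workflow runs on `pull_request_target` with an App installation token in scope, the step that does this work should stay a pure text transform over `CHANGELOG.md` and the metadata output: nothing taken from the checked-out PR head (scripts, Makefile targets, pre-commit hooks) should be executed in that job, or the Dependabot-only filter becomes the sole thing standing between a forged head and a write-capable token.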
force-pushed 9183c6d to 26c7360
@dependabot recreate

Bumps the docker-compose group with 1 update in the / directory: ollama/ollama.

Updates `ollama/ollama` from 0.21.0 to 0.21.2

---
updated-dependencies:
- dependency-name: ollama/ollama
  dependency-version: 0.21.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: docker-compose
...

Signed-off-by: dependabot[bot] <support@github.com>
force-pushed fcf8a23 to b371b3d
Adding QA Active — round 1 review (docker-compose ecosystem playbook validation).

cmeans left a comment
QA Round 1 — Verdict: Ready for QA Signoff
Head de08566. Playbook validation end-to-end clean on the docker-compose ecosystem path. Zero substantive findings.
What the playbook delivered (validation passes)
| # | Behavior | Evidence |
|---|---|---|
| 1 | Single-prefix title | chore(deps): bump ollama/ollama from 0.21.0 to 0.21.2 in the docker-compose group across 1 directory ✓ |
| 2 | Auto-CHANGELOG entry with populated arrow | New line under ### Changed: - **Bump docker-compose group: ollama/ollama 0.21.0→0.21.2** (#398) ✓ |
| 3 | KaC ordering | New entry sits at top of ### Changed block, above the #397 entry — correct insertion via the ### Changed-found path ✓ |
| 4 | Bot commit attribution | de08566 cmeans-claude-dev[bot] <272174644+cmeans-claude-dev[bot]@users.noreply.github.com> ✓ |
| 5 | App-token push re-fired CI | All checks SUCCESS on de08566: lint, typecheck, test 3.10–3.14, scan, audit, codecov, CodeQL (actions+python). Dependabot CHANGELOG workflow ran cleanly (first run on this PR, no idempotency skip) ✓ |
| 6 | Upstream tag exists | ollama/ollama:0.21.2 present on Docker Hub (digest sha256:f75b63e3…, last_pulled within minutes) ✓ |
| 7 | No stale-pin drift elsewhere | Repo-wide grep: only docker-compose.qa.yaml line 77 carries the pin (correctly bumped to 0.21.2); the three image: ollama/ollama:latest references in docker-compose.yaml, docker-compose.oauth.yaml, and .github/workflows/ci.yml are intentionally untracked per the dependabot.yml comment ("Dependabot skips :latest tags") ✓ |
| 8 | No comment-above-line drift | The image: directive in docker-compose.yaml has no version-comment-above-line pattern, so the convention drift that hit #397 doesn't apply here ✓ |
| 9 | Local pytest unchanged from main | 1014 passed, 7 skipped, 4 warnings after fresh .hypothesis/ clear ✓ |
Findings
| # | Severity | Finding |
|---|---|---|
| 1 | Observation | Missing docker ecosystem label — same recreate-flow limitation as #397. The post-#400 dependabot.yml lists labels: ["dependencies", "docker"] for docker-compose, but PR #398 has only dependencies because the PR was opened before #400 merged and @dependabot recreate doesn't re-fire Dependabot's PR-creation label step. Maintainer can add docker manually if desired; not blocking — the next fresh weekly bump will pick up labels at PR-creation time. Same disposition as #397 round-1 finding #2. |
No substantive findings; no new playbook-level gaps to track. Both #401 and #402 from prior rounds capture the known cross-cutting items.
Verdict
Ready for QA Signoff — handing off to maintainer for QA Approved + merge.
Playbook validation summary across the cascade
After PR #400's merge, the playbook has now been validated end-to-end on this repo across two ecosystem paths:
- github-actions (PR #397): ✓ via @dependabot recreate
- docker-compose (PR #398): ✓ via @dependabot recreate
The pip ecosystem path will validate organically on the next weekly Dependabot cycle (Monday 03:00 America/Chicago, grouped python-production / python-development bumps). No further action needed.
🤖 Generated with Claude Code
QA Audit — round 1
Label transitioning:
…ing polish (#403)

## Linked issue

Fixes # — release-stamp PR; no underlying ticket.

## Summary

Version stamp only. **No source code changes, no tests, no schema, no migrations.** Every functional change in this release landed as its own QA-reviewed feature PR since v0.18.3 (2026-04-24); this PR collapses `[Unreleased]` to a dated `[0.18.4]` heading and bumps `pyproject.toml`.

## What's in v0.18.4

| Section | Entry | PR | Squash |
|---|---|---|---|
| Added | Dependabot CHANGELOG automation + ecosystem labels (auto-prepends `### Changed` entry on Dependabot PRs, App-token push so CI re-fires, `fetch-metadata` v3.1.0, KaC ordering, post-#63 inline composer) | [#400](#400) | `5a6e229` |
| Changed | `remind()` docstring clarifies the three `deliver_at` modes (future / current-or-past / omitted) | [#399](#399) | `5cbf34e` |
| Changed | docker-compose group bump: `ollama/ollama` 0.21.0→0.21.2 | [#398](#398) | `5609c2a` |
| Changed | github-actions group bumps: `docker/build-push-action` 6.19.2→7.1.0, `docker/setup-buildx-action` 3.12.0→4.0.0 | [#397](#397) | `6f9bef6` |
| Changed | `.github/dependabot.yml` commit-message prefix corrected to bare `chore` (drops the `chore(deps)(deps):` doubled-prefix bug) | [#400](#400) | `5a6e229` |
| Fixed | Bound `AuthMiddleware._owner_inflight` and `RateLimiter._hits` to prevent unbounded growth in long-running deployments — operational memory-leak fix | [#396](#396) | `691481f` |
| Security | CLA bypass workflow for whitelisted bot authors on workflow-touching PRs | [#387](#387) | `da6f9bf` |

Headlines:

- **Operational memory-leak fix** (#396) — the load-bearing item for long-running multi-tenant deploys.
- **Dependabot infra is now end-to-end validated on this repo** — single-prefix titles, auto-CHANGELOG with populated arrows, KaC ordering, App-token CI re-firing, ecosystem labels. Validated live by recreating #397 (github-actions ecosystem) and #398 (docker-compose ecosystem) post-#400 merge.

## Scope

```
CHANGELOG.md   | 5 ++++-
pyproject.toml | 2 +-
2 files changed, 5 insertions(+), 2 deletions(-)
```

## AI-assistance disclosure

- [ ] No AI used in producing this PR
- [x] AI assisted with code generation (release stamp + PR body)
- [x] AI assisted with the PR body or commit messages

## QA

### Prerequisites

Per project CLAUDE.md release-process: **release PRs are version-stamp only — no manual QA tests required**, since all code was already tested and QA-approved as feature PRs. Lightweight QA below is for mechanical correctness of the stamp itself.

### Manual checks

1. - [x] **Version bump** — `grep '^version =' pyproject.toml` returns `version = "0.18.4"`
2. - [x] **CHANGELOG date heading** — `grep '## \[0.18.4\]' CHANGELOG.md` returns `## [0.18.4] - 2026-04-27`
3. - [x] **Comparison links** — `grep '^\[0.18.4\]\|^\[Unreleased\]' CHANGELOG.md` returns:
   ```
   [Unreleased]: v0.18.4...HEAD
   [0.18.4]: v0.18.3...v0.18.4
   ```
4. - [x] **No source diff** — `git diff main...HEAD --stat` shows only `CHANGELOG.md` and `pyproject.toml`
5. - [x] **Suite still green** — `python -m pytest tests/ -q` returns `1014 passed, 7 skipped` (unchanged from main; no new tests in this PR)

## Post-merge sequence

After this PR is QA-approved and merged, the maintainer:

1. Tag the merge commit: `git tag -a v0.18.4 -m "v0.18.4 — dependabot infra + memory-leak fix + docstring polish"`
2. Push the tag: `git push origin v0.18.4`
3. Tag push triggers `docker-publish.yml` → builds and pushes `ghcr.io/cmeans/mcp-awareness:v0.18.4` + updates `:latest`
4. Holodeck prod (venv/systemd LXCs, not Docker) picks up via `scripts/holodeck/deploy.sh` (operator runs)
5. On first post-deploy `get_briefing` per owner, the briefing fix from v0.18.3 is already live so accumulated `fired` handoffs continue to surface (no behavioral change there)
6. v0.18.4 doesn't introduce new tools or schemas — no Claude Desktop / awareness-prompt updates needed

## Checklist

- [x] `CHANGELOG.md` `[Unreleased]` renamed to `[0.18.4] - 2026-04-27`; fresh empty `[Unreleased]` placeholder above
- [x] Comparison links updated (added `[0.18.4]`, repointed `[Unreleased]` to `v0.18.4...HEAD`)
- [x] `pyproject.toml` version bumped 0.18.3 → 0.18.4
- [x] `README.md` unchanged — no test count, tool count, or current-status references touched (none were stale)
- [x] No secrets, credentials, or `.env` content in the diff
- [x] `ruff check`, `mypy` clean; `pytest` 1014/7-skipped (unchanged from main)
- [x] CLA — bot commit; CLA bypass workflow handles `cmeans-claude-dev[bot]` per `.github/cla-bot-allowlist`

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: cmeans-claude-dev[bot] <272174644+cmeans-claude-dev[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Bumps the docker-compose group with 1 update in the / directory: ollama/ollama.

Updates `ollama/ollama` from 0.21.0 to 0.21.2