chore: cascade Dependabot PR hygiene (PR template + auto-CHANGELOG workflow)

[cmeans-claude-dev]

Summary

Cascades the dependabot-pr-hygiene playbook from cmeans/mcp-synology (PR #58) and cmeans/pypi-winnow-downloads (PR #25) onto this repo, completing parity with the other two repos in the cascade. Builds on PR #94, which landed .github/dependabot.yml.

What's added

• .github/PULL_REQUEST_TEMPLATE.md — auto-fills new human-authored PR bodies with Summary, Test plan, and CHANGELOG sections. Test plan items match this repo's CI commands exactly (uv run pytest, uv run ruff check src/ tests/, uv run ruff format --check src/ tests/, uv run mypy src/mcp_clipboard/). Dependabot bypasses the template.
• .github/workflows/dependabot-changelog.yml — pull_request_target workflow filtered to dependabot[bot]. Mints a GitHub App installation token (so commits attribute correctly and would re-fire required pull_request workflows under any future ruleset change), runs dependabot/fetch-metadata@v3.1.0 (the v3 line fixed empty prevVersion/newVersion on grouped PRs, per the playbook's Gotcha 3), and prepends an ## [Unreleased] → ### Changed entry to CHANGELOG.md. Includes the post-Date inference uses exception-driven parsing for every cell #26 fix: subsection creation respects Keep-a-Changelog v1.1.0 ordering (Added → Changed → Deprecated → Removed → Fixed → Security) so a freshly-created ### Changed lands in the right position. Tolerant of both ## Unreleased and ## [Unreleased] heading forms; defaults to brackets on creation to match this repo's existing style.
• CLAUDE.md § Conventions — documents the per-PR CHANGELOG rule and the Keep-a-Changelog category set (Added / Changed / Fixed), mirroring mcp-synology's CLAUDE.md.

Operator action required

Before the workflow can run, configure two repo secrets on cmeans/mcp-clipboard:

• BOT_APP_ID — numeric 3223881
• BOT_APP_PRIVATE_KEY — full PEM contents

Without those secrets the App-token mint step fails fast and Dependabot PRs land without an auto-CHANGELOG entry. Dependabot's first scheduled run is Monday 06:00 America/Chicago, so there is time after merge to configure secrets.

Notes vs the other repos in the cascade

• This repo's CHANGELOG uses ## [Unreleased] (with brackets); mcp-synology uses ## Unreleased (no brackets). The workflow's heading matcher accepts either form (same as pypi-winnow-downloads' adapted version) and preserves whichever it found.
• This repo's main ruleset does not currently require status checks, so the App-token mechanism is technically optional here — secrets.GITHUB_TOKEN would be sufficient. App-token is kept anyway for parity, correct bot attribution, and forward-compatibility with any future ruleset tightening.

Test plan

• After merge, configure BOT_APP_ID + BOT_APP_PRIVATE_KEY repo secrets
• Confirm .github/workflows/dependabot-changelog.yml shows up in Actions tab
• On the next Dependabot PR (Monday 06:00 CT or @dependabot recreate an earlier one once it exists), confirm the auto-CHANGELOG commit lands attributed to cmeans-claude-dev[bot] with subject chore(changelog): record dep bumps from #N
• Confirm the CHANGELOG entry lands under ### Changed with correct version arrows (e.g., actions/checkout 4→6)
• Spot-check that opening a fresh human-authored PR auto-fills the template body

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[cmeans]

LGTM

[cmeans]

QA Review — Round 1 (cascade workflow)

Head 710cb4f. 4 files / +289/0: PR template, dependabot-changelog workflow, CLAUDE.md Conventions section, CHANGELOG entry.

Playbook conformance

Cross-referenced against the dependabot-pr-hygiene playbook (mcp-synology #58 → pypi-winnow-downloads #25):

Playbook requirement	Verified
pull_request_target trigger	✅ line 33
Job filtered to dependabot[bot]	✅ line 42
App-token auth (NOT secrets.GITHUB_TOKEN)	✅ line 47
Workflow permissions: scoped to contents: read + pull-requests: read (App token does the writes)	✅ lines 36–38
Loop guard — skip if last commit is by the bot	✅ lines 65–68
Idempotency guard — skip if (#N) already in CHANGELOG	✅ lines 70–72
Group preference — dependency-group first, fall back to package-ecosystem	✅ lines 104–106
Bot identity uses numeric user id, not App ID	✅ GH_BOT_USER_ID: '272174644' (line 201, 213); verified live: gh api 'users/cmeans-claude-dev%5Bbot%5D' returns id: 272174644, type: Bot
fetch-metadata v3.1.0 (post-grouped-PR-empty-versions fix)	✅ line 80
Heading matcher tolerates both ## Unreleased and ## [Unreleased]	✅ lines 143, 145
Keep-a-Changelog v1.1.0 ordering on fresh ### Changed creation	✅ lines 183–188 (fix for the issue #26 dormant ordering bug)

SHA pins — independently verified against upstream tags via gh api /repos/.../git/refs/tags/...

Action	Pin in workflow	Upstream v?.?.? resolves to
actions/create-github-app-token@v3.1.1	1b10c78c7865c340bc4f6099eb2f838309f1e8c3	✅ exact match
actions/checkout@v6.0.2	de0fac2e4500dabe0009e67214ff5f5447ce83dd	✅ exact match
dependabot/fetch-metadata@v3.1.0	25dd0e34f4fe68f24cc83900b1fe3fe149efef98	✅ exact match

Algorithm dry-run (against this branch's CHANGELOG.md, simulating PR #95 metadata)

Ran the workflow's inline Python locally with a synthetic DEPS_JSON for the codecov-action 5→6 bump. Took the existing-### Changed branch (idx 42), inserted at line 43:

### Changed
- **Bump github-actions group: codecov/codecov-action 5→6** (#95)
- Add `workflow_dispatch:` trigger to `pr-labels-ci.yml` ...

Newest entry at top of ### Changed, existing entries preserved, no formatting damage. Algorithm produces the expected entry shape end-to-end.

Other verification

Check	Result
python3 -c "import yaml; yaml.safe_load(open('.github/workflows/dependabot-changelog.yml'))"	clean; triggers: ['pull_request_target']; permissions: {'contents': 'read', 'pull-requests': 'read'}
uv run pytest -q	488 passed, 6 deselected, 5 xfailed
uv run ruff check src/ tests/	clean
uv run mypy src/	clean
PR template Test plan commands match ci.yml exactly	✅ uv run pytest, ruff check src/ tests/, ruff format --check src/ tests/, mypy src/mcp_clipboard/ (matches ci.yml:25, :28, :45)
CHANGELOG entry on this PR (under ### Added)	✅ multi-bullet, accurately describes all three artifacts
CLAUDE.md ## Conventions mirrors mcp-synology pattern	✅ per-PR rule + Keep-a-Changelog category set + Dependabot exemption explanation
CI rollup on 710cb4f	all SUCCESS (lint / typecheck / test 3.11–3.13 / on-push / qa-approved / codecov-patch)

Test plan

Items 1–5 are all post-merge — none pre-merge testable.

Verdict

Ready for QA Signoff. Zero open findings. The workflow is a faithful, exact port of the playbook with all five known footguns handled (App-token vs GITHUB_TOKEN, numeric bot user id, fetch-metadata v3.1.0, Keep-a-Changelog ordering on fresh subsections, dual heading-format support). SHA pins and bot identity verified live against upstream and GitHub API.

After merge, the unblock sequence for end-to-end cascade validation:

1. Configure repo secrets BOT_APP_ID and BOT_APP_PRIVATE_KEY on cmeans/mcp-clipboard.
2. You post @dependabot recreate on PR #95 (not me — bot-posted Dependabot slash-commands are silently ignored, per the dependabot-recreate-no-bot-posts rule).
3. Recreated #95 will trigger this workflow on its first synchronize event; expect a follow-up commit by cmeans-claude-dev[bot] titled chore(changelog): record dep bumps from #95, with a ### Changed entry of the form - **Bump github-actions group: codecov/codecov-action 5→6** (#95).
4. After that's observed, mcp-clipboard joins mcp-synology and pypi-winnow-downloads as a fully-validated cascade target.

[cmeans]

Applying Ready for QA Signoff as the final act of round 1: zero findings, full playbook conformance, all 3 SHA pins independently verified against upstream tags, bot user id verified live (272174644), algorithm dry-run produces correct entry shape against this branch's CHANGELOG, all CI green on 710cb4f. Pre-merge testable surface fully exercised. Test plan items 1–5 are all post-merge. Awaiting maintainer QA Approved.