chore(ci): Add automated ratchet update workflow and disable dependabot actions updates

[yamadashy]

Summary

This PR introduces automated GitHub Actions SHA updates using ratchet instead of dependabot:

• Added: ratchet-update.yml workflow for weekly automated SHA updates
• Modified: Disabled dependabot github-actions updates in dependabot.yml
• Improved: Automated PR creation when updates are available

Changes

New Workflow Features

• Runs every Monday at midnight UTC via cron schedule
• Manual trigger support via workflow_dispatch
• Automatically creates PRs when SHA updates are available
• Proper permissions and security through SHA pinning
• Uses ratchet v0.11.3 for reliable SHA management

Dependabot Configuration

• Removed github-actions ecosystem from dependabot.yml
• Prevents duplicate update mechanisms
• Maintains security while reducing noise

This approach provides more controlled and predictable GitHub Actions updates compared to dependabot's frequent PRs.

Checklist

• Run npm run test
• Run npm run lint

[coderabbitai]

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

Dependabot configuration was changed to use an empty updates list. A new GitHub Actions workflow, “Ratchet update,” was added to periodically pin action SHAs and open a PR with changes detected in workflow files.

Changes

Cohort / File(s)	Summary
Dependabot config /.github/dependabot.yml	Replaced a configured GitHub Actions update rule with updates: []; retained version: 2.
Ratchet SHA pinning workflow .github/workflows/ratchet-update.yml	Added workflow scheduled weekly and via manual dispatch; checks out repo, sets up Go, installs ratchet v0.11.3, pins SHAs in .github/workflows/*.yml, diffs for changes, and conditionally opens a PR via peter-evans/create-pull-request.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    actor User as User
    participant GH as GitHub Actions
    participant Job as Job: update
    participant Repo as Repository
    participant Ratchet as ratchet

    Note over GH: Triggers: schedule (Mon 00:00 UTC) or workflow_dispatch
    GH->>Job: Start workflow (permissions: contents/prs write)
    Job->>Repo: actions/checkout@v4
    Job->>Job: Setup Go (stable)
    Job->>Job: Install ratchet v0.11.3
    Job->>Ratchet: ratchet update .github/workflows/*.yml
    Ratchet-->>Job: Updated workflow files (if any)
    Job->>Repo: git diff
    alt Changes detected
        Job->>Repo: create-pull-request@v6<br/>branch: chore/update-actions-shas
        Repo-->>User: PR "chore(ci): Update pinned GitHub Actions SHAs"
    else No changes
        Job->>GH: Exit without PR
    end

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• Add dependabot, remove 16.x from build step #228 — Also modifies .github/dependabot.yml updates list, making it closely related in config intent.
• chore: add ratchet tooling for automated SHA pinning enforcement #652 — Introduces ratchet-based tooling/workflows; directly related to adding the ratchet update workflow.
• chore(ci): Update GitHub Actions dependencies #668 — Updates pinned SHAs in workflows; related to the new workflow that automates those updates.

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch chore/ratchet-update-ci

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

‼️ IMPORTANT
Auto-reply has been disabled for this repository in the CodeRabbit settings. The CodeRabbit bot will not respond to your replies unless it is explicitly tagged.

• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[claude]

Claude encountered an error —— View job

---

I'll analyze this and get back to you.

[gemini-code-assist]

Summary of Changes

Hello @yamadashy, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request transitions the repository's GitHub Actions dependency update mechanism from Dependabot to a new, more controlled automated workflow utilizing Ratchet. The primary goal is to gain more predictable updates for GitHub Actions SHAs, reducing the frequency of pull requests generated by Dependabot while maintaining security and ensuring proper SHA pinning. This involves adding a new workflow for Ratchet-based updates and disabling the corresponding Dependabot configuration.

Highlights

• New Automated Workflow for GitHub Actions SHA Updates: A new workflow file, .github/workflows/ratchet-update.yml, has been introduced. This workflow is designed to automate weekly GitHub Actions SHA updates using the Ratchet tool, supporting manual triggering and automatic pull request creation when updates are available. This ensures proper permissions and security through SHA pinning.
• Dependabot Configuration Update: The .github/dependabot.yml file has been modified to remove the github-actions package ecosystem entry. This change disables Dependabot's ability to create pull requests for GitHub Actions updates, preventing redundant update mechanisms and reducing PR noise.
• Improved Control and Predictability of Updates: The overall approach shifts from Dependabot's frequent updates to a Ratchet-based system, providing more controlled and predictable updates for GitHub Actions. This change aims to maintain security while offering a more streamlined update process.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in issue comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[Copilot]

Pull Request Overview

This PR replaces dependabot's GitHub Actions updates with a custom ratchet-based automation workflow to provide more controlled and predictable SHA updates.

• Introduces automated weekly ratchet workflow for GitHub Actions SHA updates
• Disables dependabot's github-actions ecosystem to prevent duplicate automation
• Implements proper PR creation workflow with manual trigger capability

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
.github/workflows/ratchet-update.yml	New workflow implementing weekly automated SHA updates using ratchet v0.11.3
.github/dependabot.yml	Removes github-actions ecosystem configuration, leaving empty updates array

[cloudflare-workers-and-pages]

Deploying repomix with    Cloudflare Pages

Latest commit:	c42aa4f
Status:	✅  Deploy successful!
Preview URL:	https://1b3589ce.repomix.pages.dev
Branch Preview URL:	https://chore-ratchet-update-ci.repomix.pages.dev

View logs

[gemini-code-assist]

Code Review

This pull request correctly disables Dependabot for GitHub Actions updates by modifying dependabot.yml, in preparation for using a new ratchet workflow. The change is simple and effective. I have one suggestion regarding the dependabot.yml file to improve repository maintainability by removing unnecessary configuration.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 88.59%. Comparing base (dbf406c) to head (c42aa4f).
⚠️ Report is 8 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #795   +/-   ##
=======================================
  Coverage   88.59%   88.59%           
=======================================
  Files         110      110           
  Lines        6192     6192           
  Branches     1282     1282           
=======================================
  Hits         5486     5486           
  Misses        706      706           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (6)

.github/workflows/ratchet-update.yml (6)

14-16: Add ratchet annotation for actions/checkout so it can be auto-updated.

Without a ratchet:… mapping comment, ratchet can’t resolve which ref to track. You used the correct annotation for setup-go; mirror that here.

Apply:

-      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # ratchet:actions/checkout@v4

---

18-21: Optional: Pin Go to a minor release for reproducibility.

go-version: stable is fine, but pinning to a minor version reduces drift in ratchet’s build environment.

-          go-version: stable
+          go-version: "1.22.x"

---

27-30: Include .yaml files in ratchet update target.

Some workflows may use .yaml. Broadening the glob reduces the chance of missed updates.

-          ratchet update .github/workflows/*.yml
+          ratchet update .github/workflows/*.{yml,yaml}

---

40-43: Add ratchet annotation for create-pull-request action.

Same rationale as checkout — without the ratchet tag mapping, ratchet won’t know which ref to track.

-        uses: peter-evans/create-pull-request@70a41aba780001da0a30141984ae2a0c95d8704e # v6
+        uses: peter-evans/create-pull-request@70a41aba780001da0a30141984ae2a0c95d8704e # ratchet:peter-evans/create-pull-request@v6

---

54-56: Pre-checked checklist is misleading since the workflow doesn’t run tests/lint.

Either remove the checklist or leave boxes unchecked to reflect reality.

-            - [x] Run `npm run test`
-            - [x] Run `npm run lint`
+            - [ ] Run `npm run test`
+            - [ ] Run `npm run lint`

---

58-58: Add a trailing newline.

YAMLlint flagged “no new line at end of file.” Add a newline for POSIX compatibility.

-          delete-branch: true
+          delete-branch: true
+

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between eb662c1 and 1f99b0b.

📒 Files selected for processing (2)

• .github/dependabot.yml (1 hunks)
• .github/workflows/ratchet-update.yml (1 hunks)

🧰 Additional context used

🪛 YAMLlint (1.37.1)

.github/workflows/ratchet-update.yml

[error] 58-58: no new line character at the end of file

(new-line-at-end-of-file)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)

• GitHub Check: Test (macos-latest, 24.x)
• GitHub Check: Test (macos-latest, 21.x)
• GitHub Check: Test (ubuntu-latest, 23.x)
• GitHub Check: Test (windows-latest, 23.x)
• GitHub Check: Test (windows-latest, 21.x)
• GitHub Check: Test (windows-latest, 22.x)
• GitHub Check: Test (windows-latest, 20.x)
• GitHub Check: Build and run (windows-latest, 20.x)

🔇 Additional comments (2)

.github/workflows/ratchet-update.yml (2)

10-12: Permissions look good.

contents: write and pull-requests: write are the correct minimal permissions for committing and opening PRs.

---

31-38: Change detection logic is sound.

git diff --quiet is a clean way to signal whether there are staged/unstaged changes. Using GITHUB_OUTPUT is correct.