From 206413b79458c7a19cdf9ec07da57d263df05dfd Mon Sep 17 00:00:00 2001
From: Alex Ivantsov
Date: Mon, 4 May 2026 15:25:09 -0400
Subject: [PATCH] =?UTF-8?q?fix(ci):=20dependabot=20auto-merge=20=E2=80=94?= =?UTF-8?q?=20block=20grouped=20major=20bumps?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Old check evaluated steps.meta.outputs.update-type which only reflects the first dependency in a grouped PR. A grouped PR with one minor dep + several major-bump deps would auto-merge unattended. Incident 2026-05-04: Operational-Dashboard PR #7 (grouped runtime-deps) included astro 5→6, tailwind 3→4, TS 5→6. Auto-merged. CF Workers Build rejected the resulting peer-dep tree, dashboard.umbrellaitgroup.com went down. New check additionally requires steps.meta.outputs.dependency-major-versions-changed == '' which is non-empty when ANY dep in the group has a major bump. Major-bump PRs get labeled 'needs-review,major-version' so they don't sit silently. Bumps fetch-metadata to v3 if not already.
---
 .github/workflows/dependabot-auto-merge.yml | 26 +++++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
index ea21c22..efab016 100644
--- a/.github/workflows/dependabot-auto-merge.yml
+++ b/.github/workflows/dependabot-auto-merge.yml
@@ -17,9 +17,31 @@ jobs:
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Enable auto-merge for patch + minor bumps
-        if: steps.meta.outputs.update-type == 'version-update:semver-patch' || steps.meta.outputs.update-type == 'version-update:semver-minor'
+      # Block auto-merge when ANY dep in the PR is a major bump.
+      # `dependency-major-versions-changed` is non-empty when ANY dep in
+      # a grouped PR has a major bump, even if `update-type` (which only
+      # reflects the first dep in the group) says "minor".
+      #
+      # Incident reference (2026-05-04): grouped runtime-deps PR in
+      # Operational-Dashboard included astro 5→6, tailwind 3→4, TS 5→6.
+      # Old check evaluated `semver-minor` true on the first entry and
+      # merged the whole batch. CF Workers Build then rejected the tree.
+      - name: Enable auto-merge for non-major bumps only
+        if: |
+          (steps.meta.outputs.update-type == 'version-update:semver-patch'
+          || steps.meta.outputs.update-type == 'version-update:semver-minor')
+          && steps.meta.outputs.dependency-major-versions-changed == ''
         run: gh pr merge --squash --auto "$PR_URL"
         env:
           PR_URL: ${{ github.event.pull_request.html_url }}
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      # Major bumps need hand review. Label so they don't sit silently.
+      # `|| true` because the label may not exist in the repo yet — that
+      # shouldn't fail the workflow, the auto-merge skip already protects.
+      - name: Label major-version PRs for hand review
+        if: steps.meta.outputs.dependency-major-versions-changed != ''
+        run: gh pr edit "$PR_URL" --add-label "needs-review,major-version" || true
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
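Review bot: The rewritten `if:` on the `Enable auto-merge for non-major bumps only` step fails open: if the pinned fetch-metadata version does not emit `dependency-major-versions-changed`, the output expands to an empty string, `== ''` holds, and a grouped major bump auto-merges exactly as in the incident, while the labeling step below it never fires. The commit message says fetch-metadata is bumped to v3 "if not already", but the diffstat (24 insertions, 2 deletions) is fully accounted for by this hunk, so the step's `uses:` line above the hunk is untouched; confirm the pinned version actually provides that output, and prefer pinning it by commit SHA so a moved tag cannot silently change which outputs exist. On the labeling step, `|| true` hides every failure — an expired token or a missing `pull-requests: write` permission as much as an absent label; creating the labels in a prior step with `gh label create needs-review --force` (and likewise `major-version`), or at least `|| echo "::warning::failed to label $PR_URL"`, keeps that signal visible in the run log. The step containing `steps.meta` starts above this hunk, so its version pin cannot be verified from the diff alone.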