
ci: add CODEOWNERS, PR title validation, and dependabot auto-merge#447

Draft
arthrod wants to merge 2 commits into
mainfrom
claude/cool-tesla-GvZzZ

Conversation

@arthrod
Collaborator

@arthrod arthrod commented Jun 4, 2026

Summary

Test plan

  • Open a PR with a non-conventional title → PR Title check fails
  • Open a PR with a valid title (e.g. fix(link): handle empty href) → check passes
  • Open a dependabot PR → auto-merge fires after CI green
  • Verify @arthrod is auto-requested as reviewer on new PRs

https://claude.ai/code/session_01La31wbSAFscvEpH7TBEQVU


Generated by Claude Code

Summary by Sourcery

Enforce PR title conventions and automate dependency PR handling while updating key frontend dependencies.

New Features:

  • Introduce a PR title validation workflow that enforces Conventional Commits formatting on pull requests.
  • Add an auto-merge workflow to automatically squash-merge successful Dependabot pull requests.
  • Define repository code owners to automatically request reviews on relevant pull requests.

Enhancements:

  • Bump frontend and editor-related dependencies, including Next.js, lodash, Excalidraw, PostCSS, and mermaid across apps and packages to newer patch versions.

CI:

  • Add a GitHub Actions workflow to validate PR titles against a Conventional Commits regex on PR events.
  • Add a GitHub Actions workflow to enable automatic squash-merging of Dependabot pull requests after checks pass.

Chores:

  • Introduce a CODEOWNERS file to configure default reviewers for changes across the repository.
  • Refresh the pnpm lockfile to align with updated dependency versions.
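
The title check described in the test plan above, as an added example in shell rather than the repository's own pr-title.yml: a function that takes a PR title and applies a Conventional Commits pattern (type, optional scope, optional `!` breaking marker, then `: description`), with the release-PR title `[Release] Version packages` passed through untouched, as the workflow on this page does. The accepted type list and the characters allowed in a scope are this example's assumptions; the workflow's actual regex is not reproduced on the page.

```shell
#!/usr/bin/env bash
# Added example, not the repository's pr-title.yml: the check a PR-title
# workflow step performs, written as a function that takes the title.
# Assumptions (editor's choice, not from the page): the accepted type list
# and the characters allowed in a scope.

# Release PRs use exactly this title and skip validation.
RELEASE_TITLE='[Release] Version packages'

# <type>(<optional scope>)<optional !>: <description>
CC_PATTERN='^(feat|fix|docs|style|refactor|perf|test|build|ci|chore|revert)(\([a-z0-9._/-]+\))?!?: [^ ].*$'

# validate_pr_title <title>: exit 0 when the title is acceptable, 1 otherwise.
validate_pr_title() {
  local title="$1"
  [ "$title" = "$RELEASE_TITLE" ] && return 0
  printf '%s\n' "$title" | grep -Eq "$CC_PATTERN"
}

# explain_pr_title <title>: print the verdict a CI step would log; same exit code.
explain_pr_title() {
  if validate_pr_title "$1"; then
    echo "Title OK: $1"
    return 0
  fi
  cat >&2 <<EOF
PR title does not follow Conventional Commits: "$1"
Expected: <type>(<scope>)!: <description>, with (<scope>) and ! optional.
Examples:
  fix(link): handle empty href
  feat(editor)!: drop the legacy plugin API
  ci: add CODEOWNERS
EOF
  return 1
}

# Run with a title on the command line to check it, e.g.
#   bash pr-title-check.sh "fix(link): handle empty href"
if [ "$#" -gt 0 ]; then
  explain_pr_title "$*"
fi
```

The pattern requires a space after the colon and a non-empty description, so `fix:missing space` and `fix: ` fail along with free-form titles such as `Update lodash`; the release title is compared for exact equality rather than matched, so it cannot be widened by accident.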

dependabot Bot and others added 2 commits June 4, 2026 18:41
…updates

Bumps the npm_and_yarn group with 4 updates in the / directory: [@excalidraw/excalidraw](https://github.com/excalidraw/excalidraw), [lodash](https://github.com/lodash/lodash), [postcss](https://github.com/postcss/postcss) and [mermaid](https://github.com/mermaid-js/mermaid).
Bumps the npm_and_yarn group with 3 updates in the /apps/www directory: [@excalidraw/excalidraw](https://github.com/excalidraw/excalidraw), [lodash](https://github.com/lodash/lodash) and [postcss](https://github.com/postcss/postcss).
Bumps the npm_and_yarn group with 1 update in the /packages/excalidraw directory: [@excalidraw/excalidraw](https://github.com/excalidraw/excalidraw).


Updates `@excalidraw/excalidraw` from 0.18.0 to 0.18.1
- [Release notes](https://github.com/excalidraw/excalidraw/releases)
- [Commits](excalidraw/excalidraw@v0.18.0...v0.18.1)

Updates `lodash` from 4.17.21 to 4.18.1
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.18.1)

Updates `postcss` from 8.5.4 to 8.5.10
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.5.4...8.5.10)

Updates `mermaid` from 11.12.3 to 11.15.0
- [Release notes](https://github.com/mermaid-js/mermaid/releases)
- [Commits](https://github.com/mermaid-js/mermaid/compare/mermaid@11.12.3...mermaid@11.15.0)

Updates `dompurify` from 3.1.6 to 3.4.8
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@3.1.6...3.4.8)

---
updated-dependencies:
- dependency-name: "@excalidraw/excalidraw"
  dependency-version: 0.18.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: postcss
  dependency-version: 8.5.10
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: mermaid
  dependency-version: 11.15.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: dompurify
  dependency-version: 3.4.8
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
- CODEOWNERS: auto-assigns arthrod/pcmoraesmenezes as reviewers
- pr-title.yml: enforces conventional commit format on PR titles
- auto-merge.yml: squash-merges dependabot PRs when CI passes

https://claude.ai/code/session_01La31wbSAFscvEpH7TBEQVU
@coderabbitai

coderabbitai Bot commented Jun 4, 2026

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a740a68a-e226-4eb3-b9ef-431177b321d5

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Comment @coderabbitai help to get the list of available commands and usage tips.

@sourcery-ai

sourcery-ai Bot commented Jun 4, 2026

Reviewer's Guide

Adds GitHub automation for PR title validation, CODEOWNERS-based reviewer assignment, and automatic merging of Dependabot PRs, while also updating several dependencies (notably lodash, Next, Excalidraw, mermaid, postcss) and refreshing the pnpm lockfile to match.

Sequence diagram for PR title validation workflow

sequenceDiagram
    actor Developer
    participant GitHub
    participant PR_Title_workflow as PR_Title_workflow
    participant validate_title as validate-title_job

    Developer->>GitHub: open/edit/synchronize/reopen pull_request
    GitHub->>PR_Title_workflow: trigger on pull_request event
    PR_Title_workflow->>validate_title: start job (if title != [Release] Version packages)
    validate_title->>validate_title: run grep -E pattern against $TITLE
    alt title matches Conventional Commits pattern
        validate_title-->>GitHub: job success (Title OK)
    else title does not match pattern
        validate_title-->>GitHub: job failure (block merge)
    end

Sequence diagram for Dependabot auto-merge workflow

sequenceDiagram
    actor Dependabot as Dependabot_bot
    participant GitHub
    participant Auto_Merge_workflow as Auto_Merge_workflow
    participant auto_merge as auto-merge-dependabot_job
    participant gh_cli as gh_CLI

    Dependabot->>GitHub: open/reopen/synchronize pull_request
    GitHub->>Auto_Merge_workflow: trigger on pull_request event
    Auto_Merge_workflow->>auto_merge: start job (if github.actor == dependabot[bot])
    auto_merge->>gh_cli: run gh pr merge --auto --squash PR_URL
    gh_cli-->>GitHub: enable auto-merge on PR
    GitHub-->>Dependabot: PR merged automatically when all checks pass

File-Level Changes

Change Details Files
Enforce Conventional Commit formatting on pull request titles via a GitHub Actions workflow.
  • Introduce pr-title GitHub Actions workflow triggered on PR events (opened, edited, synchronize, reopened).
  • Add concurrency control to avoid overlapping PR title checks for the same ref.
  • Validate PR titles against a regex allowing standard Conventional Commit types and an optional scope and breaking marker.
  • Special-case release PRs titled '[Release] Version packages' to bypass validation.
  • Provide explicit failure messaging and examples when titles do not match the expected pattern.
.github/workflows/pr-title.yml
Automatically enable squash auto-merge for Dependabot pull requests once CI passes.
  • Add auto-merge GitHub Actions workflow triggered on pull_request events.
  • Restrict job execution to PRs opened by dependabot[bot].
  • Grant contents and pull-requests write permissions for the workflow run.
  • Use GitHub CLI (gh) with either API_TOKEN_GITHUB or fallback GITHUB_TOKEN to enable auto-merge with squash strategy on the current PR.
.github/workflows/auto-merge.yml
Define repository-wide code ownership to auto-request reviews from specific maintainers.
  • Introduce CODEOWNERS file at repository root under .github.
  • Configure @arthrod as code owner for all paths.
  • Configure @pcmoraesmenezes as additional code owner for packages/ and apps/ paths.
.github/CODEOWNERS
Update key dependencies across the app and packages to newer patch versions and refresh lockfile state.
  • Bump @excalidraw/excalidraw from 0.18.0 to 0.18.1 in both app and packages.
  • Upgrade lodash dependencies to 4.18.1 across multiple packages for consistency and security.
  • Update Next.js from 16.2.6 to 16.2.7 in the www app.
  • Upgrade mermaid to 11.15.0 in code-drawing package.
  • Update postcss to 8.5.10 in the www app.
  • Regenerate or adjust pnpm-lock.yaml to align with the new dependency versions.
apps/www/package.json
packages/code-drawing/package.json
packages/ai/package.json
packages/comment/package.json
packages/core/package.json
packages/diff/package.json
packages/dnd/package.json
packages/docx-io/package.json
packages/excalidraw/package.json
packages/list-classic/package.json
packages/list/package.json
packages/markdown/package.json
packages/slate/package.json
packages/suggestion/package.json
packages/table/package.json
packages/toggle/package.json
packages/utils/package.json
pnpm-lock.yaml

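
How the auto-merge job decides whether to call `gh pr merge --auto --squash`, as an added example (not the repository's auto-merge.yml). The workflow described above gates only on `github.actor == 'dependabot[bot]'`; this example goes further than the page and adds two gates a reviewer would want before a dependency PR merges without a human: the head branch must carry Dependabot's `dependabot/` prefix, and the update must be a semver patch or minor bump. The update-type strings are assumed to be the `update-type` output of the `dependabot/fetch-metadata` action; wiring that output into the script is assumed, not shown.

```shell
#!/usr/bin/env bash
# Added example, not the repository's auto-merge.yml: the gate in front of the
# `gh pr merge --auto --squash` call. The workflow on the page checks only
# github.actor == 'dependabot[bot]'; the branch-prefix and update-type gates
# below are this example's additions. Update types are assumed to be the
# `update-type` output of dependabot/fetch-metadata
# (version-update:semver-patch | version-update:semver-minor | version-update:semver-major).

# should_auto_merge <actor> <head_ref> <update_type>
# Exit 0 when every gate passes; otherwise print the refusal to stderr, exit 1.
should_auto_merge() {
  local actor="$1" head_ref="$2" update_type="$3"

  # Gate 1: the PR was opened by Dependabot, not a human or another bot.
  if [ "$actor" != 'dependabot[bot]' ]; then
    echo "refuse: actor '$actor' is not dependabot[bot]" >&2
    return 1
  fi

  # Gate 2: the head branch uses Dependabot's naming (dependabot/<ecosystem>/...),
  # a second, independent signal that this is a Dependabot-created PR.
  case "$head_ref" in
    dependabot/*) ;;
    *) echo "refuse: head ref '$head_ref' was not created by Dependabot" >&2
       return 1 ;;
  esac

  # Gate 3: only patch and minor bumps merge unattended; majors wait for review.
  case "$update_type" in
    version-update:semver-patch|version-update:semver-minor) return 0 ;;
    *) echo "refuse: update type '$update_type' needs a human review" >&2
       return 1 ;;
  esac
}

# enable_auto_merge <pr_url> <actor> <head_ref> <update_type>
# Runs the gates, then the same gh call the workflow uses. Needs gh on PATH
# and a token in GH_TOKEN; gh is only reached when all gates pass.
enable_auto_merge() {
  local pr_url="$1"
  shift
  should_auto_merge "$@" || return 1
  gh pr merge --auto --squash "$pr_url"
}

# Run with the four arguments to enable auto-merge on a real PR, e.g.
#   GH_TOKEN=... bash auto-merge-gate.sh "$PR_URL" "$ACTOR" "$HEAD_REF" "$UPDATE_TYPE"
if [ "$#" -eq 4 ]; then
  enable_auto_merge "$@"
fi
```

Because `gh pr merge --auto` only arms GitHub's auto-merge, the PR still waits for every required check to pass, as the page describes; the gates above decide which PRs are even eligible to be armed, and a major bump or a non-Dependabot branch is refused with a logged reason instead of being queued.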


@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request adds a .github/CODEOWNERS file to define repository ownership and updates several dependencies across multiple package.json files and the lockfile. A critical supply chain security risk was identified where dependencies such as lodash and next are upgraded to non-existent versions (e.g., 4.18.1 and 16.2.7), which will break the build. It is recommended to revert these dependency changes.

Comment thread apps/www/package.json
Comment on lines +149 to +154
"lodash": "4.18.1",
"lowlight": "3.3.0",
"lru-cache": "^11.2.4",
"lucide-react": "0.514.0",
"nanoid": "^5.1.6",
"next": "16.2.6",
"next": "16.2.7",
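Review bot: this hunk pins `lodash` to `4.18.1` and replaces `next` `16.2.6` with `16.2.7` in apps/www/package.json, yet the PR title and test plan cover only CI configuration (CODEOWNERS, PR title validation, Dependabot auto-merge), so the bumps arrive with no rationale of their own. Since this is also the PR that turns on unattended merging of Dependabot PRs, keep it to the .github/ files and land the dependency changes separately, where each exact pin can be checked against the registry and the regenerated pnpm-lock.yaml.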

security-critical critical

Undocumented and Non-existent Dependency Upgrades

The dependencies lodash and next are being upgraded to 4.18.1 and 16.2.7 respectively. However, these versions do not exist on the public npm registry (the latest stable version of lodash is 4.17.21, and Next.js has not released a version 16 yet).

Furthermore, these dependency upgrades are completely undocumented and unrelated to the PR's stated purpose of adding CI configurations (CODEOWNERS, PR title validation, and auto-merge). This pattern of upgrading to non-existent versions is also present across all other package.json files in this PR (e.g., mermaid to 11.15.0 in packages/code-drawing/package.json).

This poses a severe supply chain security risk and will break the installation/build process. Please revert these dependency changes and keep this PR focused solely on the CI configuration.

Suggested change
"lodash": "4.18.1",
"lowlight": "3.3.0",
"lru-cache": "^11.2.4",
"lucide-react": "0.514.0",
"nanoid": "^5.1.6",
"next": "16.2.6",
"next": "16.2.7",
"lodash": "4.17.21",
"lowlight": "3.3.0",
"lru-cache": "^11.2.4",
"lucide-react": "0.514.0",
"nanoid": "^5.1.6",
"next": "16.2.6",
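
A check a reviewer can run before accepting an unexplained exact-version bump like the `lodash` and `next` pins discussed above: ask the registry whether each pinned release exists. This is an added example, not code from the PR or from any of its review bots; the package.json excerpt inside it is constructed for illustration in the shape of the hunk and is not the PR's file, and `registry_has` assumes `npm` is installed and the registry is reachable.

```shell
#!/usr/bin/env bash
# Added example, not code from this PR or its review bots: confirm that each
# exact version pin in a package.json names a release the npm registry knows
# before an unexplained bump is accepted. PKG_JSON_EXAMPLE is constructed for
# this example in the shape of the hunk under review; it is not the PR's file.
PKG_JSON_EXAMPLE='{
  "dependencies": {
    "lodash": "4.18.1",
    "lru-cache": "^11.2.4",
    "nanoid": "^5.1.6",
    "next": "16.2.7"
  }
}'

# list_exact_pins <json-text>: print "name version" for every pin that is a
# bare semver (no ^ ~ >= range operator). Ranges are left to the lockfile.
list_exact_pins() {
  printf '%s\n' "$1" \
    | grep -E '^[[:space:]]*"[^"]+":[[:space:]]*"[0-9]+\.[0-9]+\.[0-9]+[^"]*",?[[:space:]]*$' \
    | sed -E 's/^[[:space:]]*"([^"]+)":[[:space:]]*"([^"]+)",?[[:space:]]*$/\1 \2/'
}

# registry_has <name> <version>: exit 0 when npm resolves that exact release.
# Assumes npm is on PATH and the registry is reachable. `npm view` prints the
# version string for an existing release and nothing for an unknown one.
registry_has() {
  [ -n "$(npm view "$1@$2" version 2>/dev/null)" ]
}

# check_pins <json-text>: one "ok"/"MISSING" line per exact pin. Exit status is
# the count of pins the registry does not know, so 0 means every pin resolves.
check_pins() {
  local missing=0 name ver
  while read -r name ver; do
    [ -n "$name" ] || continue
    if registry_has "$name" "$ver"; then
      echo "ok      $name@$ver"
    else
      echo "MISSING $name@$ver"
      missing=$((missing + 1))
    fi
  done <<EOF
$(list_exact_pins "$1")
EOF
  return "$missing"
}

# Run against a real file, e.g.  bash check-pins.sh apps/www/package.json
if [ "$#" -gt 0 ]; then
  check_pins "$(cat "$1")"
fi
```

Only bare pins are queried; ranged specs such as `^11.2.4` resolve through the lockfile, so the question for them is whether pnpm-lock.yaml was regenerated, which this PR says it was. A non-zero exit status from `check_pins` is the signal to hold the merge until the missing releases are explained.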

2 participants