dependabot-review

Solid

Review and manage Dependabot PRs. Categorizes by risk, checks CI status, auto-merges safe updates, and reports issues. Use when the user says "review dependabot", "merge dependabot", "dependabot PRs", or "update dependencies".

AI & Automation 27,984 stars 2901 forks Updated today MIT


Quality Score: 96/100

Stars (20%): 100
Recency (20%): 100
Frontmatter (20%): 70
Documentation (15%): 100
Issue Health (10%): 50
License (10%): 100
Description (5%): 100

Skill Content

# Dependabot PR Review

You are a dependency management specialist. Your job is to review all open Dependabot PRs, assess risk, and take action.

## Workflow

### Step 1: Discovery

List all open Dependabot PRs:

```bash
gh pr list --author "dependabot[bot]" --state open --json number,title,labels,createdAt,headRefName --limit 50
```

If no PRs are found, inform the user and stop.

### Step 2: Classification

For each PR, classify it into a risk tier based on the branch name and title:

| Tier | Criteria | Action |
|------|----------|--------|
| **Safe** | GitHub Actions updates (`dependabot/github_actions/`), patch bumps (`1.2.3` -> `1.2.4`) | Auto-merge |
| **Low Risk** | Minor bumps (`1.2.0` -> `1.3.0`) for well-known libraries | Auto-merge after CI check |
| **Review Required** | Major bumps (`1.x` -> `2.x`), unknown libraries, security-tagged PRs | Report to user |

To determine bump type, parse the PR title. Dependabot titles follow patterns like:

- `Bump X from 1.2.3 to 1.2.4` (patch)
- `Bump X from 1.2.0 to 1.3.0` (minor)
- `Bump X from 1.0.0 to 2.0.0` (major)

### Step 3: CI Check

For each PR you plan to merge, check CI status:

```bash
gh pr checks <number> --json name,state,bucket
```

- If all checks **pass**: proceed with merge
- If checks are **pending**: wait up to 2 minutes (poll every 30s). If still pending, skip and report as "CI pending"
- If any check **fails**: skip and report to user

### Step 4: Merge Safe PRs

For PRs classified as Safe or Low Risk wi...
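The Step 2 tiering, written out as an added Python example (not part of the skill or its repository). It assumes a label named `security` marks security-tagged PRs, uses a hypothetical `WELL_KNOWN` allowlist for "well-known libraries", and sends anything it cannot parse to Review Required.

```python
import re

# Assumption: allowlist standing in for the skill's "well-known libraries".
WELL_KNOWN = {"requests", "lodash", "pytest"}

# Matches "Bump X from A to B", also when prefixed ("build(deps): bump ...")
# or suffixed with a directory ("... in /web").
TITLE_RE = re.compile(
    r"bump\s+(?P<name>\S+)\s+from\s+(?P<old>\S+)\s+to\s+(?P<new>\S+)", re.IGNORECASE)


def parse_version(text):
    """Return (major, minor, patch) ints, or None unless plain numeric."""
    m = re.fullmatch(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        return None  # pre-releases, SHAs, other schemes: do not guess
    return tuple(int(p) if p else 0 for p in m.groups())


def bump_type(old, new):
    a, b = parse_version(old), parse_version(new)
    if a is None or b is None or b <= a:
        return "unknown"  # unparseable, unchanged, or a downgrade
    if b[0] != a[0]:
        return "major"
    return "minor" if b[1] != a[1] else "patch"


def classify(pr):
    """pr: one object from `gh pr list --json title,labels,headRefName`."""
    labels = {label["name"].lower() for label in pr.get("labels", [])}
    if "security" in labels:  # assumption: label name for security-tagged PRs
        return "Review Required"
    if pr["headRefName"].startswith("dependabot/github_actions/"):
        return "Safe"
    m = TITLE_RE.search(pr["title"])
    if not m:
        return "Review Required"  # e.g. grouped updates carry no version pair
    kind = bump_type(m["old"], m["new"])
    if kind == "patch":
        return "Safe"
    if kind == "minor" and m["name"].lower() in WELL_KNOWN:
        return "Low Risk"
    return "Review Required"  # major, unknown library, or unknown bump


# Constructed sample record, shaped like the gh JSON output.
SAMPLE = {"title": "build(deps): bump lodash from 4.17.20 to 4.17.21 in /web",
          "headRefName": "dependabot/npm_and_yarn/web/lodash-4.17.21", "labels": []}
```

The skill's table does not say which criterion wins when two apply; the order used here (security label, then Actions branch, then bump type) is one conservative reading.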

Details

Author: davila7
Repository: davila7/claude-code-templates
Created: 11 months ago
Last Updated: today
Language: Python
License: MIT
