ci(dependabot): add lockfile fixer workflow (#59)

oleg-koval · web-flow · commit 287745bbd3ad · 2026-04-04T17:24:09.000+02:00
diff --git a/.github/workflows/dependabot-lockfile-fixer.yml b/.github/workflows/dependabot-lockfile-fixer.yml
@@ -0,0 +1,45 @@
+name: Dependabot Lockfile Fixer
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - reopened
+      - synchronize
+      - ready_for_review
+
+permissions:
+  contents: write
+  pull-requests: write
+
+concurrency:
+  group: dependabot-lockfile-fixer-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+jobs:
+  fix-lockfiles:
+    if: >
+      github.actor == 'dependabot[bot]' &&
+      github.event.pull_request.head.repo.full_name == github.repository
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout PR branch
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+          fetch-depth: 0
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 24
+
+      - name: Fix lockfiles
+        uses: oleg-koval/dependabot-lockfile-fixer@v1
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          package_manager: npm
+          working_directory: .
diff --git a/readme.md b/readme.md
@@ -116,9 +116,8 @@ Use repo-local plugin composition instead when your team wants different plugins
 ## Repository Maintenance Notes
 
 - Consumer-facing examples now use `main`.
-- Repository automation currently supports both `master` and `main` so maintenance is not blocked before the branch rename.
-- Repository automation also supports `beta` for prerelease validation and publishing.
-- Renaming this repository's default branch to `main` is still recommended to align hosted defaults, badges, and examples.
+- Repository automation publishes stable releases from `main` and prereleases from `beta`.
+- Dependabot PRs can auto-refresh `package-lock.json` through the dedicated lockfile-fixer workflow.
 - The old README wording that inverted `fix` and `feat` was documentation drift. The actual release behavior has been corrected and is now covered by tests.
 
 ## Contributing
