Dependabot: comment on patch/minor updates

Replace automatic merging of patch/minor Dependabot PRs with an automated comment that guides manual review and merge. Update docs (.github/DEPENDABOT.md) to reflect the new "comment for review" behavior and clarify CI and React/react-dom handling. Change dependabot.yml to rename the production group and add a dedicated react group to keep react and react-dom in sync (preinstall hook compatibility). Update the workflow to post a comment for patch/minor updates instead of running gh pr merge, and restrict the label step to run only for expected semver update types.

Author: mdlew

.github/DEPENDABOT.md

@@ -24,8 +24,8 @@ This is the main configuration file that controls Dependabot's behavior:
 
 This workflow automates the merge process for safe dependency updates:
 
-- **Patch updates** (`1.0.0` → `1.0.1`): Auto-merged
-- **Minor updates** (`1.0.0` → `1.1.0`): Auto-merged
+- **Patch updates** (`1.0.0` → `1.0.1`): Commented for manual merge
+- **Minor updates** (`1.0.0` → `1.1.0`): Commented for manual merge
 - **Major updates** (`1.0.0` → `2.0.0`): Require manual review
 
 ## Key Features
@@ -69,9 +69,9 @@ This makes it easier to:
 
 The auto-merge workflow has three behaviors:
 
-**Auto-merge (patch & minor):**
+**Comment for review (patch & minor):**
 ```
-✅ Automatically merged after CI passes
+💬 Commented with guidance for manual review and merge
 ```
 
 **Manual review (major):**
@@ -106,8 +106,8 @@ Set to `auto` - Dependabot will automatically rebase PRs when the base branch ch
    - These are labeled with `security` by GitHub
    - Prioritize reviewing and merging security updates
 
-3. **Keep CI Green**
-   - Auto-merge only works if CI passes
+3. **Keep CI Green (Optional)**
+   - When CI checks are configured and marked as required, auto-merge only proceeds after they pass
    - Ensure your test suite covers critical paths
    - Fix failing tests promptly
 
@@ -129,7 +129,7 @@ Set to `auto` - Dependabot will automatically rebase PRs when the base branch ch
 3. **React Version Synchronization**
    - This project enforces matching `react` and `react-dom` versions
    - The preinstall hook will fail if versions don't match
-   - Dependabot is configured to handle this automatically
+   - Dependabot's `react` group configuration (see `.github/dependabot.yml`) ensures these packages are always updated together
 
 ## Troubleshooting
 

.github/dependabot.yml

@@ -24,13 +24,20 @@ updates:
           - "minor"
           - "patch"
 
-      # Group production dependencies by update type
-      production-dependencies-minor:
+      # Group production dependencies (patch & minor updates)
+      production-dependencies:
         dependency-type: "production"
         update-types:
           - "minor"
           - "patch"
 
+      # Ensure react and react-dom are always updated together
+      # This prevents version mismatch issues with the preinstall hook
+      react:
+        patterns:
+          - "react"
+          - "react-dom"
+      
       # Keep major updates separate for careful review
       # (Major updates are not grouped and will create individual PRs)
 

.github/workflows/dependabot-auto-merge.yml

@@ -22,13 +22,19 @@ jobs:
         with:
           github-token: "${{ secrets.GITHUB_TOKEN }}"
 
-      - name: Enable auto-merge for patch and minor updates
-        # Auto-merge patch and minor version updates (safer updates)
-        # Major updates require manual review due to potential breaking changes
+      - name: Comment on patch and minor updates
+        # For patch and minor version updates, add a comment to guide manual review and merge
+        # This avoids unsafe auto-merging when no CI checks are configured on pull requests
         if: |
           steps.metadata.outputs.update-type == 'version-update:semver-patch' ||
           steps.metadata.outputs.update-type == 'version-update:semver-minor'
-        run: gh pr merge --auto --squash "$PR_URL"
+        run: |
+          gh pr comment "$PR_URL" --body "✅ **Dependabot patch/minor update detected**
+
+          This PR updates dependencies with a patch or minor version change.
+
+          Please ensure that all relevant CI checks (if configured) have passed and that the
+          application still builds and runs as expected before merging this PR manually."
         env:
           PR_URL: ${{ github.event.pull_request.html_url }}
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -49,6 +55,11 @@ jobs:
 
       - name: Label Dependabot PRs
         # Add helpful labels based on update type
+        # Only runs when UPDATE_TYPE matches one of the expected semver types
+        if: |
+          steps.metadata.outputs.update-type == 'version-update:semver-major' ||
+          steps.metadata.outputs.update-type == 'version-update:semver-minor' ||
+          steps.metadata.outputs.update-type == 'version-update:semver-patch'
         run: |
           if [[ "$UPDATE_TYPE" == "version-update:semver-major" ]]; then
             gh pr edit "$PR_URL" --add-label "major-update"