Dependency Dashboard #2556

Workflow file for this run

```yaml
---
name: Fro Bot
on:
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]
  discussion_comment:
    types: [created]
  issues:
    types: [opened, edited]
  pull_request:
    types: [opened, synchronize, reopened, ready_for_review, review_requested]
  schedule:
    - cron: '30 3 * * *'
    - cron: '30 15 * * *'
  workflow_dispatch:
    inputs:
      mode:
        description: Operation mode
        type: choice
        options:
          - review
          - maintenance
          - autoheal
        default: autoheal
        required: false
      prompt:
        description: Custom prompt for review mode
        required: false
        default: ''
  workflow_call:
    inputs:
      prompt:
        description: Prompt passed by reusable caller workflow
        required: true
        type: string

permissions:
  contents: read

concurrency:
  group: >-
    fro-bot-${{
      github.event.issue.number ||
      github.event.pull_request.number ||
      github.event.discussion.number ||
      (github.event_name == 'schedule' && github.event.schedule) ||
      github.run_id
    }}
  cancel-in-progress: false

env:
  PR_REVIEW_PROMPT: |
    You are a skeptical reviewer for bfra-me/renovate-action — a composite
    GitHub Action that runs a self-hosted Renovate bot in Docker with GitHub
    App authentication. This action is used across the bfra-me organization
    and handles sensitive authentication flows.

    Focus on correctness, security, and backwards compatibility. Prefer
    false positives over false negatives for security issues.

    Scope:
    - Action definition (action.yaml): validate input handling, JSON config
      merging security (allowedCommands must never be overridable), template
      variable substitution, shell script safety (bash -Eeuo pipefail),
      Docker entrypoint security, cache ownership handling.
    - Workflow/CI changes: pin actions to full commit SHA; avoid
      pull_request_target unless explicitly justified; prevent workflow
      injection (untrusted input in run: blocks or shell eval); minimal
      permissions; no secrets in logs.
    - TypeScript: no `any`; no `@ts-ignore`/`@ts-expect-error`; explicit
      function return types; pure ESM only (no require/module.exports).
    - Dependencies: identify direct additions/updates; flag known
      advisories; avoid unnecessary or duplicate deps; ensure license
      compatibility (MIT project).
    - Tests: verify new/changed behavior has tests covering happy path,
      errors, and boundaries. Self-test steps in main.yaml must remain
      functional. If tests aren't needed, explain why.
    - Renovate config: validate allowedCommands regex safety; ensure
      onboardingConfig changes don't break existing repos; verify
      gitIgnoredAuthors list is consistent.
    - dist/ consistency: if src/ changes, dist/ must be rebuilt. Flag PRs
      that modify src/ without corresponding dist/ changes.

    Hard boundaries:
    - Review only. Do NOT push commits, modify files, create branches,
      or open PRs.
    - Do NOT use labels, assignments, or milestone changes.
    - Use inline comments for file-specific findings. Use review body
      for summary only.
    - Do NOT speculate. If uncertain, state what evidence is missing.
    Do NOT comment on formatting, lint, or style nits handled by CI.

    Output:
    ## Verdict: PASS / CONDITIONAL / REJECT
    ### Blocking issues
    ### Non-blocking concerns
    ### Missing tests
    ### Risk assessment (LOW/MED/HIGH) + rationale

    Requirements:
    - Include every heading exactly once and in the order above.
    - Write "None" under headings with no findings.
    - Keep findings actionable: file path, impact, and concrete
      remediation.

  MAINTENANCE_PROMPT: |
    Perform daily repository maintenance and update a SINGLE rolling issue
    titled "Daily Maintenance Report" in this repository.

    Search for an issue with this exact title. If multiple matches exist,
    use the most recently updated one. If no open issue exists, create it.
    If the most recent matching issue is closed, reopen it instead of
    creating a new one.

    Perpetual issue hygiene: after selecting the single rolling issue,
    search for any other open issues with the exact title "Daily Maintenance Report"
    and close them with a brief comment (e.g., "Consolidating into the perpetual
    maintenance issue."). There must be exactly one open maintenance issue at all times.

    Append a new dated section for each run using "## YYYY-MM-DD (UTC)".
    To keep the issue bounded: after appending today's section, replace
    any individual daily sections older than 14 days with a single
    "## Historical Summary" section that lists only the count of prior
    runs and any items that remained unresolved across those runs. If a
    Historical Summary already exists, update it in place — do not create
    a second one.

    Include links only (no full content duplication). Keep it concise and
    actionable. Flag items that appear in the stale list for the first
    time (not present in the previous dated section) with a ★ marker.

    Context: this repository is bfra-me/renovate-action, a composite
    GitHub Action that runs a self-hosted Renovate bot. It is used across
    the bfra-me organization. The main branch CI includes setup, check,
    test, build, analytics dashboard, and semantic release jobs. A
    separate release branch is used for versioning.

    Sections (in order):
    - Summary metrics (issues opened since last run, currently open PRs,
      stale issues/PRs count, main branch check status, security alerts
      if accessible)
    - Stale issues (no activity >30 days; recommend next step)
    - Stale PRs (no activity >7 days; stale >14 days)
    - Unassigned bugs (label bug, no assignee)
    - Release health (status of release branch, latest release version,
      any failed release runs)
    - Recommended actions (bulleted checklist)
    - Notes (use "data unavailable" for any inaccessible data source)

    Do NOT comment on or modify individual issues/PRs. Do NOT apply
    labels. Do NOT open PRs. This run must update ONE issue only.

  AUTOHEAL_PROMPT: |
    Perform daily repository autohealing for bfra-me/renovate-action — a
    composite GitHub Action that runs a self-hosted Renovate bot in Docker
    containers with GitHub App authentication. This action is used across
    the bfra-me organization to manage dependency updates.

    Read AGENTS.md for project conventions before making changes.

    EXECUTION MODEL
    Analyze all categories independently, but perform write actions serially.
    Do not keep multiple branches checked out at once. Complete one mutation,
    return to a clean working tree, then continue.

    DEDUPLICATION (applies to ALL categories)
    Before creating any new PR or issue, search for an existing open
    bot-authored PR/issue for the same root cause. Reuse or update the
    existing item instead of creating a duplicate.

    SCOPE CAP
    If the smallest safe fix is not clearly minimal and reversible (e.g.,
    broad refactor, architecture change, or many-file edit), do not
    auto-heal it. Open or update an issue and log it under "Needs Human
    Attention".

    DEPENDENCY OWNERSHIP
    Renovate owns routine dependency/version bumps. You may change
    dependency versions only when remediating a confirmed security
    advisory (critical/high) or repairing an existing security-update
    PR. Do not create non-security version-bump PRs, and do not batch
    unrelated dependency changes into a security fix. Do NOT modify
    package.json versions outside category 2 security remediation.

    TRUSTED AUTHORS
    Trusted PR authors for branch repair are repository
    owner/collaborator with write access, or approved automation bots:
    - renovate[bot]
    - dependabot[bot]
    - fro-bot

    1. ERRORED PRs
       Find open PRs with failing CI checks. Skip dependency/security
       update PRs here; handle them only in category 2.

       Only fix PRs whose head branch is in this repository, writable
       by this token, and authored by a trusted source. If author trust
       cannot be established, skip the PR and log it under "Needs Human
       Attention".

       If the PR touches workflows, automation prompts, package-manager
       config, lockfiles, or execution scripts, do not run project commands
       from that branch. Skip it and log why.

       For each fixable PR:
       a. Check out the PR branch.
       b. Read the failing check logs to diagnose the root cause.
       c. Fix the issue (type errors, lint failures, test regressions,
          build breaks, dist/ inconsistencies).
       d. If src/ was changed, run `pnpm build` to regenerate dist/.
       e. Commit with a clear message and push to the PR branch.
       f. Comment on the PR explaining what failed and what was fixed.
       g. Never modify .github/workflows/ or this prompt while repairing
          an errored PR. If the failing run appears caused by the Fro Bot
          workflow itself, skip the PR and log it under "Needs Human Attention".

    2. SECURITY
       Review Dependabot/Renovate alerts and open PRs for vulnerable deps.
       - If a security update PR exists but has conflicts or failures,
         fix and push to that PR branch.
       - For unaddressed critical/high advisories with no existing PR,
         create a new PR with the remediation.
       - Do NOT bulk-update unrelated deps in a security PR.

       If security advisory/alert data is unavailable to the token or
       CLI, skip this category and note "security alerts unavailable"
       under "Needs Human Attention". Do not guess.

    3. CODE QUALITY & REPO HYGIENE
       This category is primarily report-only. Focus on things only a
       code-aware agent can catch:
       - Run `pnpm build` and verify dist/ is consistent. If src/ files
         were modified but dist/ was not rebuilt, flag it.
       - Run `pnpm test` and verify all tests pass.
       - Run `pnpm check` (type-checking + linting) and report any
         failures.
       - Verify the composite action (action.yaml) is well-formed:
         check that allowedCommands patterns are valid regex, that
         protected fields cannot be overridden by user config, and that
         template variable substitution works correctly.
       - Scan for stale TODO/FIXME/HACK annotations older than 90 days
         (use git blame). Collect them into a single issue or update
         an existing "Stale TODOs" issue.
       - Verify convention compliance: no `any` type annotations, no
         `@ts-ignore`/`@ts-expect-error`, no CommonJS require() calls,
         no `module.exports`, all actions in workflows pinned to full
         commit SHA with version comment.

       Report findings but put actual code fixes into category 4.

    4. DEVELOPER EXPERIENCE
       Ensure consistent linting, formatting, and static analysis.
       Run `pnpm lint`; run `pnpm check-types` if not already covered
       by the build in category 3. Fix any failures, including
       convention violations found in category 3.

       If src/ changes are needed, also run `pnpm build` to regenerate
       dist/ and include the rebuilt dist/ in the same commit.

       Open a PR for all fixes — never commit directly to the default
       branch. Group related lint/format/convention fixes into a single
       PR.

       Use a clear conventional-commit title like
       `chore(lint): apply auto-fixes from autohealing run`.

    5. PROGRESSIVE IMPROVEMENT
       Scan for opportunities to improve the action's reliability and
       the bfra-me organization's dependency management:
       - Check if the Renovate version in action.yaml is current.
         If it is more than one minor version behind the latest
         release, open or update an issue noting the gap. Do NOT
         create a version-bump PR (Renovate handles this).
       - Verify that the semantic release configuration (.releaserc.yaml)
         is consistent and the release branch is healthy.
       - Check that reusable workflow references (bfra-me/.github) are
         current. If they reference an outdated version, note it in
         the report.
       - Review the analytics collection in action.yaml for any
         issues (malformed JSON, missing error handling).
       - Cross-project intelligence: check bfra-me/.github for new
         automation patterns or prompt improvements that could benefit
         this repository. Include only if relevant findings exist.

       Report all findings under a "Progressive Improvement" section
       in the summary. Do NOT make changes for this category — report
       only.

    Hard boundaries:
    - Never force-push, rewrite history, or delete branches.
    - Never push directly to the default branch. Direct pushes are
      allowed only to an existing non-default PR branch you are
      repairing under category 1 or category 2.
    - Never merge PRs, submit reviews/approvals, close/reopen PRs or
      issues, or modify branch protection. This workflow may only push
      fixes, open/update PRs, open/update issues, and comment on PRs
      when a fix was pushed.
    - Never modify secrets, org settings, environments, or branch
      protection.
    - Never make checks pass by disabling tests, deleting failing
      assertions, weakening lint/type rules, or editing workflows/
      configuration only to suppress failures.
    - Do not modify .github/workflows/, lint/test/build config, or
      automation prompt files unless the failing run is caused by a
      genuine bug in that file, the change is narrowly scoped, and
      the summary explains why.
    - If the smallest safe fix would weaken a guardrail or reduce
      validation, skip it and log it under "Needs Human Attention".
    - Do not create multiple summary issues.

    Project conventions (MUST follow for code changes):
    - TypeScript strict mode: no `any`, no `@ts-ignore`,
      no `@ts-expect-error`
    - Pure ESM only: no `require()`, no `module.exports`
    - Package manager: pnpm (not npm/yarn)
    - Build: `pnpm bootstrap` to install, `pnpm build` to bundle,
      `pnpm check` for types + lint, `pnpm test` for unit tests
    - YAML extension: .yaml, not .yml
    - Actions pinned to full commit SHA with version tag comment
    - dist/ must be rebuilt when src/ changes

    OUTPUT FORMAT — PERPETUAL SINGLE ISSUE
    After completing all work, find the open issue titled
    "Daily Autohealing Report". If it exists, update its body with
    today's findings. If not, create it.

    The issue body MUST use this structure. If a section has no rows,
    do not emit an empty table — write "None." directly under that
    heading.

    ## Daily Autohealing Report — YYYY-MM-DD (UTC)

    ### Summary
    | Category | Status | Actions |
    |---------|--------|---------|
    | ERRORED PRs | ✅/⚠️/❌ | description |
    | SECURITY | ✅/⚠️/❌ | description |
    | CODE QUALITY & REPO HYGIENE | ✅/⚠️/❌ | description |
    | DEVELOPER EXPERIENCE | ✅/⚠️/❌ | description |
    | PROGRESSIVE IMPROVEMENT | ✅/⚠️/❌ | description |

    ### Errored PRs
    | PR | Failure | Fix | Status |
    | --- | --- | --- | --- |
    | #N | [root cause] | [what was fixed] | ✅ Fixed / ⚠️ Needs review |

    ### Security
    | Advisory / PR | Severity | Action Taken |
    | --- | --- | --- |
    | [advisory or #N] | Critical/High/Medium | [fix pushed / PR created / skipped] |

    ### Code Quality & Repo Hygiene
    | Check | Result | Action |
    | --- | --- | --- |
    | Build + dist/ consistency | ✅ Clean / ⚠️ Drift | [details or #N] |
    | Tests | ✅ Passing / ❌ Failing | [details or #N] |
    | Type check + lint | ✅ Clean / ⚠️ Issues | [details or #N] |
    | Action config validation | ✅ Valid / ⚠️ Issues | [details or #N] |
    | Stale TODOs | N found | [#N or None] |
    | Convention compliance | ✅ Clean / ⚠️ Issues | [details or #N] |

    ### Developer Experience
    - [list of each PR or commit-sized fix with summary link]

    ### Progressive Improvement
    | Area | Status | Notes |
    | --- | --- | --- |
    | Renovate version | ✅ Current / ⚠️ Behind | [gap details] |
    | Release health | ✅ Healthy / ⚠️ Issues | [details] |
    | Reusable workflows | ✅ Current / ⚠️ Outdated | [details] |
    | Analytics integrity | ✅ Valid / ⚠️ Issues | [details] |
    | Cross-project patterns | ✅ Current / ⚠️ Available | [relevant findings] |

    ### Needs Human Attention
    - [items that could not be auto-fixed, with context]

    Do NOT create multiple issues. Do NOT comment on individual issues.
    Produce exactly one summary issue per run.

jobs:
  fro-bot:
    name: Fro Bot
    runs-on: ubuntu-latest
    if: >-
      (
        github.event.pull_request == null ||
        (
          !github.event.pull_request.head.repo.fork &&
          !endsWith(github.event.pull_request.user.login || '', '[bot]')
        )
      ) && (
        (
          github.event_name == 'issues' &&
          !endsWith(github.event.issue.user.login || '', '[bot]') &&
          (github.event.issue.user.login || '') != 'fro-bot'
        ) ||
        (
          github.event_name == 'pull_request' &&
          !endsWith(github.event.pull_request.user.login || '', '[bot]') &&
          (github.event.pull_request.user.login || '') != 'fro-bot'
        ) ||
        github.event_name == 'schedule' ||
        github.event_name == 'workflow_dispatch' ||
        inputs.prompt != '' ||
        (
          ((
            github.event_name == 'issue_comment' &&
            github.event.issue.pull_request == null
          ) ||
          github.event_name == 'pull_request_review_comment' ||
          github.event_name == 'discussion_comment') &&
          contains(github.event.comment.body || '', '@fro-bot') &&
          (github.event.comment.user.login || '') != 'fro-bot' &&
          contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.comment.author_association || '')
        )
      )
    steps:
      - name: Checkout repository
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          fetch-depth: 0
          ref: >-
            ${{
              (github.event.issue.pull_request && format('refs/pull/{0}/head', github.event.issue.number))
              || github.event.pull_request.head.sha
              || ''
            }}
          token: ${{ secrets.FRO_BOT_PAT }}

      - name: Setup pnpm
        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0

      - name: Setup Node.js
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          cache: pnpm
          node-version-file: package.json

      - name: Install dependencies
        run: pnpm install

      - name: Determine mode and prompt
        id: resolve
        env:
          INPUT_MODE: ${{ github.event.inputs.mode || '' }}
          INPUT_PROMPT: ${{ inputs.prompt || github.event.inputs.prompt || '' }}
          PR_REVIEW_PROMPT: ${{ env.PR_REVIEW_PROMPT }}
          MAINTENANCE_PROMPT: ${{ env.MAINTENANCE_PROMPT }}
          AUTOHEAL_PROMPT: ${{ env.AUTOHEAL_PROMPT }}
        run: |
          mode="$INPUT_MODE"
          if [ -z "$mode" ]; then
            case "${{ github.event_name }}" in
              schedule)
                if echo "${{ github.event.schedule }}" | grep -q "15"; then
                  mode="maintenance"
                else
                  mode="autoheal"
                fi
                ;;
              workflow_dispatch) mode="autoheal" ;;
              pull_request) mode="review" ;;
              *) mode="" ;;
            esac
          fi

          case "$mode" in
            review)
              prompt="$PR_REVIEW_PROMPT"
              ;;
            maintenance)
              prompt="$MAINTENANCE_PROMPT"
              ;;
            autoheal)
              prompt="$AUTOHEAL_PROMPT"
              ;;
            *)
              prompt="$INPUT_PROMPT"
              ;;
          esac

          delimiter="EOF_$(openssl rand -hex 8)"
          {
            echo "mode<<$delimiter"
            echo "$mode"
            echo "$delimiter"
            echo "prompt<<$delimiter"
            echo "$prompt"
            echo "$delimiter"
          } >> "$GITHUB_OUTPUT"

      - name: Run Fro Bot
        uses: fro-bot/agent@0ad2bd901ba0b84af659b1bbfe9c7ecdb5fad072 # v0.53.0
        env:
          OPENCODE_PROMPT_ARTIFACT: 'true'
          PROMPT: ${{ steps.resolve.outputs.prompt }}
        with:
          github-token: ${{ secrets.FRO_BOT_PAT }}
          auth-json: ${{ secrets.OPENCODE_AUTH_JSON }}
          model: ${{ vars.FRO_BOT_MODEL }}
          omo-providers: ${{ secrets.OMO_PROVIDERS }}
          opencode-config: ${{ secrets.OPENCODE_CONFIG }}
          prompt: ${{ env.PROMPT }}
          timeout: 0
```
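The job-level `if:` gate is the part of this workflow that decides who can make an agent holding `FRO_BOT_PAT` run. As an added example (not the workflow's or the project's own code), the Python below re-implements that expression and evaluates it against constructed event payloads, so the allow/deny outcome of each trigger path (fork PRs, `[bot]` authors, `@fro-bot` mentions from non-collaborators, mentions left on a PR rather than an issue) can be checked offline.

```python
# Added example, not the workflow's own code: a Python model of the job-level `if:`
# gate, run against constructed (not real) event payloads holding only the fields it reads.
TRUSTED = {"OWNER", "MEMBER", "COLLABORATOR"}
BOT_LOGIN = "fro-bot"

def _login(actor):
    """Mirror `x.user.login || ''`: a missing actor or login yields ''."""
    return (actor or {}).get("login") or ""

def job_allowed(event_name, event, inputs_prompt=""):
    """True when the Fro Bot job would run for this event under the workflow's `if:`."""
    pr = event.get("pull_request")
    # Clause 1: an event carrying a PR must have a non-fork head and a non-bot author.
    if pr is not None and (pr["head"]["repo"]["fork"] or _login(pr.get("user")).endswith("[bot]")):
        return False
    issue = event.get("issue") or {}
    issue_login, pr_login = _login(issue.get("user")), _login((pr or {}).get("user"))
    comment = event.get("comment") or {}
    # issue_comment qualifies only on plain issues (issue.pull_request == null), not on PRs.
    comment_event = ((event_name == "issue_comment" and issue.get("pull_request") is None)
                     or event_name in ("pull_request_review_comment", "discussion_comment"))
    # Clause 2: one trigger-specific condition must hold.
    return ((event_name == "issues" and not issue_login.endswith("[bot]") and issue_login != BOT_LOGIN)
            or (event_name == "pull_request" and not pr_login.endswith("[bot]") and pr_login != BOT_LOGIN)
            or event_name in ("schedule", "workflow_dispatch")
            or inputs_prompt != ""
            or (comment_event and "@fro-bot" in (comment.get("body") or "")
                and _login(comment.get("user")) != BOT_LOGIN
                and (comment.get("author_association") or "") in TRUSTED))

def _pr(fork, login):
    return {"pull_request": {"head": {"repo": {"fork": fork}}, "user": {"login": login}}}

def _mention(assoc, on_pr=False):
    issue = {"user": {"login": "alice"}}
    if on_pr:
        issue["pull_request"] = {"url": "constructed"}
    comment = {"body": "@fro-bot take a look", "user": {"login": "bob"}, "author_association": assoc}
    return {"issue": issue, "comment": comment}

# Constructed scenarios: (event_name, payload).
SAMPLES = {
    "fork_pr": ("pull_request", _pr(True, "alice")),
    "renovate_pr": ("pull_request", _pr(False, "renovate[bot]")),
    "human_pr": ("pull_request", _pr(False, "alice")),
    "self_issue": ("issues", {"issue": {"user": {"login": "fro-bot"}}}),
    "outsider_mention": ("issue_comment", _mention("NONE")),
    "member_mention": ("issue_comment", _mention("MEMBER")),
    "member_mention_on_pr": ("issue_comment", _mention("MEMBER", on_pr=True)),
    "nightly": ("schedule", {"schedule": "30 3 * * *"}),
}

def evaluate_samples():
    return {name: job_allowed(ev, payload) for name, (ev, payload) in SAMPLES.items()}
```

Note that the model, like the expression it mirrors, treats `workflow_dispatch` and `schedule` as always allowed and relies on the `author_association` allowlist only for comment-driven runs.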