sq-site-dependabot
// Reviews, validates, and safely merges Dependabot pull requests for the sq.io site (site/, Bun lockfile). Use when clearing site dependency PRs, triaging Dependabot failures, or checking Lighthouse impact before merge.
| field | value |
|---|---|
| name | sq-site-dependabot |
| description | Reviews, validates, and safely merges Dependabot pull requests for the sq.io site (site/, Bun lockfile). Use when clearing site dependency PRs, triaging Dependabot failures, or checking Lighthouse impact before merge. |
| license | MIT |
| compatibility | Requires gh CLI (authenticated), Bun 1.2+, make, jq, curl, and network access to GitHub and Netlify. Full merges need NETLIFY_AUTH_TOKEN and NETLIFY_SITE_ID for make site-netlify-validate. |
| metadata | {"author":"Todd Papaioannou","homepage":"https://sq.io","version":"0.2.1"} |
Maintainer workflow for Dependabot PRs touching site/ or site/bun.lock. Read AGENTS.md for skill install paths.

Do not merge site Dependabot PRs in bulk without rebasing between merges (shared bun.lock).
| Mode | Actions | Merge |
|---|---|---|
| Audit | List/classify; CI; ordered plan | No |
| Validate | Branch checkout; make ci | No |
| Full | Audit + validate + merge loop | Consent |
Default to Audit unless the user says "merge", "clear them", or "full".
Run first in every mode. Stop on failure.
```sh
# gh auth + site deps (bun install if needed) + make check
.agents/skills/sq-site-dependabot/scripts/check-tools.sh
# Full / Layer B (+ NETLIFY_* via make check-netlify):
.agents/skills/sq-site-dependabot/scripts/check-tools.sh --netlify
# Or: gh api user -q .login && cd site && bun install && make check-netlify
```
check-tools.sh runs bun install in site/ when bun x netlify-cli is missing
(fresh clone, agent sandbox). Needs network. SKIP_SITE_DEPS=1 skips that step.
Layer B (site-netlify-validate) always uses bun x netlify-cli — a global/brew
CLI does not replace bun install.
Details: references/tool-bootstrap.md.
From repository root:

```sh
gh pr list --author 'app/dependabot' --state open \
  --json number,title,headRefName,mergeable,statusCheckRollup,createdAt \
  --jq '.[] | select(.headRefName | test("^dependabot/"))'
```
Confirm each candidate touches site/ (gh pr diff <n> --name-only). Treat the list as
candidates — refine by path if the filter is too broad.
For each PR: confirm the diff is scoped to site/, then classify it. Read references/risk-tiers.md before ordering merges. Package notes: references/high-risk-packages.md.
Produce an ordered plan (T0 → T1 → T2; hold T3/T4).
Checkout the PR branch. From site/:

```sh
make deps   # if needed after checkout
make ci     # matches Site CI (necessary, not sufficient for Netlify)
```

Pin Bun to the BUN_VERSION in site/netlify.toml and site-ci.yml.
Optional: make site-lighthouse for T2+ when preview Lighthouse is unclear.
After make ci on the PR branch:

- gh pr view <n> --json headRefOid,mergeable,statusCheckRollup
- gh pr checks <n> — Netlify check success on current headRefOid
- @netlify/plugin-lighthouse on preview if available
- If pending: poll ~5 min. If failed: do not merge; run debug-netlify-pr.sh <n> or see references/netlify-build-debug.md; recovery steps in references/merge-failures.md.
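The Layer A decision above (trust the Netlify check only when it ran on the head you validated locally; pending means poll, anything else means do not merge) as an added example, not part of the skill's own scripts. It evaluates the parsed output of `gh pr view <n> --json headRefOid,mergeable,statusCheckRollup`; the sample PR payloads are constructed, and the assumption that the Netlify entry is identified by "netlify" in its check name or status context is mine.

```python
"""Layer A gate for a site Dependabot PR: decide from gh's JSON whether the
Netlify preview check passed on the commit that was validated locally."""
import json
import subprocess

# Conclusions/states that gh reports for failed check runs and commit statuses.
FAILED = {"FAILURE", "ERROR", "CANCELLED", "TIMED_OUT", "ACTION_REQUIRED", "STARTUP_FAILURE"}


def _normalize(entry):
    """Map one statusCheckRollup entry to (name, outcome).

    gh emits CheckRun entries (name/status/conclusion) and StatusContext
    entries (context/state). Outcome is "SUCCESS", "PENDING" or a FAILED value.
    """
    if entry.get("__typename") == "StatusContext":
        state = entry.get("state", "PENDING")
        return entry.get("context", ""), ("PENDING" if state in ("PENDING", "EXPECTED") else state)
    # CheckRun: the conclusion only means something once status is COMPLETED.
    if entry.get("status") != "COMPLETED":
        return entry.get("name", ""), "PENDING"
    return entry.get("name", ""), entry.get("conclusion", "PENDING")


def layer_a_verdict(pr, local_head):
    """Return one of: stale, conflicting, failed, pending, green.

    pr is the parsed gh JSON; local_head is `git rev-parse HEAD` on the
    checked-out PR branch. Checks are trusted only for that exact head.
    """
    if local_head != pr.get("headRefOid"):
        return "stale"          # checks belong to a different commit than the one validated locally
    if pr.get("mergeable") == "CONFLICTING":
        return "conflicting"    # needs @dependabot rebase before anything else
    # Assumption: the Netlify entry carries "netlify" in its name or context.
    netlify = [_normalize(e) for e in pr.get("statusCheckRollup", [])
               if "netlify" in (e.get("name") or e.get("context") or "").lower()]
    if not netlify:
        return "pending"        # Netlify has not registered a check for this head yet
    outcomes = {outcome for _, outcome in netlify}
    if outcomes & FAILED:
        return "failed"
    if "PENDING" in outcomes:
        return "pending"
    return "green" if outcomes == {"SUCCESS"} else "failed"   # SKIPPED/NEUTRAL etc. are not green


def gate_from_gh(pr_number):
    """Run gh and git for a real PR and return the verdict (needs network + gh auth)."""
    pr = json.loads(subprocess.run(
        ["gh", "pr", "view", str(pr_number), "--json", "headRefOid,mergeable,statusCheckRollup"],
        check=True, capture_output=True, text=True).stdout)
    head = subprocess.run(["git", "rev-parse", "HEAD"], check=True,
                          capture_output=True, text=True).stdout.strip()
    return layer_a_verdict(pr, head)


# Constructed sample payloads in the shape gh returns (not real PR data).
HEAD = "0123456789abcdef0123456789abcdef01234567"
SAMPLE_GREEN = {
    "headRefOid": HEAD, "mergeable": "MERGEABLE",
    "statusCheckRollup": [
        {"__typename": "CheckRun", "name": "Site CI", "status": "COMPLETED", "conclusion": "SUCCESS"},
        {"__typename": "StatusContext", "context": "netlify/example-site/deploy-preview", "state": "SUCCESS"},
    ],
}
SAMPLE_PENDING = {
    "headRefOid": HEAD, "mergeable": "UNKNOWN",
    "statusCheckRollup": [
        {"__typename": "StatusContext", "context": "netlify/example-site/deploy-preview", "state": "PENDING"},
    ],
}
SAMPLE_FAILED = {
    "headRefOid": HEAD, "mergeable": "MERGEABLE",
    "statusCheckRollup": [
        {"__typename": "CheckRun", "name": "netlify/deploy-preview", "status": "COMPLETED", "conclusion": "FAILURE"},
    ],
}

if __name__ == "__main__":
    for label, pr in (("green", SAMPLE_GREEN), ("pending", SAMPLE_PENDING), ("failed", SAMPLE_FAILED)):
        print(label, "->", layer_a_verdict(pr, HEAD))
```

"stale" is the case the page's "on current headRefOid" wording guards against: a force-pushed rebase after your local `make ci` invalidates both the local result and the old checks, so the gate refuses until you re-checkout.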
From site/ on the PR branch (after Layer A is green on the same head):

```sh
# site/.env from .env.example (see tool-bootstrap.md)
export MESSAGE="PR #NNN dependabot <package>"   # optional
make site-netlify-validate
```
See references/netlify-cli-validate.md.
Full mode sequence: check-tools --netlify → make ci → Layer A → site-netlify-validate → merge.

Without site/.env, do not run Full automation; document the degraded path in the verdict.
Only with explicit user consent per PR or batch.
Template script (sets CONFIRM_MERGE=1 only after consent). Checkout the PR first; working tree must match headRefOid (clean tree, or ALLOW_DIRTY_TREE=1):

```sh
gh pr checkout 573
CONFIRM_MERGE=1 PR=573 MESSAGE="dependabot shx" \
  ./.agents/skills/sq-site-dependabot/scripts/merge-next.sh
```
merge-next.sh enforces Layer A (gh pr checks), HEAD = headRefOid, then Layer B.
Happy path:

1. Layer A green and HEAD = headRefOid (as enforced by merge-next.sh)
2. make site-netlify-validate (Layer B)
3. gh pr review <n> --approve --body "…"
4. gh pr merge <n> --squash --delete-branch (default; no --admin)
5. gh pr comment <next> --body "@dependabot rebase"
6. gh pr view <next> --json mergeable every 10s (max ~5 min)

Admin merge only when the user explicitly requests it and checks are green but merge is blocked: gh pr merge <n> --squash --admin --delete-branch.
Failures: references/merge-failures.md.
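Steps 5 and 6 of the happy path (request a rebase of the next PR, then poll its mergeable state every 10s for at most ~5 min) as an added example; this is not the skill's merge-next.sh. It assumes gh is authenticated; `fetch_state` and `sleep` are injectable so the loop can be exercised offline with a scripted state sequence.

```python
"""Between merges: ask Dependabot to rebase the next site PR onto the new
default branch (shared bun.lock), then poll until GitHub settles mergeable."""
import subprocess
import time


def gh_mergeable(pr_number):
    """Return the PR's mergeable state (MERGEABLE, CONFLICTING or UNKNOWN) via gh."""
    out = subprocess.run(
        ["gh", "pr", "view", str(pr_number), "--json", "mergeable", "--jq", ".mergeable"],
        check=True, capture_output=True, text=True)
    return out.stdout.strip()


def request_rebase(pr_number):
    """Post the comment that makes Dependabot rebase the PR."""
    subprocess.run(["gh", "pr", "comment", str(pr_number), "--body", "@dependabot rebase"],
                   check=True)


def wait_for_mergeable(pr_number, fetch_state=gh_mergeable, interval=10, timeout=300,
                       sleep=time.sleep):
    """Poll until the state is settled or the time budget is spent.

    Returns "MERGEABLE", "CONFLICTING" (stop: the rebase did not resolve the
    lockfile, see references/merge-failures.md) or "TIMEOUT" (still UNKNOWN
    after `timeout` seconds, i.e. GitHub has not recomputed the state yet).
    """
    waited = 0
    while True:
        state = fetch_state(pr_number)
        if state in ("MERGEABLE", "CONFLICTING"):
            return state
        if waited >= timeout:
            return "TIMEOUT"
        sleep(interval)
        waited += interval


if __name__ == "__main__":
    import sys
    nxt = int(sys.argv[1])          # number of the next Dependabot PR in the ordered plan
    request_rebase(nxt)
    print(nxt, wait_for_mergeable(nxt))
```

Only MERGEABLE lets the loop continue to the next Layer A + Layer B pass; CONFLICTING and TIMEOUT both hand control back to the operator rather than retrying the merge blindly.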
Per PR (GitHub comment or chat):

```markdown
## Dependabot PR #NNN — <package>
- **Tier:** T0–T4
- **Site CI:** pass / fail (root cause)
- **Netlify preview (A):** URL + check on head SHA
- **Netlify CLI (B):** deploy_id, deploy_url, state (or skipped)
- **Lighthouse:** perf/a11y/bp/seo deltas (or N/A)
- **Local `make ci`:** pass / fail
- **Verdict:** merge | hold | close + migration PR
- **Next step:** …
```