sq-site-dependabot
Reviews, validates, and safely merges Dependabot pull requests for the sq.io site (site/, Bun lockfile). Use when clearing site dependency PRs, triaging Dependabot failures, or checking Lighthouse impact before merge.
| Field | Value |
|---|---|
| name | sq-site-dependabot |
| description | Reviews, validates, and safely merges Dependabot pull requests for the sq.io site (site/, Bun lockfile). Use when clearing site dependency PRs, triaging Dependabot failures, or checking Lighthouse impact before merge. |
| license | MIT |
| compatibility | Requires gh CLI (authenticated), Bun 1.2+, make, jq, curl, and network access to GitHub and Netlify. Full merges need NETLIFY_AUTH_TOKEN and NETLIFY_SITE_ID for make site-netlify-validate. |
| metadata | {"author":"Todd Papaioannou","homepage":"https://sq.io","version":"0.2.1"} |
Maintainer workflow for Dependabot PRs touching site/ or site/bun.lock. Read AGENTS.md for skill install paths.
Do not merge site Dependabot PRs in bulk without rebasing between merges: they all modify the shared site/bun.lock, so each merge leaves the remaining PRs conflicting until Dependabot rebases them.
| Mode | Actions | Merge |
|---|---|---|
| Audit | List/classify; CI; ordered plan | No |
| Validate | Branch checkout; make ci | No |
| Full | Audit + validate + merge loop | Consent |
Default to Audit unless the user says "merge", "clear them", or "full".
Run the tool check first in every mode; stop on failure.

```shell
# gh auth + site deps (bun install if needed) + make check
.agents/skills/sq-site-dependabot/scripts/check-tools.sh
# Full / Layer B (+ NETLIFY_* via make check-netlify):
.agents/skills/sq-site-dependabot/scripts/check-tools.sh --netlify
# Or: gh api user -q .login && cd site && bun install && make check-netlify
```
check-tools.sh runs bun install in site/ when bun x netlify-cli is missing
(fresh clone, agent sandbox). Needs network. SKIP_SITE_DEPS=1 skips that step.
Layer B (site-netlify-validate) always uses bun x netlify-cli — a global/brew
CLI does not replace bun install.
Details: references/tool-bootstrap.md.
From the repository root:

```shell
gh pr list --author 'app/dependabot' --state open \
  --json number,title,headRefName,mergeable,statusCheckRollup,createdAt \
  --jq '.[] | select(.headRefName | test("^dependabot/"))'
```
Confirm each candidate touches site/ (gh pr diff <n> --name-only). Treat the list as
candidates — refine by path if the filter is too broad.
For each PR, assign a risk tier (T0 to T4). Read references/risk-tiers.md before ordering merges. Package notes: references/high-risk-packages.md.
Produce an ordered plan (T0 → T1 → T2; hold T3/T4).
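As an added example (not one of the skill's own scripts), the audit step as a small shell pipeline. It assumes the list was pulled with the gh pr list command above but with a --jq template that emits TSV (`[.number, .headRefName, .title, .mergeable] | @tsv`) instead of JSON objects, and it feeds a constructed sample of that output with illustrative package names. references/risk-tiers.md is not on this page, so the ordering key is the semver bump size (patch, then minor, majors held) as a stand-in for the T0 to T4 tiers; the branch/title filter is only a candidate filter, and gh pr diff <n> --name-only remains the confirming check.

```shell
#!/bin/sh
# Added example, not from the sq repo: turn the Dependabot PR list into an ordered merge plan.
# Tier rules live in references/risk-tiers.md (not reproduced here); the semver bump size is
# used as a stand-in ordering key. Package names in the sample are illustrative.
set -eu

tab=$(printf '\t')

# Constructed sample of:
#   gh pr list --author app/dependabot --state open \
#     --json number,headRefName,title,mergeable \
#     --jq '.[] | [.number, .headRefName, .title, .mergeable] | @tsv'
sample_prs() {
  printf '%s\t%s\t%s\t%s\n' \
    571 dependabot/npm_and_yarn/site/shx-0.4.0        'Bump shx from 0.3.4 to 0.4.0 in /site'        MERGEABLE \
    572 dependabot/go_modules/golang.org/x/net-0.33.0 'Bump golang.org/x/net from 0.32.0 to 0.33.0' MERGEABLE \
    573 dependabot/npm_and_yarn/site/astro-5.2.0      'Bump astro from 4.16.18 to 5.2.0 in /site'    CONFLICTING \
    574 dependabot/npm_and_yarn/site/typescript-5.7.3 'Bump typescript from 5.7.2 to 5.7.3 in /site' MERGEABLE \
    575 dependabot/npm_and_yarn/site/prettier-3.4.2   'Bump prettier from 3.4.1 to 3.4.2 in /site'   CONFLICTING
}

# plan_site_prs < TSV  ->  "#<number>\t<package>\t<bump>\t<action>" lines in merge order.
# Keeps only Dependabot branches whose title ends "in /site" (candidate filter: still confirm
# with `gh pr diff <n> --name-only`). Actions: merge; rebase-first (CONFLICTING on the shared
# bun.lock: comment "@dependabot rebase" and re-poll mergeable); hold (major bump, review by hand).
plan_site_prs() {
  awk -F'\t' '
    # Semver bump size between two versions; pre-release/build suffixes are ignored.
    # Note: under 0.x a "minor" bump may still be breaking.
    function bump_kind(f, t,    a, b, nf, nt) {
      sub(/[-+].*$/, "", f); sub(/[-+].*$/, "", t)
      nf = split(f, a, "."); nt = split(t, b, ".")
      if (nf < 3 || nt < 3) return "unknown"
      if (a[1] + 0 != b[1] + 0) return "major"
      if (a[2] + 0 != b[2] + 0) return "minor"
      if (a[3] + 0 != b[3] + 0) return "patch"
      return "none"
    }
    BEGIN { rank["patch"] = 0; rank["minor"] = 1; rank["major"] = 2; rank["unknown"] = 3; rank["none"] = 3 }
    $2 !~ /^dependabot\// { next }
    $3 !~ / in \/site$/   { next }
    {
      # Single-package titles read "Bump <pkg> from <old> to <new> in /site"; grouped or
      # multi-package titles do not match and are left as "unknown" for manual triage.
      if (match($3, /^Bump [^ ]+ from [^ ]+ to [^ ]+ in \/site$/)) {
        split($3, w, " "); pkg = w[2]; kind = bump_kind(w[4], w[6])
      } else {
        pkg = $3; kind = "unknown"
      }
      action = ($4 == "MERGEABLE") ? "merge" : "rebase-first"
      if (kind == "major") action = "hold"
      # Leading sort keys: bump rank, then PR number (oldest first within a rank); cut drops them.
      printf "%d\t%s\t#%s\t%s\t%s\t%s\n", rank[kind], $1, $1, pkg, kind, action
    }' | sort -t "$tab" -k1,1n -k2,2n | cut -f3-
}

sample_prs | plan_site_prs
```

The gomod PR in the sample drops out because its title does not end in "/site"; the two CONFLICTING PRs are not skipped but marked rebase-first, which is the rebase-between-merges rule from the top of this page expressed as an action.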
Check out the PR branch. From site/:

```shell
make deps   # if needed after checkout
make ci     # matches Site CI (necessary, not sufficient for Netlify)
```
Pin Bun to the version in site/netlify.toml (BUN_VERSION) and site-ci.yml.
Optional: make site-lighthouse for T2+ when preview Lighthouse is unclear.
After make ci on the PR branch, Layer A (Netlify preview checks):

```shell
gh pr view <n> --json headRefOid,mergeable,statusCheckRollup
gh pr checks <n>
```

- Netlify check: success on the current headRefOid
- @netlify/plugin-lighthouse on the preview, if available
- If pending: poll ~5 min. If failed: do not merge; run debug-netlify-pr.sh <n> or see references/netlify-build-debug.md; recovery steps in references/merge-failures.md.
From site/ on the PR branch (after Layer A is green on the same head):

```shell
# site/.env from .env.example (see tool-bootstrap.md)
export MESSAGE="PR #NNN dependabot <package>"   # optional
make site-netlify-validate
```
See references/netlify-cli-validate.md.
Full mode sequence:
check-tools --netlify → make ci → Layer A → site-netlify-validate → merge
Without site/.env, do not run Full automation; document degraded path
in the verdict.
Merge only with explicit user consent, per PR or per batch.
Template script (sets CONFIRM_MERGE=1 only after consent). Check out the PR first; the working tree must match headRefOid (clean tree, or ALLOW_DIRTY_TREE=1):

```shell
gh pr checkout 573
CONFIRM_MERGE=1 PR=573 MESSAGE="dependabot shx" \
  ./.agents/skills/sq-site-dependabot/scripts/merge-next.sh
```
merge-next.sh enforces Layer A (gh pr checks), HEAD = headRefOid, then Layer B.
Happy path:

1. Layer A green on the current head (headRefOid)
2. make site-netlify-validate (Layer B)
3. gh pr review <n> --approve --body "…"
4. gh pr merge <n> --squash --delete-branch (default; no --admin)
5. gh pr comment <next> --body "@dependabot rebase"
6. gh pr view <next> --json mergeable every 10s (max ~5 min)

Admin merge only when the user explicitly requests it and checks are green but the merge is blocked: gh pr merge <n> --squash --admin --delete-branch.
Failures: references/merge-failures.md.
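As an added example covering the Layer A check above, the gates merge-next.sh is described as enforcing (Layer A on the pinned head, HEAD = headRefOid, clean tree unless ALLOW_DIRTY_TREE=1, CONFIRM_MERGE=1) and the rebase-and-poll step of the happy path: the same logic as small, offline-testable POSIX shell functions. This is illustrative code, not the skill's scripts/merge-next.sh. Assumptions: gh pr checks <n> is read in its non-interactive tab-separated form, where the first two columns are the check name and a state word (pass, fail, pending, skipping, cancel); the Netlify check is recognised by "netlify" in its name; the check names in the demo input are constructed. Only the gh/git calls in pre_merge_gate and rebase_next need a network.

```shell
#!/bin/sh
# Added example, not the project's scripts/merge-next.sh: the pre-merge gates from this page as
# testable functions. Assumption: `gh pr checks <n>` piped (non-interactive) prints tab-separated
# rows whose first two columns are name and state (pass/fail/pending/skipping/cancel).
set -eu

# netlify_verdict < output-of-gh-pr-checks  ->  green | pending | failed | missing
# "missing" (no Netlify row at all) is not green: Netlify may not have picked up the head yet.
netlify_verdict() {
  awk -F'\t' '
    tolower($1) ~ /netlify/ {
      seen = 1
      if ($2 == "fail" || $2 == "cancel") failed = 1
      else if ($2 != "pass" && $2 != "skipping") pending = 1   # pending or any unknown state
    }
    END {
      if (!seen) print "missing"
      else if (failed) print "failed"
      else if (pending) print "pending"
      else print "green"
    }'
}

# head_pinned EXPECTED_OID ACTUAL_OID: the checked-out commit is the PR head the checks ran on.
head_pinned() { [ -n "$1" ] && [ "$1" = "$2" ]; }

# tree_clean "$(git status --porcelain)": no local edits, unless ALLOW_DIRTY_TREE=1.
tree_clean() { [ "${ALLOW_DIRTY_TREE:-0}" = 1 ] || [ -z "$1" ]; }

# poll_until INTERVAL_SECONDS MAX_TRIES CMD [ARGS...]: rerun CMD until it exits 0; 1 on timeout.
poll_until() {
  interval=$1; tries=$2; shift 2
  i=0
  while [ "$i" -lt "$tries" ]; do
    if "$@"; then return 0; fi
    i=$((i + 1))
    if [ "$i" -lt "$tries" ]; then sleep "$interval"; fi
  done
  return 1
}

netlify_green() { [ "$(gh pr checks "$1" | netlify_verdict)" = green ]; }
mergeable_now() { [ "$(gh pr view "$1" --json mergeable --jq .mergeable)" = MERGEABLE ]; }

# pre_merge_gate PR: returns 0 only when Layer B (make site-netlify-validate) and the merge may
# proceed. Re-reading headRefOid here is what ties the check result to the commit in the tree:
# a Dependabot rebase after checkout moves the head and invalidates both.
pre_merge_gate() {
  pr=$1
  expected=$(gh pr view "$pr" --json headRefOid --jq .headRefOid)
  head_pinned "$expected" "$(git rev-parse HEAD)" \
    || { echo "HEAD is not PR head $expected (gh pr checkout $pr)"; return 1; }
  tree_clean "$(git status --porcelain)" \
    || { echo "working tree is dirty (ALLOW_DIRTY_TREE=1 to override)"; return 1; }
  case "$(gh pr checks "$pr" | netlify_verdict)" in
    green) ;;
    pending) poll_until 30 10 netlify_green "$pr" \
               || { echo "Netlify check not green after ~5 min on $expected"; return 1; } ;;
    *) echo "Netlify check failed/missing on $expected; see references/netlify-build-debug.md"
       return 1 ;;
  esac
  [ "${CONFIRM_MERGE:-0}" = 1 ] || { echo "CONFIRM_MERGE=1 not set: no user consent recorded"; return 1; }
}

# rebase_next NEXT_PR: after one merge, ask Dependabot to rebase the next PR onto the new
# bun.lock and wait for GitHub to recompute mergeability (every 10 s, max ~5 min).
rebase_next() {
  gh pr comment "$1" --body "@dependabot rebase"
  poll_until 10 30 mergeable_now "$1"
}

# Offline demo on a constructed `gh pr checks` excerpt (check names illustrative).
demo=$(printf 'netlify/example-site/deploy-preview\tpending\t0\t-\nSite CI\tpass\t3m\t-\n')
printf '%s\n' "$demo" | netlify_verdict   # pending
```

A Site CI pass with no Netlify row still yields "missing", so the gate refuses rather than treating a silent Netlify as success; the page's rule that make ci is necessary but not sufficient is what that branch encodes.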
Per PR (GitHub comment or chat):

```markdown
## Dependabot PR #NNN — <package>
- **Tier:** T0–T4
- **Site CI:** pass / fail (root cause)
- **Netlify preview (A):** URL + check on head SHA
- **Netlify CLI (B):** deploy_id, deploy_url, state (or skipped)
- **Lighthouse:** perf/a11y/bp/seo deltas (or N/A)
- **Local `make ci`:** pass / fail
- **Verdict:** merge | hold | close + migration PR
- **Next step:** …
```