…ency management and releases
This merge introduces the complete automated dependency management and release pipeline for Runtime Node, closing the gap between a Dependabot Node.js base image bump and a fully tagged, published GitHub Release with zero manual steps required. The pipeline is composed of four interconnected pieces that activate in sequence whenever Dependabot detects a new Node.js version. Dependabot is configured to monitor the Docker ecosystem daily, targeting the root Dockerfile on the develop branch, and will raise a PR labelled with dependencies, docker, and node using the chore commit prefix with a one-PR-at-a-time limit. When that PR is opened, the auto-merge workflow detects it as a Dependabot PR carrying the dependencies label and immediately enables auto-merge using a merge commit strategy. Once the PR lands on develop, the release-from-develop workflow activates, extracts the Node.js version from the Dockerfile via a grep regex, reads the SemVer from the VERSION file, constructs the release branch name in the format release/v<semver>-<node_version>, pushes it to origin, and opens a structured PR to main using peter-evans/create-pull-request. When that release PR is merged into main, the tag-and-release workflow fires, recomputes the full tag, creates and pushes an annotated Git tag, and publishes a GitHub Release via actions/create-release with an auto-generated body including the resolved Node version. The VERSION file introduced at the repository root contains 1.0.0 and serves as the single source of truth for the SemVer component across both automated workflows. To trigger a major or minor SemVer bump in a future release, the VERSION file must be updated manually before the Dependabot cycle runs. There are no breaking changes to the existing PR testing or deployment workflows, and no migration steps are required.
This merge updates both CONTRIBUTING.md and README.md to accurately document the automated dependency management and release pipeline that was introduced in the previous ci/dependabot-auto-release merge. Prior to this change, neither document reflected the existence of Dependabot, the auto-merge workflow, the release-from-develop workflow, or the tag-and-release workflow — leaving contributors without an accurate reference for how releases are now produced. CONTRIBUTING.md receives the most substantial changes. The table of contents block has been removed as a housekeeping improvement. A new Automated Dependency Management section is introduced, walking through all four pipeline stages in prose: daily Dependabot Docker monitoring against develop, automatic PR merging upon detection of the dependencies label, the release-from-develop workflow reading the Node.js version from the Dockerfile and the SemVer from the VERSION file to construct a release/v<semver>-<node_version> branch and open a PR to main, and the tag-and-release workflow creating an annotated Git tag and publishing a GitHub Release. A VERSION File subsection clarifies that patch releases are fully automatic while major and minor SemVer bumps require a manual update to the VERSION file before the next Dependabot cycle. The Release Process section has been rewritten from a manual tag-push description into a numbered seven-step automated flow that now terminates with the deployment workflow publishing the multi-arch image to both registries with provenance and SBOM. README.md receives a focused addition to its CI/CD Quality Guarantees section — a new paragraph summarising the full automated pipeline for users and downstream consumers. There are no code or image changes in this merge, no migration steps required, and no behavioral impact on any workflow or published artifact.
Summary
This PR promotes release/v1.1.0-24.13.1 into main, representing the second release of Runtime Node. The Node.js version remains at 24.13.1 — the minor SemVer bump from 1.0.0 to 1.1.0 reflects the two development cycles added to develop since the last release: the complete automated dependency management and release pipeline (ci/dependabot-auto-release), and the corresponding documentation updates (docs/update-documentation).

Merging this PR into main will make the updated codebase release-ready. The tag-and-release workflow will automatically create an annotated Git tag and publish a GitHub Release, and the existing deployment.yml workflow will trigger on the v1.1.0-24.13.1 tag to build and push the multi-platform image to both Docker Hub and GHCR with provenance attestations and an SBOM.

Files Changed

Added:
- .github/dependabot.yml
- .github/workflows/auto-merge-dependabot.yml
- .github/workflows/release-from-develop.yml
- .github/workflows/tag-and-release.yml
- VERSION

Modified:
- CONTRIBUTING.md
- README.md

Deleted:
Key Changes
- .github/dependabot.yml — configures Dependabot on the docker ecosystem to monitor the root Dockerfile daily against develop, with the chore commit prefix, a / branch separator, dependencies, docker, and node labels, and a one-open-PR limit.
- .github/workflows/auto-merge-dependabot.yml — automatically enables auto-merge (merge commit strategy) on any PR where the actor is dependabot[bot] and the dependencies label is present, using the built-in GITHUB_TOKEN.
- .github/workflows/release-from-develop.yml — triggered on pushes to develop by dependabot[bot]; extracts the Node.js version from the Dockerfile, reads the SemVer from the VERSION file, constructs a release/v<semver>-<node_version> branch, and opens a structured PR to main using peter-evans/create-pull-request@v5.
- .github/workflows/tag-and-release.yml — triggered on pushes to main; computes the full tag from the VERSION file and Dockerfile Node version, creates and pushes an annotated Git tag, and publishes a GitHub Release using actions/create-release@v1.
- VERSION — a plain text file containing 1.0.0 serving as the SemVer source of truth for the automated release workflows.
- CONTRIBUTING.md — removed the table of contents, added a new Automated Dependency Management section documenting all four pipeline stages and a VERSION File subsection, and rewrote the Release Process section as a numbered seven-step automated flow.
- README.md — added an Automated Dependency Management & Release paragraph to the CI/CD Quality Guarantees section describing the full end-to-end automated pipeline for users and downstream consumers.
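
The version extraction and tag construction described for release-from-develop.yml and tag-and-release.yml, as an added example that is not the project's workflow code: it derives v<semver>-<node_version> and refuses any value that is not a strict numeric x.y.z before it can reach a branch or tag name. The `FROM node:<version>[-variant]` line form, the sed pattern and the function names are assumptions, since the page does not show the project's grep regex.

```shell
#!/bin/sh
# Added example: compute the release tag from a Dockerfile and a VERSION file,
# validating both inputs before they are used in a ref name or a command line.

# Succeeds only for a single-line x.y.z made of digits and dots.
is_strict_version() {
  case $1 in ''|*[!0-9.]*) return 1 ;; esac   # rejects spaces, newlines, metacharacters
  printf '%s\n' "$1" | grep -Eqx '[0-9]+\.[0-9]+\.[0-9]+'
}

# Prints the Node.js version pinned by the first "FROM node:" line.
# Assumed form: FROM [--platform=...] node:<x.y.z>[-variant][@digest] [AS name]
node_version_from_dockerfile() {
  tag=$(sed -n -E \
    's/^FROM[[:space:]]+(--platform=[^[:space:]]+[[:space:]]+)?node:([^[:space:]@]+).*/\2/p' \
    "$1" 2>/dev/null | head -n 1)
  ver=${tag%%-*}                      # drop a variant suffix such as -alpine
  is_strict_version "$ver" || return 1  # floating tags (node:24, node:lts) fail here
  printf '%s\n' "$ver"
}

# Prints the SemVer held in the VERSION file; the file must hold exactly one value.
semver_from_file() {
  ver=$(cat "$1" 2>/dev/null) || return 1
  is_strict_version "$ver" || return 1
  printf '%s\n' "$ver"
}

# usage: release_tag <Dockerfile> <VERSION file>  ->  v<semver>-<node_version>
release_tag() {
  node=$(node_version_from_dockerfile "$1") || return 1
  semver=$(semver_from_file "$2") || return 1
  printf 'v%s-%s\n' "$semver" "$node"
}

# Constructed sample input (not the project's files).
tmp=$(mktemp -d)
printf 'FROM node:24.13.1-alpine AS base\n' > "$tmp/Dockerfile"
printf '1.1.0\n' > "$tmp/VERSION"
release_tag "$tmp/Dockerfile" "$tmp/VERSION"
rm -rf "$tmp"
```

A workflow step that calls `release_tag` and stops on a non-zero exit keeps a malformed Dockerfile or VERSION value from turning into a pushed branch, tag or release name.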