{"id":48220244,"url":"https://github.com/datagrail/dependabot-automerge-simulator","last_synced_at":"2026-04-04T19:09:07.765Z","repository":{"id":346462806,"uuid":"1190087936","full_name":"datagrail/dependabot-automerge-simulator","owner":"datagrail","description":"Test repository for dependabot-automerge","archived":false,"fork":false,"pushed_at":"2026-04-01T01:28:20.000Z","size":368,"stargazers_count":0,"open_issues_count":9,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-01T03:59:23.760Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/datagrail.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-24T00:38:56.000Z","updated_at":"2026-03-27T01:16:31.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/datagrail/dependabot-automerge-simulator","commit_stats":null,"previous_names":["datagrail/dependabot-automerge-simulator"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/datagrail/dependabot-automerge-simulator","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/datagrail%2Fdependabot-automerge-simulator","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/datagrail%2Fdependabot-automerge-simulator/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/datagrail%2Fdependabot-automerge-simulator/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/datagrail%2Fdependabot-automerge-simulator/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/datagrail","download_url":"https://codeload.github.com/datagrail/dependabot-automerge-simulator/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/datagrail%2Fdependabot-automerge-simulator/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31409471,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-04T10:20:44.708Z","status":"ssl_error","status_checked_at":"2026-04-04T10:20:06.846Z","response_time":60,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-04-04T19:09:07.180Z","updated_at":"2026-04-04T19:09:07.760Z","avatar_url":"https://github.com/datagrail.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# dependabot-automerge-simulator\n\nTest repository for [dependabot-automerge](https://github.com/datagrail/dependabot-automerge). Contains real package manifests with pinned old versions so Dependabot creates authentic PRs that exercise each decision branch of the automerge tool.\n\n## Ecosystems\n\n| Directory | Ecosystem | Dependabot type |\n|---|---|---|\n| `python/` | pip | version updates + security updates |\n| `ruby/` | bundler | version updates + security updates |\n| `javascript/` | npm | version updates + security updates |\n\n## Scenarios covered\n\nEach ecosystem pins packages at versions that produce specific automerge outcomes:\n\n| Scenario | Package | Pinned version | Expected outcome |\n|---|---|---|---|\n| Security fix (minor) | `requests` (Python) | 2.27.1 | Immediate merge — CVE-2023-32681 fixed in 2.31.0 |\n| Major version bump | `Flask` (Python) | 2.3.3 | Labeled \"Human Needed\" — 2.x → 3.x |\n| Routine minor/patch | `certifi` (Python) | 2023.7.22 | Merged after cooldown |\n| Routine minor/patch | `urllib3` (Python) | 1.26.12 | Merged after cooldown (or major bump to 2.x) |\n| Security fix (patch) | `rack` (Ruby) | 2.2.3 | Immediate merge — multiple CVEs fixed in 2.2.6.3+ |\n| Major version bump | `rake` (Ruby) | 12.3.3 | Labeled \"Human Needed\" — 12.x → 13.x |\n| Routine minor/patch | `json` (Ruby) | 2.7.0 | Merged after cooldown |\n| Security fix (minor) | `lodash` (JS) | 4.17.11 | Immediate merge — CVE-2020-8203 fixed in 4.17.21 |\n| Major version bump | `axios` (JS) | 0.27.2 | Labeled \"Human Needed\" — 0.x → 1.x |\n| Routine minor/patch | `express` (JS) | 4.17.3 | Merged after cooldown (or major bump if Express 5.x) |\n\n**Foreign commits** — manual scenario: after Dependabot creates any PR, push one extra commit to its branch from your own account. The next automerge run will label it \"Human Needed\" with reason \"foreign commits detected\".\n\n## How the baseline/reset system works\n\nThe simulator uses a **`baseline` branch** to maintain the known-good state where all dependencies are pinned at vulnerable/old versions. This branch is the \"reset point\" — the file state the repo returns to after each test cycle.\n\n### Lifecycle\n\n```\n1. baseline branch holds the vulnerable state (old deps + app code)\n2. Dependabot opens PRs to bump each dependency\n3. You run dependabot-automerge to test classification/merging\n4. ./scripts/reset.sh commits baseline's file state onto main\n5. Dependabot recreates its PRs against the reset main\n```\n\n### Automatic baseline tracking\n\nThe `update-baseline` workflow (`.github/workflows/update-baseline.yml`) runs on every push to main:\n\n- **Non-Dependabot commit** (human work): cherry-picks it onto the `baseline` branch so new ecosystems, app code, CI changes, etc. automatically become part of the reset point.\n- **Reset commit** (message starts with `Reset:`): skipped — these restore baseline state and don't need to be cherry-picked back.\n- **Dependabot commit**: fails the workflow with an error. A Dependabot commit on main means the simulator is \"dirty\" and needs resetting.\n\n### What the reset script does\n\n`./scripts/reset.sh` performs these steps:\n\n1. **Overlays the baseline file state** onto main using `git checkout origin/baseline -- .` and commits it as a normal forward commit. No force pushing.\n2. **Updates the `last-reset` date** in `dependabot.yml` to trigger a Dependabot rescan.\n3. **Comments `@dependabot recreate`** on all open Dependabot PRs so they rebuild against the reset main. PRs are never closed or deleted — this avoids Dependabot's \"won't notify you again\" behavior.\n\n## Running dependabot-automerge against this repo\n\n```bash\n# Dry run — classify PRs without merging anything\nGH_TOKEN=\u003ctoken\u003e uv run automerge \\\n  --org datagrail \\\n  --repos dependabot-automerge-simulator \\\n  --dry-run\n\n# Bypass cooldown to test routine merge flow\nGH_TOKEN=\u003ctoken\u003e uv run automerge \\\n  --org datagrail \\\n  --repos dependabot-automerge-simulator \\\n  --cooldown-days 0 \\\n  --dry-run\n\n# Keep all routine PRs in cooldown (security merges only)\nGH_TOKEN=\u003ctoken\u003e uv run automerge \\\n  --org datagrail \\\n  --repos dependabot-automerge-simulator \\\n  --cooldown-days 999 \\\n  --dry-run\n```\n\n## Resetting\n\nAfter a test run (especially a live run), reset the repo so Dependabot recreates fresh PRs:\n\n```bash\n./scripts/reset.sh\n```\n\nTo trigger version update scans immediately rather than waiting for the daily schedule, visit:\n\n```\nhttps://github.com/datagrail/dependabot-automerge-simulator/network/updates\n```\n\nand click **\"Check for updates\"** next to each ecosystem.\n\n## Adding a new ecosystem\n\nSee [ADDING_ECOSYSTEMS.md](./ADDING_ECOSYSTEMS.md).\n\n## Branch protection\n\nThe `main` branch requires the `tests-passed` CI check to pass. This check gates Dependabot PR merges and ensures the CI workflow is exercised end-to-end.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdatagrail%2Fdependabot-automerge-simulator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdatagrail%2Fdependabot-automerge-simulator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdatagrail%2Fdependabot-automerge-simulator/lists"}