{"id":29274449,"url":"https://github.com/stacksjs/buddy-bot","last_synced_at":"2026-02-10T18:11:27.556Z","repository":{"id":272049185,"uuid":"915332409","full_name":"stacksjs/buddy-bot","owner":"stacksjs","description":"🐶 Automated \u0026 optimized dependency updates for JavaScript \u0026 TypeScript projects. Like Renovate \u0026 Dependabot.","archived":false,"fork":false,"pushed_at":"2026-02-05T03:01:38.000Z","size":4428,"stargazers_count":8,"open_issues_count":11,"forks_count":3,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-02-05T11:41:58.730Z","etag":null,"topics":["automated","dependabot","dependency","launchpad","npm","php","renovate","typescript","updates","zig"],"latest_commit_sha":null,"homepage":"https://buddy.sh","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/stacksjs.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE.md","code_of_conduct":".github/CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":".github/SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":["stacksjs","chrisbbreuer"],"open_collective":"stacksjs"}},"created_at":"2025-01-11T15:20:15.000Z","updated_at":"2026-02-04T23:40:34.000Z","dependencies_parsed_at":"2025-01-11T18:32:33.726Z","dependency_job_id":"1ecdf15f-f9b9-4a74-bfae-05a70f2693c7","html_url":"https://github.com/stacksjs/buddy-bot","commit_stats":null,"previous_names":["stacksjs/buddy","stacksjs/buddy-bot"],"tags_count":85,"template":false,"template_full_name":null,"purl":"pkg:github/stacksjs/buddy-bot","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stacksjs%2Fbuddy-bot","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stacksjs%2Fbuddy-bot/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stacksjs%2Fbuddy-bot/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stacksjs%2Fbuddy-bot/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/stacksjs","download_url":"https://codeload.github.com/stacksjs/buddy-bot/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stacksjs%2Fbuddy-bot/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29310162,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-10T17:48:59.043Z","status":"ssl_error","status_checked_at":"2026-02-10T17:45:37.240Z","response_time":65,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["automated","dependabot","dependency","launchpad","npm","php","renovate","typescript","updates","zig"],"created_at":"2025-07-05T04:13:18.353Z","updated_at":"2026-02-10T18:11:27.543Z","avatar_url":"https://github.com/stacksjs.png","language":"TypeScript","funding_links":["https://github.com/sponsors/stacksjs","https://github.com/sponsors/chrisbbreuer","https://opencollective.com/stacksjs"],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\u003cimg src=\"https://github.com/stacksjs/buddy/blob/main/.github/art/cover.jpg?raw=true\" alt=\"Social Card of this repo\"\u003e\u003c/p\u003e\n\n[![npm version][npm-version-src]][npm-version-href]\n[![GitHub Actions][github-actions-src]][github-actions-href]\n[![Commitizen friendly](https://img.shields.io/badge/commitizen-friendly-brightgreen.svg)](http://commitizen.github.io/cz-cli/)\n\u003c!-- [![npm downloads][npm-downloads-src]][npm-downloads-href] --\u003e\n\u003c!-- [![Codecov][codecov-src]][codecov-href] --\u003e\n\n# 🐶 Buddy Bot\n\n\u003e The fastest, most intelligent dependency management bot for modern JavaScript and TypeScript projects _(and PHP, Zig)_.\n\nBuddy Bot is a lightning-fast alternative to Dependabot and Renovate, purpose-built for modern JavaScript, TypeScript, PHP, and Zig ecosystems. It intelligently scans your projects, detects outdated \u0026 deprecated dependencies across multiple package managers, and creates beautifully formatted pull requests with comprehensive changelogs and metadata.\n\n![Buddy Bot Pull Request Example](.github/art/screenshot.png)\n\n## Features\n\n### 🚀 **Performance \u0026 Speed**\n\n- **Lightning Fast Execution**: _Built with Bun for maximum performance_\n- **Intelligent Scanning**: _Uses `bun outdated` and GitHub releases API for accurate, real-time dependency detection_\n- **Optimized CI/CD**: _Minimal resource usage with smart caching_\n\n### 📦 **Universal Package Support**\n\n- **Multi-Package Manager**: _Full support for Bun, npm, yarn, pnpm, Composer, Zig, pkgx \u0026 Launchpad_\n- **GitHub Actions**: _Automatically updates workflow dependencies (`actions/checkout@v4`, etc.)_\n- **Docker Images**: _Detects and updates Dockerfile base images and versions_\n- **Zig Dependencies**: _Manages build.zig.zon dependencies with URL and hash tracking_\n- **Lock File Awareness**: _Respects and updates all lock file formats_\n\n### 🎯 **Smart Dependency Management**\n\n- **Configurable Update Strategies**: _Choose from major, minor, patch, or all updates_\n- **Flexible Package Grouping**: _Group related packages for cleaner, focused PRs_\n- **Intelligent Conflict Detection**: _Prevents breaking changes with smart dependency analysis_\n- **Security-First Updates**: _Prioritizes security patches and vulnerability fixes_\n\n### 📊 **Rich Dashboard \u0026 Monitoring**\n\n- **Dependency Dashboard**: _Centralized GitHub issue with complete dependency overview_\n- **Interactive Rebase**: _One-click PR updates via checkbox interface_\n- **Real-time Status Tracking**: _Live monitoring of all open PRs and pending updates_\n- **Comprehensive Reporting**: _Detailed update summaries with confidence metrics_\n\n### 🎨 **Beautiful Pull Requests**\n\n- **Multi-Format Tables**: _Separate sections for npm, PHP/Composer, Zig, pkgx/Launchpad, and GitHub Actions_\n- **Rich Metadata**: _Confidence badges, adoption metrics, age indicators, and download stats_\n- **Detailed Changelogs**: _Automatic release notes and breaking change detection_\n- **Professional Formatting**: _Clean, readable PR descriptions with proper categorization_\n\n### ⚙️ **Developer Experience**\n\n- **Zero Configuration**: _Works immediately with intelligent defaults_\n- **Interactive Setup**: _Renovate-like guided configuration with validation_\n- **Migration Tools**: _Seamless import from existing Renovate and Dependabot setups_\n- **TypeScript Config**: _Full type safety with `buddy-bot.config.ts`_\n\n### 🔌 **Extensible Integration**\n\n- **Plugin Ecosystem**: _Built-in Slack, Discord, and Jira integrations_\n- **Custom Hooks**: _Extensible system for organization-specific workflows_\n- **CI/CD Ready**: _Pre-built GitHub Actions workflows for all use cases_\n- **API Access**: _Programmatic control for advanced automation_\n\n## Quick Start\n\n```bash\n# Install globally\nbun add -g buddy-bot\n\n# Interactive setup (recommended)\nbuddy-bot setup\n\n# Non-interactive setup for CI/CD\nbuddy-bot setup --non-interactive\n\n# Non-interactive with specific preset\nbuddy-bot setup --non-interactive --preset testing --verbose\n\n# Or run directly for scanning only\nbuddy-bot scan\n```\n\n## Usage\n\n### Interactive Setup\n\nThe easiest way to get started is with the interactive setup command:\n\n```bash\nbuddy-bot setup\n```\n\nThis comprehensive setup wizard will guide you through configuring automated dependency updates for your project in a Renovate-like experience.\n\n### Non-Interactive Setup\n\nFor CI/CD pipelines and automated deployments, use the non-interactive mode:\n\n```bash\n# Basic non-interactive setup (uses defaults)\nbuddy-bot setup --non-interactive\n\n# Specify preset and token setup\nbuddy-bot setup --non-interactive --preset testing --token-setup existing-secret --verbose\n\n# Production setup with security focus\nbuddy-bot setup --non-interactive --preset security --token-setup existing-secret\n```\n\n**Available options:**\n\n- `--non-interactive` - Skip all prompts, use defaults\n- `--preset \u003ctype\u003e` - Workflow preset: `standard`, `high-frequency`, `security`, `minimal`, `testing` (default: `standard`)\n- `--token-setup \u003ctype\u003e` - Token mode: `default-token`, `existing-secret`, `new-pat` (default: `default-token`)\n\nThe setup process includes:\n\n**🔍 Pre-flight Validation**\n\n- **Environment checks** - Validates git repository, Node.js/Bun installation\n- **Conflict detection** - Scans for existing dependency management tools (Renovate, Dependabot)\n- **Git configuration** - Ensures proper git user setup\n- **GitHub CLI detection** - Suggests helpful tools for authentication\n\n**📊 Smart Project Analysis**\n\n- **Project type detection** - Identifies library, application, monorepo, or unknown projects\n- **Package manager detection** - Detects Bun, npm, yarn, pnpm with lock file validation\n- **Dependency ecosystem analysis** - Finds pkgx, Launchpad dependency files\n- **GitHub Actions discovery** - Scans existing workflows for updates\n- **Intelligent recommendations** - Suggests optimal setup based on project characteristics\n\n**📈 Interactive Progress Tracking**\n\n- **Visual progress bar** - Real-time completion percentage with progress indicators\n- **Step-by-step guidance** - Clear indication of current and completed steps\n- **Time tracking** - Setup duration monitoring\n- **Recovery capabilities** - Resume from failures with detailed error reporting\n\n**📋 Step 1: Configuration Migration \u0026 Discovery**\n\n- **Tool Detection** - Automatically detects existing Renovate and Dependabot configurations\n- **Seamless Migration** - Imports settings, schedules, package rules, and ignore patterns\n- **Compatibility Analysis** - Identifies incompatible features and provides alternatives\n- **Migration Report** - Detailed summary of migrated settings and confidence levels\n\n**🔌 Step 2: Integration Discovery**\n\n- **Plugin Discovery** - Automatically detects available integrations (Slack, Discord, Jira)\n- **Environment Detection** - Scans for webhook URLs, API tokens, and configuration files\n- **Plugin Loading** - Enables discovered integrations for setup completion notifications\n- **Custom Plugins** - Supports custom plugin definitions in `.buddy/plugins/` directory\n\n**🔍 Step 3: Repository Detection \u0026 Validation**\n\n- Automatically detects your GitHub repository from git remote\n- **API validation** - Tests repository access and permissions via GitHub API\n- **Repository health checks** - Validates issues, permissions, and settings\n- **Private repository support** - Enhanced validation for private repositories\n\n**🔑 Step 4: Enhanced Token Setup**\n\n- Guides you through creating a Personal Access Token (PAT)\n- **Scope validation** - Explains required scopes (`repo`, `workflow`) with examples\n- **Token testing** - Validates token permissions before proceeding\n- Helps set up repository secrets for enhanced features\n\n**🔧 Step 5: Repository Settings Validation**\n\n- Walks you through GitHub Actions permissions configuration\n- **Permission verification** - Tests workflow permissions in real-time\n- **Organization settings** - Guidance for organization-level permissions\n- Ensures proper workflow permissions for PR creation\n\n**⚙️ Step 6: Intelligent Workflow Configuration**\nChoose from several carefully crafted presets with smart recommendations:\n\n- **Standard Setup (Recommended)** - Dashboard updates 3x/week, balanced dependency updates\n- **High Frequency** - Check for updates multiple times per day\n- **Security Focused** - Frequent patch updates with security-first approach\n- **Minimal Updates** - Weekly checks, lower frequency\n- **Development/Testing** - Manual triggers + frequent checks for testing\n- **Custom Configuration** - Advanced schedule builder with cron preview\n\n**📝 Step 7: Enhanced Configuration Generation**\n\n- Creates `buddy-bot.config.json` with repository-specific settings\n- **Project-aware defaults** - Configuration optimized for detected project type\n- **Ecosystem integration** - Includes detected package managers and dependency files\n- Includes sensible defaults and customization options\n\n**🔄 Step 8: Workflow Generation \u0026 Validation**\n\n- Generates three core GitHub Actions workflows:\n  - `buddy-dashboard.yml` - Dependency Dashboard Management\n  - `buddy-check.yml` - Auto-rebase PR checker\n  - `buddy-update.yml` - Scheduled dependency updates\n- **YAML validation** - Ensures generated workflows are syntactically correct\n- **Security best practices** - Validates token usage and permissions\n- **Workflow testing** - Verifies generated workflows meet requirements\n\n**🎯 Step 9: Comprehensive Validation \u0026 Instructions**\n\n- **Setup verification** - Validates all generated files and configurations\n- **Workflow testing** - Tests generated workflow syntax and requirements\n- **Clear next steps** - Git commands and repository setup instructions\n- **Documentation links** - Direct links to GitHub settings pages\n- **Troubleshooting guide** - Common issues and solutions\n\n**🔌 Step 10: Integration Notifications**\n\n- **Plugin Execution** - Executes loaded integration hooks for setup completion\n- **Slack Notifications** - Rich setup completion messages with repository details\n- **Discord Embeds** - Colorful setup completion notifications with project information\n- **Jira Tickets** - Automatic task creation for tracking setup completion\n- **Custom Hooks** - Extensible system for organization-specific integrations\n\n### Command Line Interface\n\n```bash\n# Setup commands\nbuddy setup                                    # Interactive setup (recommended)\nbuddy setup --non-interactive                 # Non-interactive with defaults\nbuddy setup --non-interactive --preset testing --verbose\n\n# Scan for dependency updates\nbuddy scan\nbuddy scan --verbose\n\n# Check specific packages\nbuddy scan --packages \"react,typescript,@types/node\"\n\n# Check packages with glob patterns\nbuddy scan --pattern \"@types/*\"\n\n# Apply different update strategies\nbuddy scan --strategy minor\nbuddy scan --strategy patch\n\n# Update dependencies and create PRs\nbuddy update --dry-run\nbuddy update\n\n# Check for rebase requests and update PRs\nbuddy update-check\nbuddy update-check --dry-run\nbuddy update-check --verbose\n\n# Get help\nbuddy help\n```\n\n### Configuration\n\nCreate a `buddy-bot.config.ts` file in your project root:\n\n```typescript\nimport type { BuddyBotConfig } from 'buddy-bot'\n\nconst config: BuddyBotConfig = {\n  verbose: false,\n\n  // Repository settings for PR creation\n  repository: {\n    provider: 'github',\n    owner: 'your-org',\n    name: 'your-repo',\n    token: process.env.GITHUB_TOKEN,\n    baseBranch: 'main'\n  },\n\n  // Package update configuration\n  packages: {\n    strategy: 'all', // 'major' | 'minor' | 'patch' | 'all'\n    ignore: [\n      'legacy-package',\n      '@types/node' // Example ignores\n    ],\n    groups: [\n      {\n        name: 'TypeScript Types',\n        patterns: ['@types/*'],\n        strategy: 'minor'\n      },\n      {\n        name: 'ESLint Ecosystem',\n        patterns: ['eslint*', '@typescript-eslint/*'],\n        strategy: 'patch'\n      }\n    ]\n  },\n\n  // Pull request settings\n  pullRequest: {\n    titleFormat: 'chore(deps): {title}',\n    commitMessageFormat: 'chore(deps): {message}',\n    reviewers: ['maintainer1', 'maintainer2'],\n    labels: ['dependencies', 'automated'],\n    autoMerge: {\n      enabled: true,\n      strategy: 'squash', // 'merge', 'squash', or 'rebase'\n      conditions: ['patch-only'] // Only auto-merge patch updates\n    }\n  },\n\n  // Dependency dashboard settings\n  dashboard: {\n    enabled: true,\n    title: 'Dependency Dashboard',\n    pin: true,\n    labels: ['dependencies', 'dashboard'],\n    assignees: ['maintainer1'],\n    showOpenPRs: true,\n    showDetectedDependencies: true\n  }\n}\n\nexport default config\n```\n\n## Configuration Migration\n\nBuddy Bot can automatically migrate your existing dependency management configurations from Renovate and Dependabot, making the transition seamless.\n\n### Supported Migration Sources\n\n- **Renovate** - `renovate.json`, `.renovaterc`, package.json renovate config\n- **Dependabot** - `.github/dependabot.yml`, `.github/dependabot.yaml`\n\n### Migration Process\n\n1. **Automatic Detection** - Scans for existing configuration files\n2. **Smart Conversion** - Maps settings to Buddy Bot equivalents\n3. **Compatibility Check** - Identifies unsupported features\n4. **Migration Report** - Provides detailed conversion summary\n\n```bash\n# Migration happens automatically during setup\nbuddy-bot setup\n\n# Or use programmatically\nimport { ConfigurationMigrator } from 'buddy-bot/setup'\n\nconst migrator = new ConfigurationMigrator()\nconst tools = await migrator.detectExistingTools()\nconst result = await migrator.migrateFromRenovate('renovate.json')\n```\n\n### Migrated Settings\n\n| Renovate | Dependabot | Buddy Bot | Notes |\n|----------|------------|-----------|-------|\n| `schedule` | `schedule.interval` | Workflow presets | Mapped to Standard/High-Frequency/Minimal |\n| `packageRules` | `ignore` | Package groups \u0026 ignore lists | Preserves grouping logic |\n| `automerge` | N/A | Auto-merge settings | Includes strategy preferences |\n| `assignees`/`reviewers` | N/A | PR configuration | Maintains team assignments |\n\n## Integration Ecosystem\n\nBuddy Bot includes an extensible plugin system that enables integrations with popular collaboration and project management tools.\n\n### Built-in Integrations\n\n#### Slack Integration\n\n```bash\n# Set environment variable\nexport SLACK_WEBHOOK_URL=\"https://hooks.slack.com/services/YOUR/SLACK/WEBHOOK\"\n\n# Or create config file\necho \"https://hooks.slack.com/services/YOUR/SLACK/WEBHOOK\" \u003e .buddy/slack-webhook\n```\n\n**Features:**\n\n- Rich setup completion notifications\n- Repository and project details\n- Error notifications for setup failures\n- Configurable channel and username\n\n#### Discord Integration\n\n```bash\n# Set environment variable\nexport DISCORD_WEBHOOK_URL=\"https://discord.com/api/webhooks/YOUR/DISCORD/WEBHOOK\"\n\n# Or create config file\necho \"https://discord.com/api/webhooks/YOUR/DISCORD/WEBHOOK\" \u003e .buddy/discord-webhook\n```\n\n**Features:**\n\n- Colorful embed notifications\n- Project type and package manager details\n- Timestamp tracking\n- Setup completion confirmations\n\n#### Jira Integration\n\n```bash\n# Set environment variables\nexport JIRA_API_TOKEN=\"your-jira-api-token\"\nexport JIRA_BASE_URL=\"https://your-org.atlassian.net\"\nexport JIRA_PROJECT_KEY=\"BUDDY\"  # Optional, defaults to BUDDY\n```\n\n**Features:**\n\n- Automatic ticket creation for setup completion\n- Repository and project context\n- Configurable project keys\n- Setup tracking and documentation\n\n### Custom Plugins\n\nCreate custom integrations by defining plugins in `.buddy/plugins/`:\n\n```jsonc\n// .buddy/plugins/custom-integration.json\n{\n  \"name\": \"custom-integration\",\n  \"version\": \"1.0.0\",\n  \"enabled\": true,\n  \"triggers\": [\n    { \"event\": \"setup_complete\" },\n    { \"event\": \"validation_error\" }\n  ],\n  \"hooks\": [\n    {\n      \"name\": \"custom-notification\",\n      \"priority\": 10,\n      \"async\": true,\n      \"handler\": \"// Custom JavaScript function\"\n    }\n  ],\n  \"configuration\": {\n    \"webhook_url\": \"https://your-custom-webhook.com/notify\",\n    \"api_key\": \"your-api-key\"\n  }\n}\n```\n\n### Plugin Events\n\n| Event | Description | Context |\n|-------|-------------|---------|\n| `pre_setup` | Before setup begins | Initial configuration |\n| `post_setup` | After setup completes | Full setup context |\n| `step_complete` | After each setup step | Step-specific progress |\n| `validation_error` | When validation fails | Error details and recovery |\n| `setup_complete` | Final setup completion | Complete project context |\n\n### Programmatic Usage\n\n```typescript\nimport { Buddy, ConfigManager } from 'buddy-bot'\n\n// Load configuration\nconst config = await ConfigManager.loadConfig()\n\n// Create Buddy instance\nconst buddy = new Buddy(config)\n\n// Scan for updates\nconst scanResult = await buddy.scanForUpdates()\n\nconsole.log(`Found ${scanResult.updates.length} updates`)\n\n// Check specific packages\nconst updates = await buddy.checkPackages(['react', 'typescript'])\n\n// Create pull requests\nif (scanResult.updates.length \u003e 0) {\n  await buddy.createPullRequests(scanResult)\n}\n\n// Create or update dependency dashboard\nconst dashboardIssue = await buddy.createOrUpdateDashboard()\nconsole.log(`Dashboard updated: ${dashboardIssue.url}`)\n```\n\n## Dependency Dashboard\n\nThe dependency dashboard provides a centralized view of all your repository's dependencies and open pull requests in a single GitHub issue. Similar to Renovate's dependency dashboard, it gives you complete visibility into your dependency management.\n\n### Key Features\n\n- **📊 Single Overview**: All dependencies and PRs in one place\n- **🔄 Interactive Controls**: Force retry/rebase PRs by checking boxes\n- **📌 Pinnable Issue**: Keep dashboard at the top of your issues\n- **🏷️ Smart Categorization**: Organized by npm, GitHub Actions, and dependency files\n- **⚡ Auto-Updates**: Refreshes when dependencies change\n\n## Rebase Functionality\n\nBuddy Bot includes powerful rebase functionality that allows you to update existing pull requests with the latest dependency versions, similar to Renovate's rebase feature.\n\n### How It Works\n\nAll Buddy Bot pull requests include a rebase checkbox at the bottom:\n\n```markdown\n---\n - [ ] \u003c!-- rebase-check --\u003eIf you want to update/retry this PR, check this box\n---\n```\n\n### Using the Rebase Feature\n\n1. **Check the box**: In any Buddy Bot PR, check the rebase checkbox\n2. **Automatic detection**: The rebase workflow runs every minute to detect checked boxes\n3. **Updates applied**: The PR is automatically updated with the latest dependency versions\n4. **Checkbox unchecked**: After successful rebase, the checkbox is automatically unchecked\n\n### Rebase Command\n\nYou can also trigger rebase manually using the CLI:\n\n```bash\n# Check for PRs with rebase checkbox enabled and update them\nbuddy-bot update-check\n\n# Dry run to see what would be rebased\nbuddy-bot update-check --dry-run\n\n# With verbose output\nbuddy-bot update-check --verbose\n```\n\n### Automated Rebase Workflow\n\nBuddy Bot includes a pre-built GitHub Actions workflow (`.github/workflows/buddy-check.yml`) that:\n\n- **🕐 Runs every minute**: Automatically checks for rebase requests\n- **🔍 Scans all PRs**: Finds Buddy Bot PRs with checked rebase boxes\n- **📦 Updates dependencies**: Re-scans for latest versions and updates files\n- **📝 Updates PR content**: Refreshes PR title, body, and file changes\n- **✅ Maintains workflow files**: Updates GitHub Actions workflows (requires proper permissions)\n\n### Workflow File Permissions\n\nFor the rebase functionality to update GitHub Actions workflow files, you need proper permissions:\n\n#### Option 1: Personal Access Token (Recommended)\n\n1. Create a [Personal Access Token](https://github.com/settings/tokens) with `repo` and `workflow` scopes\n2. Add it as a repository secret named `BUDDY_BOT_TOKEN`\n3. The workflow automatically uses it when available\n\n#### Option 2: Default GitHub Token (Limited)\n\n- Uses `GITHUB_TOKEN` with limited permissions\n- Cannot update workflow files (`.github/workflows/*.yml`)\n- Still updates package.json, lock files, and dependency files\n\n### What Gets Updated During Rebase\n\n- ✅ **package.json** - npm/yarn/pnpm dependencies\n- ✅ **Lock files** - package-lock.json, yarn.lock, pnpm-lock.yaml, bun.lockb\n- ✅ **Dependency files** - deps.yaml, dependencies.yaml, pkgx.yaml\n- ✅ **Zig manifests** - build.zig.zon with URL and hash updates\n- ✅ **GitHub Actions** - workflow files (with proper permissions)\n- ✅ **PR content** - Updated title, body, and metadata\n\n### Quick Start\n\n```bash\n# Create basic dashboard\nbuddy-bot dashboard\n\n# Create dashboard with custom title\nbuddy-bot dashboard --title \"My Dependencies\"\n```\n\n### Automated Dashboard Updates\n\nBuddy Bot includes a pre-built GitHub workflow (`.github/workflows/buddy-dashboard.yml`) that automatically updates your dependency dashboard:\n\n- **📅 Scheduled**: Runs Monday, Wednesday, Friday at 9 AM UTC\n- **🖱️ Manual**: Trigger from Actions tab with custom options\n- **📌 Auto-Pin**: Keeps dashboard pinned by default\n- **🔍 Dry-Run**: Preview mode available\n\n### Example Dashboard Output\n\nThe dashboard automatically organizes your dependencies and shows:\n\n```markdown\n## Open\n\nThe following updates have all been created. To force a retry/rebase of any, click on a checkbox below.\n\n - [ ] \u003c!-- rebase-branch=buddy-bot/update-react-18 --\u003e[chore(deps): update react to v18](../pull/123) (`react`)\n - [ ] \u003c!-- rebase-branch=buddy-bot/update-types --\u003e[chore(deps): update @types/node](../pull/124) (`@types/node`)\n\n## Detected dependencies\n\n\u003cdetails\u003e\u003csummary\u003enpm\u003c/summary\u003e\n\u003cblockquote\u003e\n\n\u003cdetails\u003e\u003csummary\u003epackage.json\u003c/summary\u003e\n\n - `react ^17.0.0`\n - `typescript ^4.9.0`\n - `@types/node ^18.0.0`\n\n\u003c/details\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003egithub-actions\u003c/summary\u003e\n\u003cblockquote\u003e\n\n\u003cdetails\u003e\u003csummary\u003e.github/workflows/ci.yml\u003c/summary\u003e\n\n - `actions/checkout v3`\n - `oven-sh/setup-bun v1`\n\n\u003c/details\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n```\n\n## How It Works\n\nBuddy Bot's intelligent workflow delivers unmatched speed and accuracy:\n\n1. **⚡ Lightning-Fast Scanning**: Leverages `bun outdated` and parallel API calls for instant dependency analysis\n2. **🔍 Universal Detection**: Automatically discovers and parses all dependency files across your entire project\n3. **🧠 Smart Analysis**: Evaluates security implications, breaking changes, and compatibility before suggesting updates\n4. **🎯 Intelligent Grouping**: Automatically clusters related packages to create focused, logical pull requests\n5. **📊 Rich Context**: Fetches comprehensive metadata including adoption rates, confidence scores, and detailed changelogs\n6. **✨ Professional PRs**: Generates beautifully formatted pull requests with actionable insights and clear upgrade paths\n\n### Supported Dependency Files\n\nBuddy automatically detects and updates the following dependency file formats:\n\n#### Package Dependencies\n\n- **package.json** - Traditional npm dependencies\n- **composer.json** - PHP dependencies from Packagist\n- **composer.lock** - PHP lock file with exact versions\n- **build.zig.zon** - Zig package manager dependencies with URL and hash tracking\n- **deps.yaml** / **deps.yml** - Launchpad/pkgx dependency declarations\n- **dependencies.yaml** / **dependencies.yml** - Alternative dependency file format\n- **pkgx.yaml** / **pkgx.yml** - pkgx-specific dependency files\n- **.deps.yaml** / **.deps.yml** - Hidden dependency configuration files\n\n#### GitHub Actions\n\n- **.github/workflows/*.yml** - GitHub Actions workflow files\n- **.github/workflows/*.yaml** - Alternative YAML extension\n\nAll dependency files are parsed using the `ts-pkgx` library to ensure compatibility with the pkgx registry ecosystem while maintaining support for tools like Launchpad that reuse the same registry format. GitHub Actions are detected by parsing `uses:` statements in workflow files and checking for updates via the GitHub releases API.\n\n### Pull Request Format\n\nBuddy generates comprehensive pull requests with **separate dependency tables** for each ecosystem:\n\n#### 1. npm Dependencies\n\nFull table with confidence badges, age, adoption metrics, and weekly download statistics:\n\n```\n| Package | Change | Age | Adoption | Passing | Confidence |\n|---------|--------|-----|----------|---------|------------|\n| lodash  | ^4.17.20 → ^4.17.21 | 📅 | 📈 | ✅ | 🔒 |\n```\n\n#### 2. PHP/Composer Dependencies\n\nFocused table for PHP packages from Packagist:\n\n```\n| Package | Change | File | Status |\n|---------|--------|------|--------|\n| laravel/framework | ^10.0.0 → ^10.16.0 | composer.json | ✅ Available |\n| phpunit/phpunit | ^10.0.0 → ^10.3.0 | composer.json | ✅ Available |\n```\n\n#### 3. Zig Dependencies\n\nFocused table for Zig packages with repository links and update types:\n\n```\n| Package | Change | Type | File |\n|---------|--------|------|------|\n| httpz | 0.5.0 → 0.6.0 | 🟡 minor | build.zig.zon |\n```\n\n#### 4. Launchpad/pkgx Dependencies\n\nSimplified table focusing on package updates and file locations:\n\n```\n| Package | Change | File | Status |\n|---------|--------|------|--------|\n| bun.com | ^1.2.16 → ^1.2.19 | deps.yaml | ✅ Available |\n```\n\n#### 5. GitHub Actions\n\nWorkflow automation updates with direct links to repositories:\n\n```\n| Action | Change | File | Status |\n|--------|--------|------|--------|\n| actions/checkout | v4 → v4.2.2 | ci.yml | ✅ Available |\n| oven-sh/setup-bun | v2 → v2.0.2 | release.yml | ✅ Available |\n```\n\nEach table is followed by detailed release notes, changelogs, and package statistics tailored to the dependency type.\n\n## Update Strategies\n\n- **`all`**: Update all dependencies regardless of semver impact\n- **`major`**: Only major version updates\n- **`minor`**: Major and minor updates (no patch-only)\n- **`patch`**: All updates (major, minor, and patch)\n\n## Auto-Merge Configuration\n\nBuddy supports configurable auto-merge for pull requests to reduce manual overhead:\n\n```typescript\nconst config: BuddyBotConfig = {\n  pullRequest: {\n    autoMerge: {\n      enabled: true,\n      strategy: 'squash', // 'merge', 'squash', or 'rebase'\n      conditions: ['patch-only'] // Optional: restrict to specific update types\n    }\n  }\n}\n```\n\n### Auto-Merge Strategies\n\n- **`squash`**: Squash commits and merge _(recommended for clean history)_\n- **`merge`**: Create a merge commit _(preserves individual commits)_\n- **`rebase`**: Rebase and merge _(linear history without merge commits)_\n\n### Auto-Merge Conditions\n\n- **`patch-only`**: Only auto-merge patch version updates _(safest)_\n- **No conditions**: Auto-merge all updates _(use with caution)_\n\n### Workflow-Specific Auto-Merge\n\nEach preset configures auto-merge appropriately:\n\n- **High Frequency Updates**: Auto-merge patch updates only _(6AM, 12PM, 6PM)_, manual review for minor updates _(12AM)_\n- **Security Focused**: Auto-merge security patches every 6 hours\n- **Standard Project**: Auto-merge daily patches, manual review for weekly/monthly updates\n- **Development/Testing**: No auto-merge, dry-run by default, enhanced testing features.\n\n## Development \u0026 Testing\n\nThe **Development/Testing** preset is specifically designed for testing and development environments:\n\n### Features\n\n- **⏰ Every 5 minutes**: Automated runs for rapid testing cycles\n- **🖱️ Manual triggers**: Full control via GitHub Actions UI\n- **🔍 Dry run by default**: Safe testing without making changes\n- **📝 Verbose logging**: Detailed output for debugging\n- **📦 Package-specific testing**: Test updates for specific packages\n- **📊 Enhanced summaries**: Detailed test reports with context\n\n### Manual Trigger Options\n\nWhen running manually, you can customize:\n\n- **Update strategy**: Choose patch, minor, major, or all updates\n- **Dry run mode**: Preview changes without applying them\n- **Specific packages**: Test updates for particular packages only\n- **Verbose logging**: Control output detail level\n\n### Perfect For\n\n- 🧪 Testing new configurations\n- 🔧 Debugging dependency issues\n- 📈 Monitoring update frequency\n- 🚀 Validating workflow changes\n- 📋 Learning how Buddy Bot works\n\n## Package Grouping\n\nGroup related packages to create cleaner, more focused pull requests:\n\n```typescript\n{\n  groups: [\n    {\n      name: 'React Ecosystem',\n      patterns: ['react*', '@types/react*'],\n      strategy: 'minor'\n    },\n    {\n      name: 'Development Tools',\n      patterns: ['eslint*', 'prettier*', '@typescript-eslint/*'],\n      strategy: 'patch'\n    }\n  ]\n}\n```\n\n## Example Output\n\nWhen Buddy finds updates, it creates PRs like:\n\n```\nchore(deps): update all non-major dependencies\n\nThis PR contains the following updates:\n\n| Package | Change | Age | Adoption | Passing | Confidence |\n|---|---|---|---|---|---|\n| [typescript](https://www.typescriptlang.org/) | `^5.8.2` -\u003e `^5.8.3` | [![age](https://developer.mend.io/api/mc/badges/age/npm/typescript/5.8.3?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/typescript/5.8.3?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/typescript/5.8.2/5.8.3?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/typescript/5.8.2/5.8.3?slim=true)](https://docs.renovatebot.com/merge-confidence/) |\n\n---\n\n### Release Notes\n\n\u003cdetails\u003e\n\u003csummary\u003emicrosoft/TypeScript (typescript)\u003c/summary\u003e\n\n### [`v5.8.3`](https://github.com/microsoft/TypeScript/releases/tag/v5.8.3)\n\n[Compare Source](https://github.com/microsoft/TypeScript/compare/v5.8.2...v5.8.3)\n\n##### Bug Fixes\n- Fix issue with module resolution\n- Improve error messages\n\n\u003c/details\u003e\n\n---\n\n### Configuration\n\n📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).\n\n🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.\n\n♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.\n\n🔕 **Ignore**: Close this PR and you won't be reminded about this update again.\n\n---\n\n - [ ] \u003c!-- rebase-check --\u003eIf you want to update/retry this PR, check this box\n\n---\n\nThis PR was generated by [Buddy](https://github.com/stacksjs/buddy-bot).\n```\n\n## Why Choose Buddy Bot?\n\n| Feature | Buddy Bot | Dependabot | Renovate |\n|---------|-----------|------------|----------|\n| **Performance** | ⚡ Lightning fast (Bun-native) | 🐌 | 🐌 |\n| **Package Ecosystem** | 🌟 Universal (8+ managers) | 📦 Limited scope | 📦 Limited scope |\n| **Setup Experience** | 🎯 Interactive + Zero config | ✅ Simple | ❌ Complex configuration |\n| **Docker Support** | ✅ Full Dockerfile updates | ❌ No support | ✅ Basic support |\n| **Configuration** | 🔧 TypeScript + multiple formats | 📝 YAML only | 📝 JSON/JS only |\n| **Package Grouping** | 🎨 Intelligent + flexible | 📋 Basic grouping | 🔧 Advanced but complex |\n| **Dashboard** | 📊 Rich interactive dashboard | ❌ No dashboard | 📊 Basic dashboard |\n| **Migration Tools** | 🔄 Automated import | ❌ Manual migration | ❌ Manual migration |\n| **Self-hosting** | ✅ Full control | ❌ GitHub-only | ✅ Complex setup |\n| **Plugin System** | 🔌 Extensible ecosystem | ❌ Limited | 🔌 Advanced but complex |\n\n## CI/CD Integration\n\n### GitHub Actions\n\nBuddy includes powerful GitHub Actions workflow templates for different automation strategies:\n\n```yaml\n# Basic dependency updates (generated by setup)\nname: Buddy Update\non:\n  schedule:\n    - cron: '0 */2 * * *' # Every 2 hours\n  workflow_dispatch:\n    inputs:\n      strategy:\n        description: Update strategy\n        required: false\n        default: patch\n      dry_run:\n        description: Dry run (preview only)\n        required: false\n        default: true\n        type: boolean\njobs:\n  dependency-update:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n      - uses: oven-sh/setup-bun@v2\n      - run: bun install\n      - run: bunx buddy-bot scan --strategy ${{ github.event.inputs.strategy || 'patch' }} --verbose\n        env:\n          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n      - if: ${{ github.event.inputs.dry_run != 'true' }}\n        run: bunx buddy-bot update --strategy ${{ github.event.inputs.strategy || 'patch' }} --verbose\n        env:\n          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n```\n\n**🚀 Generate Advanced Workflows:**\n\n```bash\n# Generate comprehensive GitHub Actions workflows\nbuddy generate-workflows\n\n# This creates:\n# - buddy-comprehensive.yml (multi-strategy scheduling)\n# - dependency-updates-daily.yml (patch updates)\n# - dependency-updates-weekly.yml (minor updates)\n# - dependency-updates-monthly.yml (major updates)\n# - buddy-monorepo.yml (monorepo support)\n# - buddy-docker.yml (Docker-based)\n```\n\n**🔥 Comprehensive Multi-Strategy Workflow:**\n\nThe updated workflow system automatically:\n\n- **Every 2 hours**: All configured strategies with dry-run by default\n- **Manual trigger**: Any strategy with configurable dry-run option\n- **Enhanced testing**: Comprehensive validation and summaries\n- **Failure handling**: Auto-creates GitHub issues\n- **Smart summaries**: Rich GitHub Actions summaries\n- **Flexible scheduling**: Consistent 2-hour intervals for all presets\n\n### GitHub Actions Permissions Setup\n\n⚠️ **Important**: For Buddy to create pull requests in GitHub Actions workflows, you need to enable the proper permissions:\n\n#### Repository Settings\n\n1. Go to your repository **Settings** → **Actions** → **General**\n2. Under **\"Workflow permissions\"**, select **\"Read and write permissions\"**\n3. ✅ Check **\"Allow GitHub Actions to create and approve pull requests\"**\n4. Click **\"Save\"**\n\n#### Organization Settings (if applicable)\n\nIf your repository is part of an organization, you may also need to enable organization-level permissions:\n\n1. Go to your organization **Settings** → **Actions** → **General**\n2. Configure the same permissions as above\n\n#### Quick Setup Command\n\n```bash\n# Open GitHub settings pages directly\nbuddy open-settings\n\n# Or manually visit:\n# Repository: https://github.com/YOUR_ORG/YOUR_REPO/settings/actions\n# Organization: https://github.com/organizations/YOUR_ORG/settings/actions\n```\n\n#### Troubleshooting\n\nIf you see errors like:\n\n- `GitHub Actions is not permitted to create or approve pull requests`\n- `GraphQL: GitHub Actions is not permitted to create or approve pull requests (createPullRequest)`\n\nThis indicates the permissions above need to be enabled. Both GitHub CLI and REST API methods require these permissions to create PRs from workflows.\n\nFor more details, see the [GitHub documentation on managing GitHub Actions settings](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests).\n\n## Testing\n\n```bash\nbun test\n```\n\n## Build From Source\n\n```bash\nbun run build\n```\n\n## Changelog\n\nPlease see our [releases](https://github.com/stacksjs/stacks/releases) page for more information on what has changed recently.\n\n## Contributing\n\nPlease see the [Contributing Guide](https://github.com/stacksjs/contributing) for details.\n\n## Community\n\nFor help, discussion about best practices, or any other conversation that would benefit from being searchable:\n\n[Discussions on GitHub](https://github.com/stacksjs/stacks/discussions)\n\nFor casual chit-chat with others using this package:\n\n[Join the Stacks Discord Server](https://discord.gg/stacksjs)\n\n## Postcardware\n\n“Software that is free, but hopes for a postcard.” We love receiving postcards from around the world showing where Stacks is being used! We showcase them on our website too.\n\nOur address: Stacks.js, 12665 Village Ln #2306, Playa Vista, CA 90094, United States 🌎\n\n## Sponsors\n\nWe would like to extend our thanks to the following sponsors for funding Stacks development. If you are interested in becoming a sponsor, please reach out to us.\n\n- [JetBrains](https://www.jetbrains.com/)\n- [The Solana Foundation](https://solana.com/)\n\n## Credits\n\n- [Renovatebot](https://renovatebot.com/)\n- [Dependabot](https://dependabot.com/)\n- [Chris Breuer](https://github.com/chrisbbreuer)\n- [All Contributors](../../contributors)\n\nAnd a special thanks to [Dan Scanlon](https://twitter.com/danscan) for donating the `stacks` name on npm ✨\n\n## License\n\nThe MIT License (MIT). Please see [LICENSE](LICENSE.md) for more information.\n\nMade with 💙\n\n\u003c!-- Badges --\u003e\n[npm-version-src]: https://img.shields.io/npm/v/buddy-bot?style=flat-square\n[npm-version-href]: https://npmjs.com/package/buddy-bot\n[github-actions-src]: https://img.shields.io/github/actions/workflow/status/stacksjs/buddy/ci.yml?style=flat-square\u0026branch=main\n[github-actions-href]: https://github.com/stacksjs/buddy/actions?query=workflow%3Aci\n\n\u003c!-- [codecov-src]: https://img.shields.io/codecov/c/gh/stacksjs/buddy/main?style=flat-square\n[codecov-href]: https://codecov.io/gh/stacksjs/buddy --\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstacksjs%2Fbuddy-bot","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstacksjs%2Fbuddy-bot","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstacksjs%2Fbuddy-bot/lists"}