feat: tier-gated Dependabot auto-merge pipeline + stale PR handler #186
labgadget015-dotcom with Copilot wants to merge 7 commits into
🤖 DRC Agent Analysis · Recommendation: 🔴 P0 CRITICAL
Summary: Unified Dependabot Auto-Merge Workflow (Solution 1) as recommended by REALIST, with Solution 2 OSV enrichment as future enhancement layer
Next steps:
Strategic fit: Consulting: high · Product: high · Tech debt: reduces
Analysed by GadgetLab DRC Agent (Dreamer → Realist → Critic)
🤖 DRC Agent Analysis · Recommendation: 🟠 P1 IMPORTANT
Summary: Intelligent Tier-Gate Pipeline with Claude-Assisted Risk Scoring (Dreamer ID 3, Realist recommended)
Next steps:
Strategic fit: Consulting: high · Product: high · Tech debt: reduces
Analysed by GadgetLab DRC Agent (Dreamer → Realist → Critic)
🤖 DRC Agent Analysis · Recommendation: 🟠 P1 IMPORTANT
Summary: n8n Orchestrated Dependency Review Pipeline with Claude Changelog Summarization (Dreamer ID 2)
Next steps:
Strategic fit: Consulting: high · Product: high · Tech debt: neutral
Analysed by GadgetLab DRC Agent (Dreamer → Realist → Critic)
🤖 DRC Agent Analysis · Recommendation: 🔴 P0 CRITICAL
Summary: Realist recommended Solution 1: Merge & Harden Current WIP
Next steps:
Strategic fit: Consulting: high · Product: medium · Tech debt: reduces
Analysed by GadgetLab DRC Agent (Dreamer → Realist → Critic)
📊 Code Complexity Analysis
Summary:

| File | Function | Complexity | Line |
|---|---|---|---|
| core/risk_scorer.py | score_pull_request | 35 | 141 |
| autopilot/autopilot.py | generate_summary | 24 | 195 |
| autopilot/staleness_engine.py | process_stale_prs | 16 | 281 |
| autopilot/ai_optimization/performance_monitor.py | get_benchmark_stats | 15 | 184 |
| .github/scripts/weekly_digest.py | build_blocks | 15 | 38 |
| .github/scripts/batch_scan_dependabot.py | main | 15 | 56 |
| .github/scripts/metrics_collector.py | parse_workflow_metrics | 14 | 148 |
| .github/scripts/setup_branch_protection.py | main | 14 | 240 |
| .github/scripts/self_healing_system.py | analyze_failure_patterns | 14 | 256 |
| .github/scripts/ai_code_suggestor.py | _check_import_organization | 14 | 113 |

... and 18 more
Recommendations:
- Break down large functions into smaller, focused units
- Extract complex conditional logic into separate functions
- Use early returns to reduce nesting
🔧 Low Maintainability Files
These files have low maintainability scores and may need refactoring:
| File | Score | Status |
|---|---|---|
| .github/scripts/health_dashboard_generator.py | 28.14 | 🔴 |
| .github/scripts/workflow_monitor.py | 33.73 | 🔴 |
| .github/scripts/ai_code_suggestor.py | 33.76 | 🔴 |
| .github/scripts/ai_workflow_optimizer.py | 35.51 | 🔴 |
| .github/scripts/performance_benchmark.py | 39.46 | 🔴 |
| .github/scripts/self_healing_system.py | 40.27 | 🔴 |
| .github/scripts/threshold_monitor.py | 41.13 | 🔴 |
| .github/scripts/parallel_code_analyzer_optimized.py | 41.16 | 🔴 |
| autopilot/autopilot.py | 42.45 | 🔴 |
| autopilot/ai_optimization/anomaly_detector.py | 42.56 | 🔴 |
| agents/triage_agent.py | 42.79 | 🔴 |
| .github/scripts/refactoring_assistant.py | 43.03 | 🔴 |
| autopilot/ai_optimization/intelligent_cache.py | 43.28 | 🔴 |
| autopilot/ai_optimization/commit_summarizer.py | 44.05 | 🔴 |
| .github/scripts/async_parallel_analyzer.py | 44.47 | 🔴 |
| autopilot/ai_optimization/performance_monitor.py | 44.69 | 🔴 |
| .github/scripts/badge_generator.py | 45.28 | 🔴 |
| .github/scripts/copilot_integration.py | 45.37 | 🔴 |
| .github/scripts/distributed_monitoring.py | 45.53 | 🔴 |
| .github/scripts/elite_copilot.py | 45.69 | 🔴 |
| agents/dependency_agent.py | 45.76 | 🔴 |
| .github/scripts/issue_auto_creator.py | 46.39 | 🔴 |
| .github/scripts/cost_calculator.py | 46.4 | 🔴 |
| .github/scripts/inline_pr_commenter.py | 46.63 | 🔴 |
| .github/scripts/complexity_reporter.py | 46.78 | 🔴 |
| .github/scripts/pr_triage.py | 47.13 | 🔴 |
| core/risk_scorer.py | 48.15 | 🔴 |
| autopilot/ai_optimization/nlp_relevance_filter.py | 48.43 | 🔴 |
| .github/scripts/pr_inline_commenter.py | 48.47 | 🔴 |
| autopilot/staleness_engine.py | 48.73 | 🔴 |
| .github/scripts/metrics_collector.py | 48.91 | 🔴 |
| .github/scripts/dependency_updater.py | 48.91 | 🔴 |
| autopilot/ai_optimization/ml_priority_scorer.py | 49.53 | 🔴 |
| .github/scripts/changelog_generator.py | 49.75 | 🔴 |
| .github/scripts/parallel_code_analyzer.py | 49.96 | 🔴 |
| autopilot/ai_optimization/api_optimizer.py | 50.46 | 🟡 |
| agents/security_scan_agent.py | 51.04 | 🟡 |
| .github/scripts/workflow_optimizer.py | 51.67 | 🟡 |
| .github/scripts/cot_selector.py | 51.73 | 🟡 |
| .github/scripts/release_manager.py | 51.92 | 🟡 |
| .github/scripts/llm_router.py | 52.35 | 🟡 |
| .github/scripts/auto_pr.py | 52.72 | 🟡 |
| .github/scripts/notification_manager.py | 53.58 | 🟡 |
| .github/scripts/prometheus_exporter.py | 54.96 | 🟡 |
| .github/scripts/weekly_digest.py | 55.02 | 🟡 |
| core/audit_logger.py | 55.6 | 🟡 |
| .github/scripts/gather_context.py | 56.0 | 🟡 |
| core/llm_provider.py | 56.32 | 🟡 |
| .github/scripts/streaming_results.py | 56.64 | 🟡 |
| .github/scripts/setup_branch_protection.py | 57.0 | 🟡 |
| .github/scripts/batch_scan_dependabot.py | 57.23 | 🟡 |
| .github/scripts/optimized_github_client.py | 58.27 | 🟡 |
| agents/orchestrator_agent.py | 59.02 | 🟡 |
| agents/code_review_agent.py | 60.45 | 🟡 |
| core/github_client.py | 61.96 | 🟡 |
| core/message_queue.py | 63.22 | 🟡 |
| core/agent_config.py | 63.86 | 🟡 |
| core/idempotency.py | 64.45 | 🟡 |
Maintainability Index Guide:
- 🟢 85-100: Excellent maintainability
- 🟡 65-84: Good maintainability
- 🟠 50-64: Moderate maintainability (consider refactoring)
- 🔴 0-49: Poor maintainability (needs refactoring)
🔴 Risk Assessment: HIGH (6.5/10)
Analysed 6 files, 893+ / 0− lines. Security-sensitive paths detected. Test coverage unchanged or improved.
🔍 Pre-commit Checks
🔧 Pre-commit issues were automatically fixed and committed. Please pull the latest changes before pushing again: `git pull origin copilot/bump-pip-group-dependencies`
Pre-commit hooks help maintain code quality and consistency.
🤖 Elite AI Copilot Analysis
Elite AI Copilot Analysis Report · Generated: 2026-07-04 06:59:28
🎯 Health Score: 100.0/100
🚀 Top Recommendations
📊 Detailed Insights
- Code Quality Baseline Established
- Security Scan Initiated
- Repository Structure Analyzed
- Performance Baseline Captured
- Documentation Structure Good
Powered by Elite AI Copilot v1.0
Code Quality Analysis ❌ FAILED · Duration: 0.01s
Tool Results
{
"timestamp": "2026-07-04 06:59:34",
"elapsed_seconds": 0.01,
"summary": {
"total_issues": 10,
"critical": 0,
"high": 0,
"medium": 0,
"low": 0
},
"tools": {
"pylint": {
"status": "failed",
"output": "",
"errors": "Pylint error: [Errno 2] No such file or directory: 'pylint'"
},
"flake8": {
"status": "failed",
"output": "",
"errors": "Flake8 error: [Errno 2] No such file or directory: 'flake8'"
},
"bandit": {
"status": "failed",
"output": "",
"errors": "Bandit error: [Errno 2] No such file or directory: 'bandit'"
},
"radon_cc": {
"status": "failed",
"output": "",
"errors": "Radon error: [Errno 2] No such file or directory: 'radon'"
},
"radon_mi": {
"status": "failed",
"output": "",
"errors": "Radon MI error: [Errno 2] No such file or directory: 'radon'"
}
},
"passed": false
}
🔒 Security Scan Results
🛡️ Bandit Security Scan
📦 Dependency Vulnerabilities
Vulnerable Dependencies:
Security scans run automatically on every PR. View detailed reports in the Actions tab.
🤖 DRC Agent Analysis · Recommendation: 🟠 P1 IMPORTANT
Summary: Claude-Powered Changelog Summarizer + Review Drafter (Dreamer ID 2, Realist recommended_solution 2)
Next steps:
Strategic fit: Consulting: high · Product: high · Tech debt: neutral
Analysed by GadgetLab DRC Agent (Dreamer → Realist → Critic)
Pull request overview
Implements automation to reduce Dependabot PR backlog by tier-classifying dependency updates for auto-merge vs. human review, and adds a scheduled stale PR cleanup workflow.
Changes:
- Add a `pull_request_target` Dependabot auto-merge workflow with tier classification, auto-merge for Tier 1, and labeling/commenting for Tier 2.
- Add Python scripts + exception list to classify Dependabot PRs and batch-scan open Dependabot PRs.
- Add unit tests for the tier classifier and a scheduled stale PR handler workflow.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| tests/unit/test_tier_classifier.py | Adds unit tests for tier classification logic. |
| .github/workflows/stale-pr-handler.yml | Adds daily stale PR warning/closure automation. |
| .github/workflows/dependabot-automerge.yml | Adds tier-gated Dependabot auto-merge + review routing workflow. |
| .github/scripts/tier_classifier.py | Implements tier classification + blocklist matching and outputs for workflows. |
| .github/scripts/batch_scan_dependabot.py | Implements workflow-dispatch batch scan summary for open Dependabot PRs. |
| .github/dependabot-exceptions.yml | Adds per-ecosystem exception list for packages that always require human review. |
| return { | ||
| k: [str(v).lower() for v in vs] | ||
| for k, vs in data.items() | ||
| if isinstance(vs, list) | ||
| } |
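Review bot: the `if isinstance(vs, list)` filter in this comprehension silently drops any ecosystem whose value is not a list, so a mis-indented or scalar entry in `dependabot-exceptions.yml` turns into an empty blocklist for that ecosystem and its packages become eligible for auto-merge. A malformed exception file should fail closed: raise on a non-list value (or return a value the caller maps to needs-review) instead of discarding the entry.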
| update_type = os.environ.get("UPDATE_TYPE", "") | ||
| dependency_names_raw = os.environ.get("DEPENDENCY_NAMES", "") | ||
| ecosystem = os.environ.get("PACKAGE_ECOSYSTEM", "pip") | ||
| exceptions_file = os.environ.get( | ||
| "EXCEPTIONS_FILE", ".github/dependabot-exceptions.yml" | ||
| ) | ||
| dry_run = os.environ.get("DRY_RUN", "true").lower() == "true" |
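Review bot: `PACKAGE_ECOSYSTEM` falls back to `"pip"`, so a PR whose ecosystem the caller did not pass, or passed with an unrecognised name, is checked against the pip blocklist instead of its own; a missing or unknown ecosystem should route to needs-review rather than borrow another list. In the same block, `DRY_RUN` is only recognised as the literal `"true"`, so `DRY_RUN=1` or `DRY_RUN=yes` silently runs a live merge; either accept the usual truthy spellings or reject anything other than `true`/`false` up front.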
| import os | ||
| import sys | ||
| from pathlib import Path | ||
|
|
||
| import pytest | ||
|
|
||
| # Add scripts directory to path | ||
| _scripts_path = str(Path(__file__).parent.parent.parent / ".github" / "scripts") | ||
| if _scripts_path not in sys.path: | ||
| sys.path.insert(0, _scripts_path) | ||
|
|
||
| import importlib | ||
| import types |
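Review bot: the imports in this test module are split into three groups with the `sys.path` mutation between them, and `importlib` and `types` arrive at the end. Move the scripts-directory setup into a `conftest.py` (or the `pythonpath` setting in the pytest configuration) so the test can import `tier_classifier` with a single top-of-file import block, and check whether `os` and `pytest` are actually used in this file.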
| workflow_dispatch: | ||
| inputs: | ||
| pr_number: | ||
| description: "PR number to evaluate (leave blank to scan all open Dependabot PRs)" | ||
| required: false | ||
| type: string |
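Review bot: `pr_number` is declared as a free-form `string` with no validation, and it is a manually supplied input to a workflow that must hold write permissions to approve and merge. Validate it as digits-only in the first step that consumes it, and pass it to `run:` scripts through `env:` rather than by expression interpolation, so an unexpected value cannot be spliced into the `gh` commands.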
| def _load_blocklist_pip(exceptions_file: str) -> list[str]: | ||
| p = Path(exceptions_file) | ||
| if not p.exists(): | ||
| return [] | ||
| with open(p, encoding="utf-8") as f: | ||
| data = yaml.safe_load(f) or {} | ||
| return [str(v).lower() for v in data.get("pip", [])] | ||
|
|
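Review bot: `_load_blocklist_pip` hard-codes the `pip` key and returns `[]` when the exceptions file does not exist, so a wrong `EXCEPTIONS_FILE` path silently disables the blocklist instead of surfacing an error, and the helper duplicates the per-ecosystem loader reviewed above. Drop it in favour of that loader, and treat a missing file as an error (or a forced needs-review) rather than an empty list.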
| old_major = re.match(r"(\d+)", m.group(1)) | ||
| new_major = re.match(r"(\d+)", m.group(2)) | ||
| if old_major and new_major and old_major.group(1) != new_major.group(1): | ||
| return "major" | ||
| old_minor = re.match(r"\d+\.(\d+)", m.group(1)) | ||
| new_minor = re.match(r"\d+\.(\d+)", m.group(2)) | ||
| if old_minor and new_minor and old_minor.group(1) != new_minor.group(1): | ||
| return "minor" |
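Review bot: when either `re.match(r"(\d+)", ...)` returns `None` (a version such as `latest`, a commit SHA, or a `v`-prefixed tag, since `re.match` anchors at position 0), the `major` and `minor` checks are both skipped and control falls through to whatever the function returns next, so an unparseable bump ends up classified as the least severe type rather than as unknown. Return an explicit `"unknown"` when either side fails to parse so the caller routes it to needs-review, and consider allowing an optional leading `v` in the pattern.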
🤖 DRC Agent Analysis · Recommendation: 🔴 P0 CRITICAL
Summary: Baseline Static Tier Gate (Ship It Now) - Dreamer ID 1, as recommended by REALIST
Next steps:
Strategic fit: Consulting: high · Product: high · Tech debt: reduces
Analysed by GadgetLab DRC Agent (Dreamer → Realist → Critic)
🤖 DRC Agent Analysis · Recommendation: 🔴 P0 CRITICAL
Summary: Hardened Static Tier Classifier (Minimal Viable Pipeline) - Solution 1 as recommended by REALIST
Next steps:
Strategic fit: Consulting: high · Product: high · Tech debt: reduces
Analysed by GadgetLab DRC Agent (Dreamer → Realist → Critic)
📊 Code Complexity Analysis
Summary:

| File | Function | Complexity | Line |
|---|---|---|---|
| core/risk_scorer.py | score_pull_request | 35 | 141 |
| autopilot/autopilot.py | generate_summary | 24 | 195 |
| autopilot/staleness_engine.py | process_stale_prs | 16 | 281 |
| autopilot/ai_optimization/performance_monitor.py | get_benchmark_stats | 15 | 184 |
| .github/scripts/weekly_digest.py | build_blocks | 15 | 38 |
| .github/scripts/batch_scan_dependabot.py | main | 15 | 64 |
| .github/scripts/metrics_collector.py | parse_workflow_metrics | 14 | 148 |
| .github/scripts/setup_branch_protection.py | main | 14 | 240 |
| .github/scripts/self_healing_system.py | analyze_failure_patterns | 14 | 256 |
| .github/scripts/ai_code_suggestor.py | _check_import_organization | 14 | 113 |

... and 18 more
Recommendations:
- Break down large functions into smaller, focused units
- Extract complex conditional logic into separate functions
- Use early returns to reduce nesting
🔧 Low Maintainability Files
These files have low maintainability scores and may need refactoring:
| File | Score | Status |
|---|---|---|
| .github/scripts/health_dashboard_generator.py | 28.14 | 🔴 |
| .github/scripts/workflow_monitor.py | 33.73 | 🔴 |
| .github/scripts/ai_code_suggestor.py | 33.76 | 🔴 |
| .github/scripts/ai_workflow_optimizer.py | 35.51 | 🔴 |
| .github/scripts/performance_benchmark.py | 39.46 | 🔴 |
| .github/scripts/self_healing_system.py | 40.27 | 🔴 |
| .github/scripts/threshold_monitor.py | 41.13 | 🔴 |
| .github/scripts/parallel_code_analyzer_optimized.py | 41.16 | 🔴 |
| autopilot/autopilot.py | 42.45 | 🔴 |
| autopilot/ai_optimization/anomaly_detector.py | 42.56 | 🔴 |
| agents/triage_agent.py | 42.79 | 🔴 |
| .github/scripts/refactoring_assistant.py | 43.03 | 🔴 |
| autopilot/ai_optimization/intelligent_cache.py | 43.28 | 🔴 |
| autopilot/ai_optimization/commit_summarizer.py | 44.05 | 🔴 |
| .github/scripts/async_parallel_analyzer.py | 44.47 | 🔴 |
| autopilot/ai_optimization/performance_monitor.py | 44.69 | 🔴 |
| .github/scripts/badge_generator.py | 45.28 | 🔴 |
| .github/scripts/copilot_integration.py | 45.37 | 🔴 |
| .github/scripts/distributed_monitoring.py | 45.53 | 🔴 |
| .github/scripts/elite_copilot.py | 45.69 | 🔴 |
| agents/dependency_agent.py | 45.76 | 🔴 |
| .github/scripts/issue_auto_creator.py | 46.39 | 🔴 |
| .github/scripts/cost_calculator.py | 46.4 | 🔴 |
| .github/scripts/inline_pr_commenter.py | 46.63 | 🔴 |
| .github/scripts/complexity_reporter.py | 46.78 | 🔴 |
| .github/scripts/pr_triage.py | 47.13 | 🔴 |
| core/risk_scorer.py | 48.15 | 🔴 |
| autopilot/ai_optimization/nlp_relevance_filter.py | 48.43 | 🔴 |
| .github/scripts/pr_inline_commenter.py | 48.47 | 🔴 |
| autopilot/staleness_engine.py | 48.73 | 🔴 |
| .github/scripts/metrics_collector.py | 48.91 | 🔴 |
| .github/scripts/dependency_updater.py | 48.91 | 🔴 |
| autopilot/ai_optimization/ml_priority_scorer.py | 49.53 | 🔴 |
| .github/scripts/changelog_generator.py | 49.75 | 🔴 |
| .github/scripts/parallel_code_analyzer.py | 49.96 | 🔴 |
| autopilot/ai_optimization/api_optimizer.py | 50.46 | 🟡 |
| agents/security_scan_agent.py | 51.04 | 🟡 |
| .github/scripts/workflow_optimizer.py | 51.67 | 🟡 |
| .github/scripts/cot_selector.py | 51.73 | 🟡 |
| .github/scripts/release_manager.py | 51.92 | 🟡 |
| .github/scripts/llm_router.py | 52.35 | 🟡 |
| .github/scripts/auto_pr.py | 52.72 | 🟡 |
| .github/scripts/notification_manager.py | 53.58 | 🟡 |
| .github/scripts/prometheus_exporter.py | 54.96 | 🟡 |
| .github/scripts/weekly_digest.py | 55.02 | 🟡 |
| core/audit_logger.py | 55.6 | 🟡 |
| .github/scripts/gather_context.py | 56.0 | 🟡 |
| .github/scripts/batch_scan_dependabot.py | 56.3 | 🟡 |
| core/llm_provider.py | 56.32 | 🟡 |
| .github/scripts/streaming_results.py | 56.64 | 🟡 |
| .github/scripts/setup_branch_protection.py | 57.0 | 🟡 |
| .github/scripts/optimized_github_client.py | 58.27 | 🟡 |
| agents/orchestrator_agent.py | 59.02 | 🟡 |
| agents/code_review_agent.py | 60.45 | 🟡 |
| core/github_client.py | 61.96 | 🟡 |
| core/message_queue.py | 63.22 | 🟡 |
| core/agent_config.py | 63.86 | 🟡 |
| core/idempotency.py | 64.45 | 🟡 |
Maintainability Index Guide:
- 🟢 85-100: Excellent maintainability
- 🟡 65-84: Good maintainability
- 🟠 50-64: Moderate maintainability (consider refactoring)
- 🔴 0-49: Poor maintainability (needs refactoring)
🔴 Risk Assessment: HIGH (6.5/10)
Analysed 6 files, 930+ / 0− lines. Security-sensitive paths detected. Test coverage unchanged or improved.
🔍 Pre-commit Checks
🔧 Pre-commit issues were automatically fixed and committed. Please pull the latest changes before pushing again: `git pull origin copilot/bump-pip-group-dependencies`
Pre-commit hooks help maintain code quality and consistency.
🤖 Elite AI Copilot Analysis
Elite AI Copilot Analysis Report · Generated: 2026-07-04 10:07:39
🎯 Health Score: 100.0/100
🚀 Top Recommendations
📊 Detailed Insights
- Code Quality Baseline Established
- Security Scan Initiated
- Repository Structure Analyzed
- Performance Baseline Captured
- Documentation Structure Good
Powered by Elite AI Copilot v1.0
Code Quality Analysis ❌ FAILED · Duration: 0.02s
Tool Results
{
"timestamp": "2026-07-04 10:07:49",
"elapsed_seconds": 0.02,
"summary": {
"total_issues": 10,
"critical": 0,
"high": 0,
"medium": 0,
"low": 0
},
"tools": {
"pylint": {
"status": "failed",
"output": "",
"errors": "Pylint error: [Errno 2] No such file or directory: 'pylint'"
},
"flake8": {
"status": "failed",
"output": "",
"errors": "Flake8 error: [Errno 2] No such file or directory: 'flake8'"
},
"bandit": {
"status": "failed",
"output": "",
"errors": "Bandit error: [Errno 2] No such file or directory: 'bandit'"
},
"radon_cc": {
"status": "failed",
"output": "",
"errors": "Radon error: [Errno 2] No such file or directory: 'radon'"
},
"radon_mi": {
"status": "failed",
"output": "",
"errors": "Radon MI error: [Errno 2] No such file or directory: 'radon'"
}
},
"passed": false
}
17 open Dependabot PRs across the org were accumulating with no automated path to merge. Implements a tier-classified auto-merge pipeline that squash-merges safe patch/minor bumps and routes major bumps and high-risk packages to human review.

New files

- `.github/dependabot-exceptions.yml` — YAML blocklist for packages that always require human review regardless of semver bump size: `stripe`, `cryptography`, `scipy`, `asyncpg`, `boto3`, SQLAlchemy, Django, Flask, etc. Easy to extend without touching workflow code.
- `.github/scripts/tier_classifier.py` — consumes `dependabot/fetch-metadata` outputs via env vars; emits `tier`, `merge_decision`, `reason`, `blocklisted_names` to `GITHUB_OUTPUT`.
- `.github/scripts/batch_scan_dependabot.py` — standalone script for `workflow_dispatch` batch mode; prints a Markdown tier-classification table of all open Dependabot PRs.
- `.github/workflows/dependabot-automerge.yml` — `pull_request_target` workflow with 5 jobs:
  - `guard`: `dependabot[bot]`
  - `classify`: `fetch-metadata` + `tier_classifier.py`
  - `auto-merge`: `gh pr review --approve` + `gh pr merge --auto --squash --delete-branch`
  - `needs-review`: `needs-human-review` label + structured review checklist comment
  - `batch-scan`: `workflow_dispatch` without PR number: runs `batch_scan_dependabot.py`

  Concurrency group on PR number prevents race conditions. `dry_run=true` default on `workflow_dispatch`; live merge is the default for `pull_request_target`.
- `.github/workflows/stale-pr-handler.yml` — daily `actions/stale` run: warns at 30 days inactivity, closes at 37 days. Exempts `blocked`, `pinned`, `work-in-progress` labels and draft PRs.

Tests

15 unit tests in `tests/unit/test_tier_classifier.py` cover patch/minor/major classification, blocklist matching, multi-package PRs, and unknown update types.
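The classifier the description outlines, written here as an added example and not the PR's own `tier_classifier.py`: it reads the env vars named above (`UPDATE_TYPE`, `DEPENDENCY_NAMES`, `PACKAGE_ECOSYSTEM`, `EXCEPTIONS_FILE`), matches the dependency names against the per-ecosystem blocklist, and renders the four `GITHUB_OUTPUT` keys. It goes beyond the description in two labelled places: an assumed fallback that derives the bump type from `PREVIOUS_VERSION` / `NEW_VERSION` (the `previous-version` / `new-version` outputs of `fetch-metadata`) when `UPDATE_TYPE` is empty, and fail-closed handling that sends every ambiguous case (unparseable version, missing or malformed exceptions file, ecosystem with no exception list) to needs-review instead of auto-merge. The exceptions text is a constructed sample, and the minimal parser accepts only the flat ecosystem → list shape so the block runs without PyYAML; the real script uses `yaml.safe_load`.

```python
"""Tier-gated Dependabot classifier (added example; not the PR's tier_classifier.py)."""
import os
import re
from dataclasses import dataclass

EXCEPTIONS_YAML = """\
# constructed sample: packages that always need a human regardless of bump size
pip:
  - stripe
  - cryptography
  - SQLAlchemy
npm:
  - lodash
"""
AUTO_MERGE_TYPES = {"version-update:semver-patch", "version-update:semver-minor"}  # fetch-metadata update-type values
_VERSION = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_exceptions(text: str) -> dict[str, list[str]]:
    """Parse only the flat 'ecosystem:' / '  - package' shape (stand-in for yaml.safe_load);
    names are lower-cased and any other line raises, so a malformed file cannot become an empty blocklist."""
    result: dict[str, list[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if line[0] not in " \t-" and line.endswith(":"):
            current = line[:-1].strip().lower()
            result[current] = []
        elif line.lstrip().startswith("- ") and current is not None:
            result[current].append(line.lstrip()[2:].strip().strip("'\"").lower())
        else:
            raise ValueError(f"unsupported line in exceptions file: {raw!r}")
    return result


def bump_type(old: str, new: str) -> str:
    """Semver bump between two version strings: major | minor | patch | unknown (fails closed)."""
    mo, mn = _VERSION.match(old.strip()), _VERSION.match(new.strip())
    if not mo or not mn:
        return "unknown"
    for label, a, b in zip(("major", "minor", "patch"), mo.groups(), mn.groups()):
        if int(a or 0) != int(b or 0):
            return label
    return "unknown"  # identical numeric parts: only a pre-release/build tag changed


@dataclass
class Decision:
    tier: int
    merge_decision: str  # "auto-merge" or "needs-review"
    reason: str
    blocklisted_names: list[str]


def classify(update_type: str, names: list[str], ecosystem: str,
             exceptions: dict[str, list[str]]) -> Decision:
    """Tier 1 auto-merges; Tier 2 goes to humans. Every ambiguous input lands in Tier 2."""
    eco = ecosystem.strip().lower()
    if eco not in exceptions:  # never auto-merge against an absent blocklist
        return Decision(2, "needs-review", f"no exception list for ecosystem {ecosystem!r}", [])
    blocked = sorted({n.strip().lower() for n in names if n.strip()} & set(exceptions[eco]))
    if blocked:
        return Decision(2, "needs-review", "blocklisted: " + ", ".join(blocked), blocked)
    if update_type in AUTO_MERGE_TYPES:
        return Decision(1, "auto-merge", f"{update_type} with no blocklisted packages", [])
    if update_type == "version-update:semver-major":
        return Decision(2, "needs-review", "major version bump", [])
    return Decision(2, "needs-review", f"unknown update type {update_type!r}", [])


def render_outputs(d: Decision) -> str:
    """GITHUB_OUTPUT format: one key=value per line; the step appends this to $GITHUB_OUTPUT."""
    return (f"tier={d.tier}\nmerge_decision={d.merge_decision}\n"
            f"reason={d.reason}\nblocklisted_names={','.join(d.blocklisted_names)}\n")


def main() -> Decision:
    # Env var names follow the PR description; PREVIOUS_VERSION / NEW_VERSION are an assumed fallback.
    update_type = os.environ.get("UPDATE_TYPE", "")
    if not update_type:
        kind = bump_type(os.environ.get("PREVIOUS_VERSION", ""), os.environ.get("NEW_VERSION", ""))
        update_type = f"version-update:semver-{kind}" if kind != "unknown" else ""
    names = os.environ.get("DEPENDENCY_NAMES", "").split(",")
    path = os.environ.get("EXCEPTIONS_FILE")
    try:
        if path:
            with open(path, encoding="utf-8") as fh:
                text = fh.read()
        else:
            text = EXCEPTIONS_YAML  # constructed sample when no file is configured
        return classify(update_type, names, os.environ.get("PACKAGE_ECOSYSTEM", ""), parse_exceptions(text))
    except (OSError, ValueError) as exc:  # unreadable or malformed list: fail closed
        return Decision(2, "needs-review", f"exceptions file unusable: {exc}", [])


if __name__ == "__main__":
    print(render_outputs(main()), end="")
```

In the classify job this runs as `python tier_classifier.py >> "$GITHUB_OUTPUT"` with the env vars set from the `fetch-metadata` step, and the `auto-merge` and `needs-review` jobs key off `merge_decision`. The design choice worth noting is that nothing here has a permissive default: an ecosystem without its own exception list, an unparseable version, and an unreadable blocklist all produce Tier 2, so a configuration mistake costs a human review rather than an unreviewed merge.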