---
name: 'Dependabot PR Bundler'
description: 'Groups open Dependabot PRs into logical bundles with merge strategy recommendations'
on:
  schedule:
    - cron: '0 10 22 * *' # Monthly on 22nd
  workflow_dispatch:
permissions:
  issues: read
  pull-requests: read
safe-outputs:
  create-issue:
    title-prefix: '[dependabot-bundle]'
    max: 4
    expires: '7d'
    close-older-issues: true
tools:
  github:
    toolsets: [pull_requests, issues]
---
# Dependabot PR Bundler
You analyze open Dependabot PRs and group them into logical bundles with merge strategy recommendations.
## Context
This is the **mcp-adr-analysis-server** — a Model Context Protocol server with these critical dependencies:
- **@modelcontextprotocol/sdk** — The core MCP protocol SDK. Updates to this are **critical** and require manual review with Node 20/22 matrix testing.
- **openai** — Used for OpenRouter.ai integration (AI executor)
- **tree-sitter** and language grammars — Native bindings, updates can break builds
- **zod** — Schema validation for all tool inputs
- **vitest** / **@vitest/coverage-v8** — Test framework
- **typescript** — Compiler, updates can introduce new strict errors
## Process
### Step 1: Gather open Dependabot PRs
Use the GitHub tool to list all open PRs from the `dependabot[bot]` author. For each PR, collect:
- PR number, title, and branch name
- The dependency being updated and the version change (from → to)
- Whether it's a major, minor, or patch update
- Any failing CI checks
- Labels already applied
### Step 2: Categorize into bundles
Group the PRs into these bundles:
#### Bundle 1: MCP SDK Updates (Manual Review Required)
- Any PR updating `@modelcontextprotocol/sdk`
- Flag as requiring enhanced testing: Node 20 AND Node 22 matrix
- Note any breaking changes in the SDK changelog
#### Bundle 2: Production Dependencies
- Updates to packages listed in `dependencies` (not `devDependencies`)
- Sub-group by risk level:
  - **High risk**: Major version bumps, native modules (tree-sitter)
  - **Medium risk**: Minor version bumps of core deps (openai, zod)
  - **Low risk**: Patch version bumps
#### Bundle 3: Dev Dependencies
- Updates to packages listed in `devDependencies`
- Sub-group:
  - **Test framework**: vitest, @vitest/\*, jest-related
  - **TypeScript tooling**: typescript, @types/\*
  - **Linting/formatting**: eslint, prettier, related plugins
  - **Build tools**: tsx, other build deps
#### Bundle 4: GitHub Actions Updates
- Updates to GitHub Actions versions (actions/checkout, actions/setup-node, etc.)
- These are typically safe to batch-merge
### Step 3: Determine merge strategy
For each bundle, recommend a merge strategy:
| Bundle | Strategy | Rationale |
| ------------------ | ----------------------- | --------------------------------------------------- |
| MCP SDK | Individual review | Core protocol dependency, breaking changes possible |
| Prod (high risk) | Individual review | Could break runtime behavior |
| Prod (medium risk) | Batch with testing | Run full test suite after batch merge |
| Prod (low risk) | Auto-merge if CI passes | Patch updates, low risk |
| Dev deps (test) | Batch merge | Test framework updates, verify tests pass |
| Dev deps (types) | Auto-merge if CI passes | Type definitions only |
| Dev deps (other) | Batch merge | Low risk dev tooling |
| GitHub Actions | Batch merge | Infrastructure only |
### Step 4: Create bundle issues
For each non-empty bundle, create an issue:
**Title**: `[dependabot-bundle] {Bundle Name} — {count} updates ({date})`
**Body**:
```markdown
## Dependabot Bundle: {Bundle Name}
**PRs in bundle**: {count}
**Risk level**: {High/Medium/Low}
**Recommended strategy**: {strategy}
### Updates
| PR | Dependency | From | To | Type | CI Status |
| --------- | ---------- | ------ | ---- | ------------------- | ------------------- |
| #{number} | {dep} | {from} | {to} | {major/minor/patch} | {pass/fail/pending} |
### Merge Order
{If order matters, list the recommended merge sequence. Otherwise, note they can be merged in any order.}
### Testing Notes
{Specific testing recommendations for this bundle}
### Action Items
- [ ] Review changes in each PR
- [ ] Merge in recommended order
- [ ] Verify CI passes after each merge (or after batch)
- [ ] Close this issue when all PRs are merged
---
_Generated by Dependabot PR Bundler agentic workflow_
```
### Step 5: Handle empty state
If there are no open Dependabot PRs, output `noop` — do not create an issue.
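
The grouping rules in Step 2 and the strategy table in Step 3 can also be expressed as a deterministic classifier, which is useful for checking the agent's output. This is an added example, not part of the workflow file or the project's code; it assumes Dependabot's default `Bump <dep> from <old> to <new>` title and `dependabot/github_actions/` branch prefix, and all function names, the `Unclassified` fallback, and the sample data are constructed for illustration.

```javascript
// Added example; all names here are hypothetical, not the project's code.
const STRATEGY = {
  'MCP SDK': 'Individual review', 'Prod (high risk)': 'Individual review',
  'Prod (medium risk)': 'Batch with testing', 'Prod (low risk)': 'Auto-merge if CI passes',
  'Dev deps (test)': 'Batch merge', 'Dev deps (types)': 'Auto-merge if CI passes',
  'Dev deps (other)': 'Batch merge', 'GitHub Actions': 'Batch merge',
  Unclassified: 'Individual review', // assumption: anything unparsed fails closed
};
// Own keys only, so a dependency named "constructor" cannot match via the prototype.
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj || {}, key);
// "1.2.3", "v4" or "4.1" -> [major, minor, patch]; null when there is no leading number.
function parseVersion(v) {
  const m = /^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?/.exec(v);
  return m ? [m[1], m[2] || 0, m[3] || 0].map(Number) : null;
}
function bumpType(from, to) {
  const a = parseVersion(from), b = parseVersion(to);
  if (!a || !b) return 'unknown';
  if (a[0] !== b[0]) return 'major';
  return a[1] !== b[1] ? 'minor' : 'patch';
}
// pr: { title, branch }; pkg: parsed package.json.
function classifyPr(pr, pkg) {
  // Assumes Dependabot's default title shape "Bump <dep> from <old> to <new>".
  const m = /bump (\S+) from (\S+) to (\S+)/i.exec(pr.title);
  if (!m) return { bundle: 'Unclassified', strategy: STRATEGY.Unclassified };
  const [, dep, from, to] = m;
  const type = bumpType(from, to);
  let bundle = 'Unclassified';
  if (dep === '@modelcontextprotocol/sdk') bundle = 'MCP SDK';
  else if (pr.branch.startsWith('dependabot/github_actions/')) bundle = 'GitHub Actions';
  else if (has(pkg.dependencies, dep)) {
    // tree-sitter is high risk at any bump size; any minor bump is medium (assumption).
    if (type === 'major' || type === 'unknown' || dep.startsWith('tree-sitter')) bundle = 'Prod (high risk)';
    else bundle = type === 'minor' ? 'Prod (medium risk)' : 'Prod (low risk)';
  } else if (has(pkg.devDependencies, dep)) {
    if (/^(vitest|@vitest\/|jest|@jest\/)/.test(dep)) bundle = 'Dev deps (test)';
    else if (dep === 'typescript' || dep.startsWith('@types/')) bundle = 'Dev deps (types)';
    else bundle = 'Dev deps (other)';
  }
  return { dep, from, to, type, bundle, strategy: STRATEGY[bundle] };
}
// Constructed sample input (not real PRs or the project's real package.json).
const PKG = { dependencies: { zod: '^3.22.0', 'tree-sitter': '^0.21.0' }, devDependencies: { vitest: '^1.0.0' } };
const PRS = [
  { title: 'Bump zod from 3.22.4 to 3.23.8', branch: 'dependabot/npm_and_yarn/zod-3.23.8' },
  { title: 'Bump tree-sitter from 0.21.0 to 0.21.1', branch: 'dependabot/npm_and_yarn/tree-sitter-0.21.1' },
  { title: 'Bump actions/checkout from 3 to 4', branch: 'dependabot/github_actions/actions/checkout-4' },
];
const RESULTS = PRS.map((pr) => classifyPr(pr, PKG));
console.log(RESULTS.map((r) => `${r.dep}: ${r.bundle} -> ${r.strategy}`).join('\n'));
```

Grouped-update titles such as "Bump the dev group with 3 updates" do not match the title pattern and fall through to `Unclassified`, which maps to individual review.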