From bbdf8a8f39485187176c075b8a8b3ae279ae65ef Mon Sep 17 00:00:00 2001
From: Maribeth Bottorff
Date: Thu, 13 Jul 2023 16:45:31 -0700
Subject: [PATCH 1/2] feat: add a workflow that cleans up after dependabot
---
.github/workflows/dependabot_update.yml | 58 +++++++++++++++++++++++++
1 file changed, 58 insertions(+)
create mode 100644 .github/workflows/dependabot_update.yml
diff --git a/.github/workflows/dependabot_update.yml b/.github/workflows/dependabot_update.yml
new file mode 100644
index 0000000000..ff18021d13
--- /dev/null
+++ b/.github/workflows/dependabot_update.yml
@@ -0,0 +1,58 @@
+# This workflow runs `lerna bootstrap` after dependabot updates a package-lock file.
+# Without it, package-locks become cluttered with incorrect dependencies that
+# normally would be removed by lerna. It wouldn't be necessary if we weren't using
+# lerna bootstrap.
+
+name: Clean up after dependabot
+
+# Triggered when a PR is (re)opened or synchronized
+on: pull_request
+
+permissions:
+ pull-requests: write # This action adds commits to PRs
+
+jobs:
+ update:
+ runs-on: ubuntu-latest
+ # Only run on dependabot PRs
+ if: ${{ github.actor == 'dependabot[bot]' }}
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ # Check out the dependabot PR so commits are added there
+ - name: Checkout PR
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: gh pr checkout ${{ github.event.pull_request.number }}
+
+ # This uses a reverse-engineered email for the github actions bot. See
+ # https://github.com/actions/checkout/issues/13#issuecomment-724415212
+ - name: Git identity
+ run: |
+ git config --global user.name 'github-actions[bot]'
+ git config --global user.email '<41898282+github-actions[bot]@users.noreply.github.com'
+
+ - name: Setup node
+ uses: actions/setup-node@v3
+ with:
+ node-version: 16
+
+ - name: Lerna bootstrap
+ run: |
+ npm run boot
+ cd examples && npm run boot
+
+ # If any package-locks were updated by lerna bootstrap, commit them
+ # Using `[dependabot skip]` in the commit message allows dependabot
+ # to continue making changes to this PR after it is updated
+ - name: Commit changes
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ if [[ $(git status | grep '.package-lock.json') ]]; then
+ git commit -am "chore: update package-locks [dependabot skip]"
+ git push
+ else
+ echo "No changes detected"
+ fi
From ae2a4e0d37df5fb973fcbb6a90488867b60657ba Mon Sep 17 00:00:00 2001
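Review bot: The `permissions` block grants only `pull-requests: write`, but the final "Commit changes" step runs `git push`, which needs `contents: write`; once `permissions` is set, every scope not listed becomes `none`, so the push is likely to be rejected. Add `contents: write` under `permissions`. With a write-capable token in the job, note that `actions/checkout` keeps that token in the local git config by default, and `npm run boot` then presumably runs install scripts from the freshly bumped dependencies, so it is worth checking whether the bootstrap can run with lifecycle scripts disabled. The `if` guard tests `github.actor`, which is whoever triggered the run rather than the PR author; `if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}` is the stricter check. The `user.email` value in the "Git identity" step also has a stray leading `<` with no closing `>`.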
From: Maribeth Bottorff
Date: Thu, 13 Jul 2023 17:20:17 -0700
Subject: [PATCH 2/2] fix: update node version
---
.github/workflows/dependabot_update.yml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/dependabot_update.yml b/.github/workflows/dependabot_update.yml
index ff18021d13..8dff377896 100644
--- a/.github/workflows/dependabot_update.yml
+++ b/.github/workflows/dependabot_update.yml
@@ -36,7 +36,7 @@ jobs: - name: Setup node uses: actions/setup-node@v3 with: - node-version: 16 + node-version: 20 - name: Lerna bootstrap run: |
@@ -46,6 +46,7 @@ jobs: # If any package-locks were updated by lerna bootstrap, commit them # Using `[dependabot skip]` in the commit message allows dependabot # to continue making changes to this PR after it is updated + # https://docs.github.com/en/code-security/dependabot/working-with-dependabot/managing-pull-requests-for-dependency-updates#allowing-dependabot-to-rebase-and-force-push-over-extra-commits - name: Commit changes env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}