
fix: apply dependabot config via PR (branch protection blocks direct push) #23

Merged
avrabe merged 1 commit into main from fix/dependabot-via-pr on Apr 25, 2026

Conversation

@avrabe avrabe commented Apr 25, 2026

Root cause

After PR #19 added required_pull_request_reviews to the default branch, direct pushes from the bot are blocked. The scheduler — now actually running post-#21 — immediately revealed this: every generate-dependabot task across the org failed with:

Could not create file: Changes must be made through a pull request

Three rows in the deployed task store (pulseengine/temper, pulseengine/rivet, pulseengine/spar) are stuck at status=failed, attempts=3.

Fix

Set change_strategy.use_pull_requests: true in config.yml. The code path already exists in src/dependabot.js:25-30 and src/github-api.js:42-83 — it just wasn't enabled in config. Schema validation added.

Manual cleanup after deploy

The 3 stuck rows have unique dedup keys, so new attempts won't re-enqueue. One-shot on netcup:

```bash
node -e 'import("./src/task-store.js").then(m => {
  const s = m.initTaskStore("./data/tasks.db");
  s._db.prepare("DELETE FROM tasks WHERE status = ?").run("failed");
  s.close();
})'
```

A /retry-failed-tasks ChatOps command is a sensible follow-up but out of scope here.

Test plan

  • All 698 tests pass
  • eslint clean
  • After merge + deploy + manual cleanup: next non-bot PR in any org repo → bot enqueues generate-dependabot → scheduler claims it → bot opens a `[temper] Configuration update` PR adding `.github/dependabot.yml`
  • AI review on this PR should fire (PR #22, "fix: AI review failed silently — octokit.issues namespace undefined", fixed the octokit.issues bug, deployed at `a9b8e6f`). If a review comment lands within ~5 min, both fixes are confirmed working.

Risk & rollout

  • Risk: low. Pure config flip. PR-creation path covered by integration tests.
  • Rollout: self-update on merge, then one-shot cleanup of the 3 failed rows.

🤖 Generated with Claude Code

…push)

## Root cause
After PR #19 added `required_pull_request_reviews` to the default branch,
direct pushes to `main` from the bot are blocked. The deployed scheduler
(now actually running, post-#21) immediately revealed this: every
`generate-dependabot` task across the org failed with:

> Could not create file: Changes must be made through a pull request

## Fix
Set `change_strategy.use_pull_requests: true` in `config.yml`. The code path
already exists in `src/dependabot.js:25-30` and `src/github-api.js:42-83` —
it was just never enabled in config. Schema validation added for the new
section.

## Cleanup needed after deploy
Three rows in the deployed task store are stuck at `status=failed,
attempts=3`. Their dedup keys block re-enqueue. Run on netcup to clear:

```bash
node -e 'import("./src/task-store.js").then(m => {
  const s = m.initTaskStore("./data/tasks.db");
  s._db.prepare("DELETE FROM tasks WHERE status = ?").run("failed");
  s.close();
})'
```

A `/retry-failed-tasks` ChatOps command is a sensible follow-up.

## Test plan
- [x] All 698 tests pass
- [x] eslint clean
- [ ] After merge + deploy + manual cleanup: next time a non-bot PR opens
      in any org repo, the bot enqueues `generate-dependabot`, the scheduler
      claims it on the next tick, and the bot opens a `[temper] Configuration
      update` PR adding `.github/dependabot.yml`.

## Risk & rollout
- Risk: low. Pure config flip. PR-creation path is well-tested
  (`__tests__/integration/github-api.test.js`).
- Rollout: self-update on merge, then manual one-shot to clear the 3
  permanently-failed rows.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
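Added example, not code from the temper project or this PR. It models the mechanism the description above relies on: a task store whose dedup key blocks re-enqueue while a row exists in any status, the attempts=3 retry cap, and the `change_strategy.use_pull_requests` flag deciding whether the bot pushes directly or opens a PR. It also replays the incident end to end, and its cleanup step is scoped to one task type instead of deleting every failed row as the one-shot above does. Every name here (`TaskStore`, `validateChangeStrategy`, `applyChange`, `runTask`, `clearFailed`, the `requiresPullRequest` field) is a hypothetical stand-in, not the project's API.

```javascript
// Added example; not code from the temper project. All identifiers are hypothetical
// stand-ins for the task store, config validation and GitHub client the PR refers to.

const MAX_ATTEMPTS = 3; // the attempts=3 cap visible in the stuck rows

// Validate the config.yml section the PR adds. Unknown keys and non-boolean values are
// rejected so that a typo (e.g. use_pull_request) cannot silently keep direct push on.
function validateChangeStrategy(config) {
  const section = config.change_strategy ?? {};
  if (typeof section !== 'object' || Array.isArray(section)) {
    throw new TypeError('change_strategy must be a mapping');
  }
  for (const key of Object.keys(section)) {
    if (key !== 'use_pull_requests') throw new TypeError(`change_strategy: unknown key "${key}"`);
  }
  const usePRs = section.use_pull_requests ?? false; // assumed default: the pre-fix behaviour
  if (typeof usePRs !== 'boolean') throw new TypeError('change_strategy.use_pull_requests must be boolean');
  return { use_pull_requests: usePRs };
}

// Stand-in for the GitHub side. A repo whose default branch requires PR reviews
// rejects direct file creation with the message quoted in the PR description.
function applyChange(repo, strategy) {
  if (strategy.use_pull_requests) {
    return { kind: 'pull_request', title: '[temper] Configuration update', file: '.github/dependabot.yml' };
  }
  if (repo.requiresPullRequest) {
    throw new Error('Could not create file: Changes must be made through a pull request');
  }
  return { kind: 'direct_push', file: '.github/dependabot.yml' };
}

// Minimal task store: one row per dedup key, which is why a failed row blocks re-enqueue.
class TaskStore {
  constructor() { this.rows = new Map(); } // dedupKey -> row
  enqueue(type, repoName) {
    const dedupKey = `${type}:${repoName}`;
    if (this.rows.has(dedupKey)) return null; // any existing row wins, even a failed one
    const row = { dedupKey, type, repoName, status: 'pending', attempts: 0, lastError: null };
    this.rows.set(dedupKey, row);
    return row;
  }
  // Remove failed rows of one task type only, rather than every failed row in the table.
  clearFailed(type) {
    let removed = 0;
    for (const [key, row] of this.rows) {
      if (row.status === 'failed' && row.type === type) { this.rows.delete(key); removed++; }
    }
    return removed;
  }
  failed() { return [...this.rows.values()].filter(r => r.status === 'failed'); }
}

// Run one task: retry up to MAX_ATTEMPTS, then park the row as failed.
function runTask(store, row, repo, strategy) {
  while (row.status === 'pending') {
    row.attempts += 1;
    try {
      const result = applyChange(repo, strategy);
      row.status = 'done';
      return result;
    } catch (err) {
      row.lastError = err.message;
      if (row.attempts >= MAX_ATTEMPTS) row.status = 'failed';
    }
  }
  return null;
}

// Replay the incident: direct push fails 3 times, the config flip alone does not
// unstick the row (dedup key still held), and a scoped cleanup lets the retry through.
function replayIncident() {
  const store = new TaskStore();
  const repo = { name: 'pulseengine/temper', requiresPullRequest: true }; // constructed sample
  const before = validateChangeStrategy({}); // pre-fix config: no change_strategy section
  const row = store.enqueue('generate-dependabot', repo.name);
  runTask(store, row, repo, before);
  const stuck = { status: row.status, attempts: row.attempts, error: row.lastError };

  const after = validateChangeStrategy({ change_strategy: { use_pull_requests: true } });
  const blocked = store.enqueue('generate-dependabot', repo.name) === null;
  const cleared = store.clearFailed('generate-dependabot');
  const retry = store.enqueue('generate-dependabot', repo.name);
  const result = runTask(store, retry, repo, after);
  return { stuck, blocked, cleared, result };
}
```

`replayIncident()` returns the stuck row as `status: 'failed', attempts: 3` with the branch-protection error, `blocked: true` for the second enqueue, `cleared: 1`, and a `pull_request` result once the flag is on. The scoped `clearFailed(type)` is the point of difference from the one-shot `DELETE FROM tasks WHERE status = 'failed'`: it leaves failed rows of other task types in place for inspection.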
@temper-pulseengine

AI Code Review for PR #23

pulseengine/temper:fix/dependabot-via-pr → pulseengine/temper:main

Summary of Changes

The PR introduces a fix to apply Dependabot configuration via pull request rather than direct push. This change is necessary due to the introduction of branch protection in PR #19, which blocks direct commits to the default branches.

Potential Bugs or Issues

  • Security Concerns: The implementation does not include any security measures for handling sensitive information related to Dependabot configuration files or tokens.
  • Configuration Validation: While schema validation is added, it only checks basic types and structures. There might be edge cases that are not covered by this validation.

Security Concerns

  1. Sensitive Information Handling: The PR does not include any security measures for handling sensitive information related to Dependabot configuration files or tokens.
  2. Configuration Validation: While schema validation is added, it only checks basic types and structures. There might be edge cases that are not covered by this validation.

Suggestions for Improvement

  1. Security Measures: Implement secure practices for handling sensitive information such as API keys and tokens.
  2. Configuration Validation: Enhance the schema validation to cover more complex scenarios and edge cases.
  3. Error Handling: Add error handling in case of invalid configuration or failed operations.

Overall Assessment

The PR addresses a critical issue related to branch protection by ensuring that Dependabot configurations are applied via pull requests. However, there is room for improvement in terms of security measures and configuration validation. The implementation is mostly correct but could benefit from additional robustness.


This review was generated by a local AI model. It is advisory only and may contain inaccuracies.

Reviewed at a24d373

@avrabe avrabe merged commit 4d3d432 into main Apr 25, 2026
5 checks passed
@avrabe avrabe deleted the fix/dependabot-via-pr branch April 25, 2026 23:52
