plures · kayodebristol · Feb 6, 2026 · Feb 5, 2026 · Feb 5, 2026 · Feb 5, 2026
diff --git a/.github/BOT_PR_TEMPLATE.md b/.github/BOT_PR_TEMPLATE.md
@@ -0,0 +1,28 @@
+<!-- Bot PR Template - Auto-populated by automation workflows -->
+
+## 🤖 Automated Dependency Update
+
+### Summary
+<!-- Brief description of what's being updated -->
+
+### Changes
+<!-- List of packages/dependencies being updated -->
+
+### Upstream References
+<!-- Links to changelogs, release notes, or commit ranges -->
+
+### Impact Assessment
+- [ ] Breaking changes: **None** / **Documented below**
+- [ ] Security fixes: **None** / **Documented below**
+- [ ] Requires manual testing: **No** / **Yes - see below**
+
+### Testing
+<!-- Automated test results and any manual testing performed -->
+
+### Tracking
+- Weekly batch: `YYYY-MM-DD`
+- Issue reference: `#<issue-number>` or `n/a` (tracked in weekly log)
+
+---
+*This PR was automatically generated by the Praxis bot update workflow.*
+*For questions or to report issues, please tag @plures/maintainers.*
diff --git a/.github/bot-logs/INDEX.md b/.github/bot-logs/INDEX.md
@@ -0,0 +1,32 @@
+# Bot Activity Logs Index
+
+This directory contains weekly logs of automated bot activities in the Praxis repository.
+Each log captures dependency updates, version bumps, and other automated maintenance tasks.
+
+## Purpose
+- Track bot activities even when no GitHub issue is created
+- Provide audit trail for automated changes
+- Enable review of batch updates over time
+- Reduce PR/commit churn by batching weekly updates
+
+## How It Works
+
+1. **Weekly Schedule**: Automated logs are generated every Monday at 10:00 UTC
+2. **Batch Updates**: Dependabot and other bot updates are grouped and reviewed weekly
+3. **Audit Trail**: Each weekly log includes:
+   - Summary of all bot PRs merged that week
+   - Links to upstream changes and release notes
+   - Impact assessment (breaking changes, security fixes)
+   - Testing status
+
+## Configuration
+
+Bot update behavior is controlled by:
+- `.github/dependabot.yml` - Dependency update grouping and scheduling
+- `.github/workflows/bot-weekly-log.yml` - Weekly activity logging
+- `.github/BOT_PR_TEMPLATE.md` - Standard PR format for bot updates
+
+## Weekly Logs
+
+<!-- Log entries will be added automatically by the bot-weekly-log workflow -->
+*No logs yet. The first log will be generated on the next Monday after this file is committed.*
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -5,22 +5,64 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
-    open-pull-requests-limit: 10
+      day: "monday"
+      time: "09:00"  # UTC timezone
+    open-pull-requests-limit: 5
+    groups:
+      npm-production:
+        patterns:
+          - "*"
+        exclude-patterns:
+          - "@types/*"
+          - "@vitest/*"
+          - "typescript"
+          - "tsup"
+          - "vite"
+          - "vitest"
+        update-types:
+          - "minor"
+          - "patch"
+      npm-dev-tools:
+        patterns:
+          - "@types/*"
+          - "@vitest/*"
+          - "typescript"
+          - "tsup"
+          - "vite"
+          - "vitest"
+        update-types:
+          - "minor"
+          - "patch"
     labels:
       - "dependencies"
       - "npm"
+      - "bot-update"
     commit-message:
-      prefix: "chore"
+      prefix: "chore(deps)"
       include: "scope"
+    pull-request-branch-name:
+      separator: "/"
 
   # Enable version updates for GitHub Actions
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "weekly"
+      day: "monday"
+      time: "09:00"  # UTC timezone
+    groups:
+      github-actions:
+        patterns:
+          - "*"
+        update-types:
+          - "minor"
+          - "patch"
     labels:
       - "dependencies"
       - "github-actions"
+      - "bot-update"
     commit-message:
-      prefix: "chore"
+      prefix: "chore(deps)"
       include: "scope"
+    pull-request-branch-name:
+      separator: "/"
diff --git a/.github/workflows/batch-pin-bumps.yml b/.github/workflows/batch-pin-bumps.yml
@@ -0,0 +1,173 @@
+name: Batch Pin Bumps (Weekly)
+
+on:
+  schedule:
+    # Run every Monday at 08:00 UTC (before the weekly log)
+    - cron: "0 8 * * 1"
+  workflow_dispatch:
+    inputs:
+      force_update:
+        description: 'Force update even if no changes detected'
+        required: false
+        default: 'false'
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  batch-pin-updates:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: '20.x'
+
+      - name: Get week label
+        id: week
+        run: |
+          WEEK_LABEL=$(date -u +%Y-W%U)
+          BRANCH_NAME="bot/weekly-pins-$WEEK_LABEL"
+          echo "label=$WEEK_LABEL" >> $GITHUB_OUTPUT
+          echo "branch=$BRANCH_NAME" >> $GITHUB_OUTPUT
+
+      - name: Check for pin updates
+        id: check
+        run: |
+          # This is a placeholder for custom pin update logic
+          # Projects can customize this step to check their specific pin files
+          # Examples: package-lock.json, pnpm-lock.yaml, flake.lock, etc.
+
+          CHANGES_DETECTED=false
+          SUMMARY=""
+
+          # Check for pnpm lockfile updates
+          if [ -f "pnpm-lock.yaml" ]; then
+            # Run pnpm update to check for available updates
+            if command -v pnpm &> /dev/null; then
+              pnpm install
+              if git diff --quiet pnpm-lock.yaml; then
+                echo "No pnpm lockfile changes detected"
+              else
+                CHANGES_DETECTED=true
+                SUMMARY="${SUMMARY}\n- Updated pnpm lockfile"
+              fi
+            fi
+          fi
+
+          # Check for package-lock.json updates
+          if [ -f "package-lock.json" ]; then
+            if command -v npm &> /dev/null; then
+              npm install
+              if git diff --quiet package-lock.json; then
+                echo "No npm lockfile changes detected"
+              else
+                CHANGES_DETECTED=true
+                SUMMARY="${SUMMARY}\n- Updated npm lockfile"
+              fi
+            fi
+          fi
+
+          echo "changes=$CHANGES_DETECTED" >> $GITHUB_OUTPUT
+          echo "summary<<EOF" >> $GITHUB_OUTPUT
+          echo -e "$SUMMARY" >> $GITHUB_OUTPUT
+          echo "EOF" >> $GITHUB_OUTPUT
+
+      - name: Create PR if changes detected
+        if: steps.check.outputs.changes == 'true' || github.event.inputs.force_update == 'true'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          BRANCH="${{ steps.week.outputs.branch }}"
+          WEEK="${{ steps.week.outputs.label }}"
+
+          # Configure git
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+
+          # Create and switch to new branch
+          git checkout -b "$BRANCH"
+
+          # Add all changes
+          git add -A
+
+          # Commit with descriptive message
+          COMMIT_TITLE="chore: weekly pin bumps for $WEEK"
+          COMMIT_BODY="Automated weekly dependency pin updates.
+
+          This PR batches all pin updates for the week to reduce commit churn.
+          Review the lockfile changes for any unexpected updates.
+
+          Tracking: Weekly log $WEEK"
+
+          git commit -m "$COMMIT_TITLE" -m "$COMMIT_BODY"
+
+          # Push branch
+          git push origin "$BRANCH"
+
+          # Get template content
+          TEMPLATE_FILE=".github/BOT_PR_TEMPLATE.md"
+
+          # Create PR body
+          PR_BODY="## 🤖 Automated Weekly Pin Updates
+
+          **Week:** $WEEK
+          **Type:** Dependency lockfile updates
+
+          ### Summary
+          This PR batches all dependency pin bumps for the week to reduce commit churn and improve reviewability.
+
+          ### Changes
+          ${{ steps.check.outputs.summary }}
+
+          ### Upstream References
+          - Review the lockfile diff for specific package version changes
+          - Check individual package changelogs for breaking changes
+
+          ### Impact Assessment
+          - [ ] Breaking changes: **Review lockfile diff**
+          - [ ] Security fixes: **Check dependency security advisories**
+          - [ ] Requires manual testing: **Yes - verify builds and tests pass**
+
+          ### Testing
+          \`\`\`bash
+          npm run build
+          npm run test
+          npm run typecheck
+          \`\`\`
+
+          ### Tracking
+          - Weekly batch: $WEEK
+          - Issue reference: n/a (tracked in weekly bot log)
+
+          ---
+          *This PR was automatically generated by the batch-pin-bumps workflow.*
+          *For questions or to report issues, please tag @plures/maintainers.*"
+
+          # Create PR
+          gh pr create \
+            --title "chore(deps): weekly pin bumps - $WEEK" \
+            --body "$PR_BODY" \
+            --base main \
+            --head "$BRANCH" \
+            --label "dependencies,bot-update,automated-pins"
+
+      - name: Report status
+        run: |
+          echo "## 🤖 Pin Bump Check Complete" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "**Week:** ${{ steps.week.outputs.label }}" >> $GITHUB_STEP_SUMMARY
+          echo "**Changes detected:** ${{ steps.check.outputs.changes }}" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          if [ "${{ steps.check.outputs.changes }}" == "true" ]; then
+            echo "A PR has been created with the weekly pin updates." >> $GITHUB_STEP_SUMMARY
+          else
+            echo "No pin updates needed this week." >> $GITHUB_STEP_SUMMARY
+          fi