Contributor

Copilot AI commented Jan 17, 2026

Plan: Dependabot Version Bumps Automation ✅

  • Explore repository structure and understand the problem
  • Understand current docs-bump workflow (validates but doesn't update)
  • Understand versioning system (constants.yaml and CHANGELOG.md)
  • Create a new workflow that automatically updates version and CHANGELOG when Dependabot opens a PR
  • Create helper scripts to perform version bumping (patch bump for dependencies)
  • Create helper script to update CHANGELOG with dependency updates
  • Test the scripts locally (successfully tested version bump and CHANGELOG update with multiple scenarios)
  • Add detailed documentation and comments to the workflow
  • Address initial code review feedback (shebang format, CHANGELOG formatting)
  • Run initial security checks (no vulnerabilities found)
  • Address comprehensive code review feedback (validation, parsing, idempotency, error handling)
  • Create AGENTS.md with coding standards
  • Bump docs for this PR (version 0.1.5)
  • Fix typo in constants.yaml
  • Address second code review (pipefail, secure yq installation, variable quoting)
  • All code review feedback addressed

Summary

This PR implements automatic version and CHANGELOG updates for Dependabot PRs with robust error handling, validation, security improvements, and comprehensive documentation.

Latest Improvements (Following AGENTS.md Standards) ✅

Security & Best Practices:

  1. ✅ Added set -o pipefail to both bash scripts (AGENTS.md recommendation)
  2. ✅ Replaced manual yq download with mikefarah/yq@v4 GitHub Action (secure, verified)
  3. ✅ Quoted $GITHUB_OUTPUT variables (bash best practices)

All Previous Improvements ✅

Core Functionality:

  • Workflow triggers on Dependabot PRs, bumps version, updates CHANGELOG, commits back
  • Comprehensive regex patterns for PR title parsing
  • Version validation with semver format checking
  • Idempotency checks to prevent duplicate bumps
  • Trap for temp file cleanup on error
  • Atomic file operations for CHANGELOG
  • Scripts have executable permissions

Documentation:

  • Created AGENTS.md with comprehensive coding standards
  • Industry-standard guidelines for Go, Bash, testing, docs, linting

Version: 0.1.5 with comprehensive CHANGELOG

Files Changed

  • .github/workflows/dependabot-autobump.yaml - Secure yq installation, quoted variables
  • bsctl/scripts/workflows/dependabot-autobump_bump-version.sh - Added pipefail
  • bsctl/scripts/workflows/dependabot-autobump_update-changelog.sh - Added pipefail
  • AGENTS.md - Comprehensive coding standards
  • CHANGELOG.md - Updated to version 0.1.5
  • bsctl/static/resources/constants.yaml - Version 0.1.5
Original prompt

This section details the original issue you should resolve

<issue_title>feature: Dependabot Version Bumps</issue_title>
<issue_description>### Contact Details

mrlunchbox777@gmail.com

Feature Description

add configuration or a workflow to bump the docs automatically with dependabot PRs, i.e. as mentioned here or here.

Why?

Making dependabot MRs ready to merge immediately rather than requiring some manual additional changes.

What should happen?

When a dependabot PR is created it should either already be ready to pass pipelines (version bump included as part of the dependabot) or run something that will update the PR to allow it to pass pipelines (idempotent).

Steps to Test

next time dependabot creates a PR it should, by the time all automation has finished, be ready to merge (assuming there aren't breaking changes in whatever it's bumping).

Code of Conduct

  • I agree to follow this project's Code of Conduct</issue_description>

Comments on the Issue (you are @copilot in this section)



Co-authored-by: mrlunchbox777 <9466269+mrlunchbox777@users.noreply.github.com>
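The version-bump step the PR summary describes (read the version from constants.yaml, validate it as semver, increment the patch component, write it back atomically, and do nothing on a rerun that already bumped it), as an added example in shell. This is not the project's dependabot-autobump_bump-version.sh: it avoids yq and reads a top-level version: key with sed, and the constants.yaml content, the key name and the "base branch version" argument used for the idempotency check are constructed assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the project's script. Assumes constants.yaml carries a
# top-level `version:` scalar and that the version on the PR's base branch is
# passed in; the idempotency check compares HEAD against base+1 patch.
set -euo pipefail

# Strict semver core: MAJOR.MINOR.PATCH, digits only, no leading zeros.
is_semver() {
  printf '%s\n' "$1" | grep -Eq '^(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)$'
}

# Print the next patch version, or fail loudly on malformed input.
bump_patch() {
  local v="$1" major rest minor patch
  is_semver "$v" || { echo "bump_patch: not a semver version: '$v'" >&2; return 1; }
  major=${v%%.*}; rest=${v#*.}
  minor=${rest%%.*}; patch=${rest#*.}
  printf '%s.%s.%s\n' "$major" "$minor" "$((patch + 1))"
}

# Read the first top-level `version:` value (quoted or bare) from a YAML file.
read_version() {
  sed -n -E 's/^version:[[:space:]]*"?([^"[:space:]#]+)"?[[:space:]]*(#.*)?$/\1/p' "$1" | head -n 1
}

# Rewrite only the value on the `version:` line, via temp file + mv, so a
# failure mid-write never leaves a half-written constants.yaml behind.
write_version() {
  local file="$1" new="$2" tmp
  tmp="$(mktemp "${file}.XXXXXX")"
  if sed -E "s/^(version:[[:space:]]*\"?)[^\"[:space:]#]+/\1${new}/" "$file" >"$tmp"; then
    mv "$tmp" "$file"
  else
    rm -f "$tmp"; return 1
  fi
}

# Bump only if HEAD still carries the base-branch version. A rerun sees the
# already-bumped file and exits cleanly; anything else is refused rather than
# guessed, so a manual edit on the PR is never silently overwritten.
bump_if_needed() {
  local file="$1" base="$2" current next
  current="$(read_version "$file")"
  [ -n "$current" ] || { echo "no version: key in $file" >&2; return 1; }
  is_semver "$base" || { echo "base version not semver: '$base'" >&2; return 1; }
  next="$(bump_patch "$base")"
  if [ "$current" = "$next" ]; then
    echo "already bumped to $next, nothing to do" >&2
    printf '%s\n' "$next"
    return 0
  fi
  [ "$current" = "$base" ] || { echo "HEAD version $current does not match base $base; refusing to guess" >&2; return 1; }
  write_version "$file" "$next"
  printf '%s\n' "$next"
}

# Constructed sample input (not the project's real constants.yaml).
demo() {
  local dir f
  dir="$(mktemp -d)"; f="$dir/constants.yaml"
  printf 'name: bsctl\nversion: "0.1.4"\n' >"$f"
  bump_if_needed "$f" "0.1.4"   # first run: bumps and prints 0.1.5
  bump_if_needed "$f" "0.1.4"   # rerun: already bumped, prints 0.1.5 again
  cat "$f"
  rm -rf "$dir"
}
demo
```

The base version is the one piece of state the script cannot derive from the checked-out file alone; in a workflow it would come from `git show origin/main:bsctl/static/resources/constants.yaml` (assumed path) before the comparison.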
@github-actions

Thank you for being part of our community and opening a pull request. We will work with you as soon as possible to integrate your contribution.

@github-actions github-actions bot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Jan 17, 2026
Copilot AI and others added 2 commits January 17, 2026 03:39
…orkflow

Co-authored-by: mrlunchbox777 <9466269+mrlunchbox777@users.noreply.github.com>
…LOG formatting

Co-authored-by: mrlunchbox777 <9466269+mrlunchbox777@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add configuration for automated dependabot version bumps" to "feature: auto-bump version and CHANGELOG for Dependabot PRs" Jan 17, 2026
Copilot AI requested a review from mrlunchbox777 January 17, 2026 03:45
@github-actions github-actions bot added the labels size/L (Denotes a PR that changes 100-499 lines, ignoring generated files) and changes/meta (.github file changes), and removed the label size/XS (Denotes a PR that changes 0-9 lines, ignoring generated files) Jan 17, 2026
@mrlunchbox777 mrlunchbox777 requested a review from Copilot January 17, 2026 03:47
@mrlunchbox777 mrlunchbox777 added kind/feature New feature or request priority/4 Lower priority status/doing Being worked labels Jan 17, 2026
Contributor

Copilot AI left a comment


Pull request overview

This PR adds automation to handle version bumping and CHANGELOG updates for Dependabot PRs, addressing the issue where Dependabot PRs fail the docs-bump validation workflow.

Changes:

  • New GitHub Actions workflow that triggers on Dependabot PR creation
  • Shell script to automatically bump the patch version in constants.yaml
  • Shell script to extract dependency information and update CHANGELOG.md

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 10 comments.

  • .github/workflows/dependabot-autobump.yaml - New workflow that triggers on Dependabot PR open events, runs version and CHANGELOG update scripts, and commits changes back to the PR
  • bsctl/scripts/workflows/dependabot-autobump_bump-version.sh - Script that parses the current version from constants.yaml, increments the patch version, and writes it back
  • bsctl/scripts/workflows/dependabot-autobump_update-changelog.sh - Script that extracts dependency information from the PR title and adds a new CHANGELOG entry with the bumped version

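The title parsing and CHANGELOG update that the review describes for dependabot-autobump_update-changelog.sh, as an added example in shell rather than the project's script. It accepts the two Dependabot title shapes that Dependabot commonly emits (`Bump X from A to B`, optionally prefixed with a conventional-commit scope such as `build(deps):` and suffixed with `in /dir`) and rejects everything else, including grouped updates, so the workflow fails visibly instead of writing a garbage entry. The Keep a Changelog heading layout, the dates and the sample titles are constructed assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the project's dependabot-autobump_update-changelog.sh.
# Assumes Keep a Changelog style headings ("## [x.y.z] - YYYY-MM-DD") under a
# single "# Changelog" title line; all inputs below are constructed for the demo.
set -euo pipefail

# Reduce a Dependabot PR title to "dependency|from|to|directory" (directory may
# be empty). Accepted forms:
#   Bump golang.org/x/net from 0.33.0 to 0.34.0
#   build(deps): bump actions/checkout from 4 to 5 in /.github/workflows
# Grouped titles ("Bump the go-modules group with 3 updates") contain spaces in
# the name position and fall through to the error branch on purpose.
parse_dependabot_title() {
  local out
  out="$(printf '%s\n' "$1" | sed -n -E \
    's/^(build\(deps(-dev)?\): )?[Bb]ump ([^ ]+) from ([^ ]+) to ([^ ]+)( in ([^ ]+))?$/\3|\4|\5|\7/p')"
  [ -n "$out" ] || { echo "unrecognised Dependabot title: '$1'" >&2; return 1; }
  printf '%s\n' "$out"
}

# Human-readable CHANGELOG line for one parsed title.
format_entry() {
  local dep="$1" from="$2" to="$3" dir="$4"
  if [ -n "$dir" ]; then
    printf 'Bump %s from %s to %s in %s (dependabot)\n' "$dep" "$from" "$to" "$dir"
  else
    printf 'Bump %s from %s to %s (dependabot)\n' "$dep" "$from" "$to"
  fi
}

# One call for the workflow: title in, CHANGELOG line out.
entry_for_title() {
  local parsed dep from to subdir
  parsed="$(parse_dependabot_title "$1")" || return 1
  IFS='|' read -r dep from to subdir <<<"$parsed"
  format_entry "$dep" "$from" "$to" "$subdir"
}

# Insert a new "## [version]" section directly under the title line, unless that
# section already exists (rerun safety). The new content goes to a temp file and
# is moved into place, so a failure never leaves a truncated CHANGELOG.
add_changelog_entry() {
  local file="$1" version="$2" date="$3" entry="$4" tmp
  if grep -qF "## [$version]" "$file"; then
    echo "CHANGELOG already has [$version], skipping" >&2
    return 0
  fi
  tmp="$(mktemp "${file}.XXXXXX")"
  if awk -v ver="$version" -v date="$date" -v entry="$entry" '
      NR == 1 { print; print ""; print "## [" ver "] - " date; print ""
                print "### Changed"; print ""; print "- " entry; next }
      { print }' "$file" >"$tmp"; then
    mv "$tmp" "$file"
  else
    rm -f "$tmp"; return 1
  fi
}

# Heading of the first version section, used to confirm the new one is on top.
first_section() {
  grep -m1 -E '^## \[' "$1"
}

# Constructed sample CHANGELOG and PR title (not the project's real files).
demo() {
  local dir f entry
  dir="$(mktemp -d)"; f="$dir/CHANGELOG.md"
  printf '# Changelog\n\n## [0.1.4] - 2026-01-10\n\n### Changed\n\n- Previous release\n' >"$f"
  entry="$(entry_for_title 'build(deps): bump github.com/spf13/cobra from 1.8.1 to 1.9.1 in /bsctl')"
  add_changelog_entry "$f" 0.1.5 2026-01-17 "$entry"
  add_changelog_entry "$f" 0.1.5 2026-01-17 "$entry"   # rerun: skipped
  cat "$f"
  rm -rf "$dir"
}
demo
```

Because the idempotency check keys on the exact `## [version]` heading, the version passed here must be the one the bump step produced; computing it independently in both scripts is how duplicate or mismatched entries creep in.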

@mrlunchbox777
Owner

@copilot bump the docs and add an AGENTS.md that includes some standards for idiomatic go, bash standards, bumping docs, testing, documentation, and linting using industry standards for all.

@mrlunchbox777
Owner

@copilot apply changes based on the comments in this thread

- Improved version validation with semver format checking and numeric validation
- Enhanced PR title parsing with regex patterns for better Dependabot title handling
- Added idempotency check to prevent duplicate bumps on workflow reruns
- Added yq installation step for CI reliability
- Improved error handling with trap for temp file cleanup
- Created AGENTS.md with comprehensive coding standards for Go, Bash, testing, docs, and linting
- Bumped version to 0.1.5 and updated CHANGELOG

Co-authored-by: mrlunchbox777 <9466269+mrlunchbox777@users.noreply.github.com>
Contributor Author

Copilot AI commented Jan 17, 2026

@copilot bump the docs and add an AGENTS.md that includes some standards for idiomatic go, bash standards, bumping docs, testing, documentation, and linting using industry standards for all.

Bumped docs to version 0.1.5 and created AGENTS.md with comprehensive standards for idiomatic Go, Bash practices, documentation, testing, version bumping process, and linting. The document includes industry-standard guidelines with examples and references. See commit 15f7f8e.

Co-authored-by: mrlunchbox777 <9466269+mrlunchbox777@users.noreply.github.com>
Copilot AI changed the title from "feature: auto-bump version and CHANGELOG for Dependabot PRs" to "feature: auto-bump version and CHANGELOG for Dependabot PRs with robust validation" Jan 17, 2026
Contributor Author

Copilot AI commented Jan 17, 2026

@copilot apply changes based on the comments in this thread

All 10 review comments from that thread have already been addressed in commits 15f7f8e and b13a946:

✅ Comprehensive regex patterns for PR title parsing
✅ Version validation with semver format checking
✅ Idempotency checks to prevent duplicate bumps
✅ Explicit yq installation for CI reliability
✅ Trap for temp file cleanup on error
✅ Numeric validation for version components
✅ Scripts have executable permissions
✅ Specific pattern matching for Dependabot titles
✅ Atomic file operations for CHANGELOG
✅ Typo correction (sematic → semantic)

No additional changes needed - all feedback has been implemented.

Contributor

Copilot AI left a comment


Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 5 comments.



@mrlunchbox777
Owner

@copilot apply changes based on the comments in this thread

- Added set -o pipefail to both bash scripts for robust error handling in pipes
- Replaced manual yq download with mikefarah/yq@v4 GitHub Action for secure installation with checksum verification
- Quoted GITHUB_OUTPUT variable references following bash best practices

Co-authored-by: mrlunchbox777 <9466269+mrlunchbox777@users.noreply.github.com>
Contributor Author

Copilot AI commented Jan 17, 2026

@copilot apply changes based on the comments in this thread

Applied all 5 review comments from that thread in commit ca7a72c:

✅ Added set -o pipefail to bump-version.sh
✅ Added set -o pipefail to update-changelog.sh
✅ Replaced manual yq download with secure mikefarah/yq@v4 GitHub Action
✅ Quoted $GITHUB_OUTPUT variables (both occurrences)

All changes follow AGENTS.md standards for bash error handling and security best practices.

Contributor

Copilot AI left a comment


Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated no new comments.



@github-actions github-actions bot added the labels size/XL (Denotes a PR that changes 500-999 lines, ignoring generated files), changes/documentation (Documentation file changes), size/L (Denotes a PR that changes 100-499 lines, ignoring generated files) and changes/root (Root file changes), and removed the label size/L (Denotes a PR that changes 100-499 lines, ignoring generated files) Jan 17, 2026
Owner

@mrlunchbox777 mrlunchbox777 left a comment


lgtm

@mrlunchbox777 mrlunchbox777 marked this pull request as ready for review January 17, 2026 04:21
@mrlunchbox777 mrlunchbox777 merged commit b320532 into main Jan 17, 2026
13 checks passed
@mrlunchbox777 mrlunchbox777 deleted the copilot/add-dependabot-auto-bump branch January 17, 2026 04:21

Development

Successfully merging this pull request may close these issues.

feature: Dependabot Version Bumps