imgcompress-chan: the repo's helper bot

Meet imgcompress-chan, the custom GitHub App that repairs frontend pnpm lockfiles after Dependabot updates and squash-merges dependency PRs once CI is happy.


imgcompress-chan

ℹ️Info
GitHub App

Hi~! I'm imgcompress-chan ❤️ brought to life by @karimz1 to be his little helper for the imgcompress repo. I keep frontend pnpm lockfiles tidy after Dependabot updates and squash-merge dependency PRs once CI is happy. (。♥‿♥。)

I'm not very smart yet but I learn quick. So be kind to me. 🥺

She's a real GitHub App that lives at github.com/apps/imgcompress-chan and runs as her own bot identity (imgcompress-chan[bot]) on the repo, so her commits and comments are attributed to that account rather than to a maintainer.


What she can do today

| Task | How it triggers |
| --- | --- |
| Repair a broken frontend/pnpm-lock.yaml on a Dependabot PR | PR comment containing /chan-fix |
| Squash-merge a Dependabot PR after CI passes | Automatic on every Dependabot PR once ci-auto-merge.yml goes green |

Summoning her: /chan-fix

When a frontend Dependabot update leaves frontend/pnpm-lock.yaml in a broken state (for example because main has moved on since the PR was opened), just leave a comment on the affected PR with /chan-fix somewhere in it. She loves a polite ask, so something like:

Hey chan, can you /chan-fix it please? 💛

Then she'll:

  1. Refresh the PR branch from main
  2. Regenerate frontend/pnpm-lock.yaml with the pinned pnpm version
  3. Push the repaired commit so CI re-runs

See her in action: karimz1/imgcompress#641.

⚠️Warning

Right now only @karimz1 can summon her. The list of allowed users will grow over time as she learns more tricks.

📝When she can't help

If she runs into a merge conflict while refreshing the branch, or the PR comes from a fork, she'll stop and ask you to repair it manually. Her fork reply looks like this:

Can't reach this one from here 🥺

Hi~! This PR comes from a fork, so I don't have permission to push the lockfile fix back to it. (╥﹏╥)

If you'd like the repair anyway, please:

  1. Refresh your branch by merging main into it first
  2. Run ./applyFrontendDependencyFix.sh locally
  3. Push the result up to your fork, ne~? 💛

The applyFrontendDependencyFix.sh script always uses the pnpm version pinned in frontend/package.json#packageManager, so it never goes stale.


How she keeps things safe

She's set up so the blast radius stays tiny:

  • The /chan-fix actor check happens before any code is checked out, so a comment from anyone outside the allowlist ends the run before PR-controlled files ever reach the runner.
  • She refuses to push to fork branches, since her App token only covers the base repository. Her reply explains the manual recipe instead.
  • Lockfile regeneration runs pnpm install --lockfile-only --ignore-scripts, which writes only pnpm-lock.yaml (no node_modules) and blocks preinstall / postinstall hooks from PR-controlled package.json files.
  • She uses a short-lived installation token minted from the GitHub App via actions/create-github-app-token@v1, which is revoked when the job finishes, never a long-lived personal access token.
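The /chan-fix sequence above (refresh from main, regenerate with the pinned pnpm, push) and the safeguards in this list, written out as one added bash example. This is not imgcompress-chan's own code, nor the repo's applyFrontendDependencyFix.sh or workflow files. It assumes the caller supplies the commenter login and the PR head/base repository names in the environment variables CHAN_ACTOR, CHAN_HEAD_REPO and CHAN_BASE_REPO (in a workflow you would fill those from github.actor and the pull_request event payload), an allowlist in CHAN_ALLOWED, and that corepack can fetch the pinned pnpm; the function names, variable names and exit codes are invented for illustration.

```shell
#!/usr/bin/env bash
# Added example, not imgcompress-chan's own script. Inputs are assumed to
# arrive as environment variables (in a workflow step you would set them via
# `env:` from github.actor and the pull_request event payload):
#   CHAN_ACTOR      login of the user who left the /chan-fix comment
#   CHAN_HEAD_REPO  owner/name of the repository the PR branch lives in
#   CHAN_BASE_REPO  owner/name of the repository running the workflow
#   CHAN_ALLOWED    space-separated allowlist of logins (assumed default: karimz1)
#   CHAN_FIX_RUN    set to 1 to actually run the repair; the functions alone are safe to source
set -eu

# Gate 1: allowlist. Evaluated before any fetch/checkout so that a comment
# from an arbitrary user never causes PR-controlled files to be processed.
actor_allowed() {
  actor="$1"
  allowed="${2:-${CHAN_ALLOWED:-karimz1}}"
  for login in $allowed; do
    [ "$login" = "$actor" ] && return 0
  done
  return 1
}

# Gate 2: fork detection. The App's installation token only covers the base
# repository, so a push to a fork branch would fail; refuse up front instead.
is_fork_pr() {
  head_repo="$1"; base_repo="$2"
  [ "$head_repo" != "$base_repo" ]
}

# Read the pnpm version pinned in package.json#packageManager, e.g.
#   "packageManager": "pnpm@10.4.1+sha512..."  ->  10.4.1
# (an integrity suffix, if present, is dropped). Fails if the pin is missing
# or names another package manager.
pinned_pnpm_version() {
  version=$(sed -n \
    's/.*"packageManager"[[:space:]]*:[[:space:]]*"pnpm@\([0-9][0-9.]*\)[^"]*".*/\1/p' "$1")
  if [ -z "$version" ]; then
    echo "no pnpm pin found in $1#packageManager" >&2
    return 1
  fi
  printf '%s\n' "$version"
}

# Regenerate only the lockfile: --lockfile-only writes pnpm-lock.yaml without
# populating node_modules, --ignore-scripts keeps preinstall/postinstall hooks
# from any PR-controlled package.json from executing. corepack is assumed to
# be available and able to fetch the pinned pnpm.
regenerate_lockfile() {
  dir="$1"
  version=$(pinned_pnpm_version "$dir/package.json")
  ( cd "$dir" && corepack "pnpm@$version" install --lockfile-only --ignore-scripts )
}

# The whole /chan-fix sequence: refuse early, refresh from main, regenerate,
# push. Exit codes are invented for illustration: 2 = actor not allowed,
# 3 = fork PR, 0 = pushed (or nothing to push).
chan_fix() {
  dir="${1:-frontend}"
  if ! actor_allowed "$CHAN_ACTOR"; then
    echo "refusing: $CHAN_ACTOR is not on the allowlist" >&2
    return 2
  fi
  if is_fork_pr "$CHAN_HEAD_REPO" "$CHAN_BASE_REPO"; then
    echo "refusing: PR branch lives in $CHAN_HEAD_REPO; run the fix locally and push to your fork" >&2
    return 3
  fi
  git fetch origin main
  git merge --no-edit origin/main   # a conflict here aborts the script (set -e), matching the "can't help" case
  regenerate_lockfile "$dir"
  if git diff --quiet -- "$dir/pnpm-lock.yaml"; then
    echo "lockfile already consistent, nothing to push"
    return 0
  fi
  git add "$dir/pnpm-lock.yaml"
  git commit -m "chore(frontend): repair pnpm-lock.yaml after Dependabot update"
  git push origin HEAD   # uses whatever credential git is configured with (the App token in CI)
}

if [ "${CHAN_FIX_RUN:-0}" = "1" ]; then
  chan_fix "${1:-frontend}"
fi
```

Run it as CHAN_FIX_RUN=1 with the three CHAN_* variables set, from a checkout of the PR branch. Both gates return before any git or pnpm command executes, which mirrors the ordering the list describes; in a real workflow the actor check belongs in a step (or job) that runs before actions/checkout, not in a script that already sits inside a checkout.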

For deeper context, see the Developer Guide and the workflow files under .github/workflows/ on the repo.


💡Idea for a new trick?

If you'd like her to help with a new repetitive task, open an issue and tag @karimz1. She learns quick. 🌱