---
description: Instructions for fixing Dependabot PRs that update dependencies in generated workflow manifest files
disable-model-invocation: true
---

You are specialized in fixing Dependabot PRs for GitHub Agentic Workflows dependency manifests. Read the ENTIRE content of this file carefully before proceeding. Follow the instructions precisely.

# Fixing Dependabot PRs for Agentic Workflow Dependencies

> [!WARNING]
> Never merge a Dependabot PR that modifies generated files such as `.github/workflows/package.json`, `.github/workflows/requirements.txt`, or `.github/workflows/go.mod` directly. These files are produced by the `gh aw` compiler from the workflow `.md` sources, so a merged manifest change is silently reverted on the next compilation while the Dependabot PR stays closed and the old version quietly comes back.

## Background

The `gh aw compile --dependabot` command scans all agentic workflow files (`.github/workflows/*.md`) for runtime tool dependencies and generates manifest files:

| Manifest | Ecosystem | Full Path |
| --- | --- | --- |
| `package.json` / `package-lock.json` | npm | `.github/workflows/package.json` / `.github/workflows/package-lock.json` |
| `requirements.txt` | pip | `.github/workflows/requirements.txt` |
| `go.mod` | Go | `.github/workflows/go.mod` |

When Dependabot opens PRs to update these dependencies, the fix must be applied to the version pins in the source `.md` workflow files (and the shared configs they import), never to the generated manifests; the manifests are then regenerated from the updated sources.

## Fix Strategy: Bundle Multiple PRs

Rather than fixing Dependabot PRs one by one, bundle all pending fixes into a single commit:

  1. Find all open Dependabot PRs targeting the generated manifest files
  2. Identify the source .md files for each dependency
  3. Apply all version updates to the .md files in one pass
  4. Regenerate the manifests with a single gh aw compile --dependabot
  5. Commit and push — Dependabot will auto-close the resolved PRs

## Step-by-Step Instructions

### 1. List Open Dependabot PRs

Use GitHub tools to list all open Dependabot PRs:

```bash
gh pr list --author "app/dependabot" --state open
```

Filter for PRs affecting generated workflow manifests: the title usually reads `Bump <package> from <old> to <new> in /.github/workflows`, and the changed files include `.github/workflows/package.json`, `.github/workflows/package-lock.json`, `.github/workflows/requirements.txt`, or `.github/workflows/go.mod`. The default table output does not show files, so request them as JSON and filter on the path:

```bash
gh pr list --author "app/dependabot" --state open --json number,title,files \
  --jq '.[] | select(any(.files[]; .path | test("^\\.github/workflows/(package\\.json|package-lock\\.json|requirements\\.txt|go\\.mod)$"))) | "\(.number)\t\(.title)"'
```

Ignore Dependabot PRs against other manifests in the repository (for example a root `package.json`); those are not generated and can be reviewed and merged normally.

### 2. Identify Source `.md` Files

For each outdated dependency, find which workflow files (including shared configs) reference it:

```bash
# For npm packages (e.g., @playwright/test)
grep -r "@playwright/test" .github/workflows/*.md .github/workflows/shared/

# For pip packages (e.g., requests)
grep -r "requests==" .github/workflows/*.md .github/workflows/shared/

# For Go packages
grep -r "golang.org/x/tools" .github/workflows/*.md .github/workflows/shared/
```

### 3. Update Versions in `.md` Files

Edit the workflow files so every pin of the package uses the version proposed by the Dependabot PR, matching the version string exactly (the PR only auto-closes on an exact match):

```bash
# Example: Update @playwright/test from 1.41.0 to 1.42.0
# Find:    npx @playwright/test@1.41.0
# Replace: npx @playwright/test@1.42.0
```

For dependencies pinned in a shared MCP server configuration (for example an npm package launched with `npx` as an MCP server), update the shared config once rather than each workflow that imports it:

```bash
# Locate the shared MCP configuration
grep -r "@sentry/mcp-server" .github/workflows/shared/

# Update the version in the args array:
# args: ["@sentry/mcp-server@0.27.0"] → args: ["@sentry/mcp-server@0.29.0"]
```

### 4. Regenerate Manifests

After updating all `.md` files, regenerate the manifests:

```bash
gh aw compile --dependabot
```

This rewrites `.github/workflows/package.json`, `.github/workflows/requirements.txt`, and `.github/workflows/go.mod` from the versions now pinned in the `.md` files.

If `.github/workflows/package-lock.json` also needs updating, refresh the lockfile without installing anything:

```bash
cd .github/workflows && npm install --package-lock-only && cd -
```

### 5. Verify and Commit

```bash
# Review the changes: only the bumped packages should differ in the manifests and lockfile
git diff .github/workflows/

# Stage and commit all dependency updates together
git add .github/workflows/ .github/aw/
git commit -m "chore: bundle dependabot dependency updates"
git push
```

Listing the bundled Dependabot PR numbers in the commit body keeps the trail from each closed PR to the commit that resolved it. Once the push lands on the default branch, Dependabot automatically closes every PR whose proposed version now matches the committed manifest.
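The five steps above, run end to end on constructed input, as an added example that is not part of the gh-aw project or its compiler. It parses the standard single-package Dependabot title form `Bump <pkg> from <old> to <new> in <dir>` into a bundle plan, then rewrites the matching pins in the workflow `.md` files with a fixed-string replace that refuses to touch a longer version string merely starting with the old one (so `1.41.0` never rewrites `1.41.01` or `1.41.0-beta`, the mismatch the troubleshooting table warns about). The pin shapes it assumes are `<pkg>@<ver>` for npm, `<pkg>==<ver>` for pip and `<module> v<ver>` for Go; grouped Dependabot titles (`Bump the npm_and_yarn group ...`) are deliberately skipped because their individual bumps are only in the PR body. The `gh aw compile --dependabot` and `git` steps are left to the real tools.

```bash
#!/bin/sh
# Added example, not code from the gh-aw project: turn open Dependabot PR titles into
# version bumps and apply them to the source .md workflow files in one pass.
# Assumed pin shapes: <pkg>@<ver> (npm), <pkg>==<ver> (pip), "<module> v<ver>" (Go).
set -eu

# parse_bump_title TITLE -> "pkg old new" on stdout; non-zero for anything else,
# including grouped-update titles ("Bump the npm_and_yarn group ..."), whose
# individual bumps are listed in the PR body and need manual handling.
parse_bump_title() {
  set -- $1                      # word-split the title on purpose
  [ "$#" -ge 6 ] || return 1
  [ "$1" = Bump ] && [ "$3" = from ] && [ "$5" = to ] || return 1
  printf '%s %s %s\n' "$2" "$4" "$6"
}

# plan_bundle < TITLES -> one "pkg old new" line per bump title; other PRs are skipped.
plan_bundle() {
  local title parsed
  while IFS= read -r title; do
    if parsed=$(parse_bump_title "$title"); then printf '%s\n' "$parsed"; fi
  done
}

# pin_separator ECOSYSTEM -> the text between package name and version in a pin.
pin_separator() {
  case $1 in
    npm) printf '@' ;;
    pip) printf '==' ;;
    go)  printf ' v' ;;          # go.mod style: "golang.org/x/tools v0.19.0"
    *)   return 1 ;;
  esac
}

# bump_pins ECOSYSTEM PKG OLD NEW FILE... -> rewrites each exact "<pkg><sep><old>" pin to
# NEW and prints the number of files actually changed. Matching is fixed-string (no regex
# surprises from "@scope/pkg" or dots), and a pin whose version merely starts with OLD
# (1.41.01, 1.41.0-beta) is left alone.
bump_pins() {
  local eco=$1 pkg=$2 old=$3 new=$4
  shift 4
  local sep changed=0 f
  sep=$(pin_separator "$eco")
  for f in "$@"; do
    grep -qF -- "${pkg}${sep}${old}" "$f" || continue
    awk -v from="${pkg}${sep}${old}" -v to="${pkg}${sep}${new}" '
      {
        out = ""; s = $0
        while ((i = index(s, from)) > 0) {
          rest = substr(s, i + length(from))
          if (substr(rest, 1, 1) ~ /[0-9A-Za-z.-]/) out = out substr(s, 1, i + length(from) - 1)
          else                                       out = out substr(s, 1, i - 1) to
          s = rest
        }
        print out s
      }' "$f" > "$f.tmp"
    if cmp -s "$f" "$f.tmp"; then rm "$f.tmp"; else mv "$f.tmp" "$f"; changed=$((changed + 1)); fi
  done
  printf '%d\n' "$changed"
}

# demo: constructed workflow files and PR titles, not taken from any real repository.
demo() {
  dir=$(mktemp -d)
  printf 'engine: copilot\ntools:\n  run: npx @playwright/test@1.41.0 --reporter=list\n' > "$dir/e2e.md"
  printf 'mcp-servers:\n  sentry:\n    args: ["@sentry/mcp-server@0.27.0"]\n' > "$dir/sentry.md"
  printf '%s\n' \
    'Bump @playwright/test from 1.41.0 to 1.42.0 in /.github/workflows' \
    'Bump @sentry/mcp-server from 0.27.0 to 0.29.0 in /.github/workflows' \
    'Bump the npm_and_yarn group across 1 directory with 2 updates' \
  | plan_bundle | while read -r pkg old new; do
      bump_pins npm "$pkg" "$old" "$new" "$dir"/*.md >/dev/null
    done
  grep -h '@' "$dir"/*.md        # both pins now carry the new versions
  rm -r "$dir"
}

case ${1:-} in demo) demo ;; esac
```

Run it as `sh bundle.sh demo` to see the constructed files rewritten, or source it and pipe the titles from the `gh pr list --json` query into `plan_bundle` and the result into `bump_pins ... .github/workflows/*.md .github/workflows/shared/*.md`, then continue with `gh aw compile --dependabot` and the commit.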

## Bundling Decision Guide

Bundle multiple PRs when:

  • ✅ Multiple Dependabot PRs target the same ecosystem (npm, pip, Go)
  • ✅ PRs affect different workflows but update the same package
  • ✅ All updates are minor or patch version bumps (low breaking-change risk)

Handle separately when:

  • ⚠️ A PR involves a major version bump with potential breaking changes
  • ⚠️ Different teams own different workflows with separate review requirements
  • ⚠️ A PR fixes a Dependabot security alert: land that bump first, on its own, rather than holding it until the rest of the bundle is ready

## Troubleshooting

| Issue | Solution |
| --- | --- |
| `.github/workflows/package-lock.json` not updated | Run `cd .github/workflows && npm install --package-lock-only` after compilation |
| Dependency not found in `.md` files | Check shared MCP configs in `.github/workflows/shared/` |
| Compilation fails after version update | Check whether the new version has breaking API changes |
| Dependabot PR not auto-closing | Dependabot only closes the PR once the default branch carries the exact version it proposes: compare the version strings character by character (including pre-release suffixes such as `-beta.1`), and confirm the regenerated manifests were pushed, not only the `.md` files |

## Dismissed Dependabot Alerts and VEX

When a Dependabot security alert is dismissed with a substantive security reason (`not_used`, `inaccurate`, or `tolerable_risk`), consider generating a VEX (Vulnerability Exploitability eXchange) statement that records the assessment as a machine-readable OpenVEX v0.2.0 document in `.vex/<ghsa-id>.json`. Alerts dismissed as `no_bandwidth` do not represent a security decision and must not produce a VEX statement, since a VEX `not_affected` claim would assert an analysis that was never made.

Learn about the OpenVEX format, purl construction, and dismissal-to-justification mappings from openvex.dev before generating statements.
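The skeleton of that document, as an added example that is not part of the gh-aw project: it builds the product purl for the three ecosystems the manifests cover (the npm scope `@` is percent-encoded as `%40`, as the purl spec requires), refuses to write anything for a `no_bandwidth` dismissal, and emits an OpenVEX v0.2.0 `not_affected` statement otherwise. The dismissal-reason-to-justification table inside it is an assumption for illustration only and must be checked against the openvex.dev mapping before use; the `@id` URL, the author string and the `GHSA-xxxx-xxxx-xxxx` identifier are placeholders.

```bash
#!/bin/sh
# Added example (not from the gh-aw project): emit an OpenVEX v0.2.0 document for a
# dismissed Dependabot alert, or refuse when the dismissal is not a security decision.
set -eu

# purl_for ECOSYSTEM PKG VERSION -> package URL; an npm scope "@" becomes "%40" per the purl spec.
purl_for() {
  case $1 in
    npm) printf 'pkg:npm/%s@%s\n' "$(printf '%s' "$2" | sed 's/^@/%40/')" "$3" ;;
    pip) printf 'pkg:pypi/%s@%s\n' "$2" "$3" ;;
    go)  printf 'pkg:golang/%s@%s\n' "$2" "$3" ;;
    *)   return 1 ;;
  esac
}

# justification_for DISMISSAL_REASON -> OpenVEX justification, or failure when the reason
# is not a security assessment. ASSUMED mapping for illustration: confirm it against the
# openvex.dev dismissal-to-justification table before relying on it.
justification_for() {
  case $1 in
    not_used)       printf 'vulnerable_code_not_in_execute_path\n' ;;
    inaccurate)     printf 'vulnerable_code_not_present\n' ;;
    tolerable_risk) printf 'inline_mitigations_already_exist\n' ;;
    no_bandwidth)   return 1 ;;   # nobody analysed the alert: no VEX statement
    *)              return 1 ;;
  esac
}

# vex_document GHSA PURL JUSTIFICATION AUTHOR TIMESTAMP -> OpenVEX v0.2.0 JSON on stdout.
# The @id is a placeholder namespace; use a URL you control.
vex_document() {
  cat <<EOF
{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.invalid/vex/$1",
  "author": "$4",
  "timestamp": "$5",
  "version": 1,
  "statements": [
    {
      "vulnerability": { "name": "$1" },
      "products": [ { "@id": "$2" } ],
      "status": "not_affected",
      "justification": "$3"
    }
  ]
}
EOF
}

# write_vex GHSA ECOSYSTEM PKG VERSION REASON OUTDIR -> writes OUTDIR/<ghsa>.json and prints
# its path; exits non-zero and writes nothing when REASON is not a security decision.
write_vex() {
  local just purl
  just=$(justification_for "$5") || return 1
  purl=$(purl_for "$2" "$3" "$4")
  vex_document "$1" "$purl" "$just" "dependabot-fixer" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" > "$6/$1.json"
  printf '%s\n' "$6/$1.json"
}
```

Calling `write_vex GHSA-xxxx-xxxx-xxxx npm @sentry/mcp-server 0.27.0 not_used .vex` writes `.vex/GHSA-xxxx-xxxx-xxxx.json`; the same call with `no_bandwidth` exits 1 and leaves `.vex/` untouched, which is the behaviour the section above requires.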

## Related Documentation

  • Dependabot Support — Full reference for gh aw compile --dependabot
  • OpenVEX Specification — VEX standard for vulnerability exploitability exchange
  • Local copy: @.github/aw/github-agentic-workflows.md