From 0bda59950d2889250e2bb24a10c22f132d2a1ebf Mon Sep 17 00:00:00 2001
From: "Elias W. BA" <eliaswalyba@gmail.com>
Date: Fri, 15 May 2026 13:40:59 +0000
Subject: [PATCH] Move @openfn/cli pin into package.json and loosen brittle
 test assertions

Three orthogonal hygiene fixes:

  * `.github/dependabot.yml`: the existing `/assets` entry was set to
    `ecosystem: "mix"`, which silently matched nothing. Fix it to `npm`
    and scope to `@openfn/*` so Dependabot opens a daily auto-PR when
    either package ships a release.
  * `assets/package.json` + `lib/mix/tasks/install_runtime.ex`: move
    the `@cli_version` constant out of Elixir source and into
    `package.json` as a regular devDependency. The Mix task reads the
    pin at compile time via `File.read!` + `Jason.decode!`, with
    `@external_resource` so recompiles trip on JSON changes. Single
    source of truth for both pins; Dependabot can track the CLI now.
  * `test/integration/web_and_worker_test.exs`: the version assertions
    pinned exact builds for `language-http`, `worker`, `node.js`, and
    `language-common`. Each new upstream release turned the test red
    for reasons unrelated to Lightning. Loosen to `\d+\.\d+`.
---
 .github/dependabot.yml                   | 16 ++++++++--------
 assets/package.json                      |  1 +
 lib/mix/tasks/install_runtime.ex         | 13 ++++++++++++-
 test/integration/web_and_worker_test.exs |  9 +++++----
 4 files changed, 26 insertions(+), 13 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 28d52a17e6f..cae9728ffb6 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -5,19 +5,19 @@
 
 version: 2
 updates:
-  - package-ecosystem: "mix" # See documentation for possible values
-    directory: "/" # Location of package manifests
+  - package-ecosystem: "mix"
+    directory: "/"
     schedule:
       interval: "weekly"
-      
-  - package-ecosystem: "mix"
-    # Workflow files stored in the default location of `.github/workflows`. (You don't need to specify `/.github/workflows` for `directory`. You can use `directory: "/"`.)
+
+  - package-ecosystem: "npm"
     directory: "/assets"
     schedule:
-      interval: "weekly"  
-      
+      interval: "daily"
+    allow:
+      - dependency-name: "@openfn/*"
+
   - package-ecosystem: "github-actions"
-    # Workflow files stored in the default location of `.github/workflows`. (You don't need to specify `/.github/workflows` for `directory`. You can use `directory: "/"`.)
     directory: "/"
     schedule:
       interval: "weekly"
diff --git a/assets/package.json b/assets/package.json
index bc6cd113127..7a55dea4f58 100644
--- a/assets/package.json
+++ b/assets/package.json
@@ -69,6 +69,7 @@
   "devDependencies": {
     "@eslint-community/eslint-plugin-eslint-comments": "^4.4.1",
     "@eslint/js": "^9.21.0",
+    "@openfn/cli": "1.35.3",
     "@openfn/ws-worker": "^1.25.0",
     "@playwright/test": "^1.55.0",
     "@redux-devtools/extension": "^3.3.0",
diff --git a/lib/mix/tasks/install_runtime.ex b/lib/mix/tasks/install_runtime.ex
index 9b5ce108388..23aa371c8af 100644
--- a/lib/mix/tasks/install_runtime.ex
+++ b/lib/mix/tasks/install_runtime.ex
@@ -11,7 +11,18 @@ defmodule Mix.Tasks.Lightning.InstallRuntime do
   use Mix.Task
 
   @default_path "priv/openfn"
-  @cli_version "1.35.3"
+
+  # Single source of truth for the `@openfn/cli` version: `assets/package.json`.
+  # Putting it there lets Dependabot track it like any other npm dependency
+  # and open bump PRs when a new release ships.
+  @package_json Path.expand("../../../assets/package.json", __DIR__)
+  @external_resource @package_json
+  @cli_version @package_json
+               |> File.read!()
+               |> Jason.decode!()
+               |> get_in(["devDependencies", "@openfn/cli"])
+               |> String.trim_leading("^")
+               |> String.trim_leading("~")
 
   def run(args) do
     case Rambo.run("/usr/bin/env", ~w(which node)) do
diff --git a/test/integration/web_and_worker_test.exs b/test/integration/web_and_worker_test.exs
index 58e50eb6e9f..cafc600335c 100644
--- a/test/integration/web_and_worker_test.exs
+++ b/test/integration/web_and_worker_test.exs
@@ -267,10 +267,11 @@ defmodule Lightning.WebAndWorkerTest do
       end
 
       version_logs = pick_out_version_logs(run)
-      assert version_logs["@openfn/language-http"] =~ "3.1.12"
-      assert version_logs["worker"] =~ "1.25"
-      assert version_logs["node.js"] =~ "22.12"
-      assert version_logs["@openfn/language-common"] == "3.0.2"
+
+      for key <- ~w(@openfn/language-http worker node.js @openfn/language-common) do
+        assert version_logs[key] =~ ~r/\d+\.\d+/,
+               "expected #{key} log line to contain a version, got #{inspect(version_logs[key])}"
+      end
 
       [step_1, step_2, step_3, step_4] = run.steps