Bump @department-of-veterans-affairs/css-library from 0.7.0 to 0.8.4 in /packages/tokens

[dependabot]

Description

• Bumps @department-of-veterans-affairs/css-library from 0.7.0 to 0.8.4
• Adds new compare-tokens.yml which:
  • Runs on the creation of dependabot PRs for css-library
  • Run yarn install and commits yarn.lock (dependabot does not do this automatically if not running at the root level of a monorepo)
  • Compares the generated color tokens with updated css-library vs main branch to see if there have been any changes to the color tokens (additions/edits)
  • Sends slack notification to #va-mobile-library-alerts channel

Screenshots

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[TimRoe]

Looks good, but did have one bigger picture question before letting it move along: should the workflow automatically close the Dependabot PR if there's no change in tokens?

Looks like in the PR description Dependabot commands and options dropdown we could append a comment to close the PR if there's no diffs and it wouldn't come back until the next version. Seems like we'd prefer to keep it on the last version it was tested and known to be working on since that would require no validation while conceivably (if unlikely) an update could break due to other things unrelated to tokens happening in the css-library.

Thoughts? I can't think of harm in auto-closing the PR with the action if the tokens didn't change. We could still manually bump it periodically as part of routine dependency updates where we are validating things still behave as expected.

[timwright12]

@TimRoe good question, but let's take it into Slack to unblock the work unless you're requesting changes to the PR. If we think closing the PR should be a best practice, let's spin up a separate work stream and document it

[TimRoe]

@TimRoe good question, but let's take it into Slack to unblock the work unless you're requesting changes to the PR. If we think closing the PR should be a best practice, let's spin up a separate work stream and document it

I am tentatively requesting changes to the PR: checking if Narin agrees with the idea and, if so, proposing the workflow be expanded to close out css-library Dependabot PRs containing no relevant changes so we automatically shuffle them into the void if they don't do anything except potentially break the tokens package if something weird happened between the css-library and how it behaves within our tokens package (and then components package and then flagship).

Not sure what you mean by best practice. This workflow is being added for one specific situation, not commenting at all on dependabot PRs generally. css-library is a special case because no one else is using it how we are, unlike most packages that are used publicly and broadly.

[timwright12]

@TimRoe let's just try and have these longer form back and forth conversations in Slack unless you're fully requesting a change so we don't scope creep small PRs

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

[narin]

@TimRoe Separated git credentials into its own step. Auto-close the PR if there are no changes detected.

[TimRoe]

Approved. Good to see it was straightforward to auto-close, hopefully saves us time with likely relatively few VADS changes touching the tokens.