Skip to content

Add Dependabot for automated dependency and GitHub Actions updates#59

Merged
nojibe merged 1 commit into
mainfrom
ken/prdeng-12-add-dependabot-for-automated-dependency-and-github-actions
Jul 18, 2026
Merged

Add Dependabot for automated dependency and GitHub Actions updates#59
nojibe merged 1 commit into
mainfrom
ken/prdeng-12-add-dependabot-for-automated-dependency-and-github-actions

Conversation

@nojibe

@nojibe nojibe commented Jul 18, 2026

Copy link
Copy Markdown
Contributor

Summary

Adds .github/dependabot.yml so dependency and GitHub Actions version drift gets an automated update path.

Linear: PRDENG-12
Closes #34

What's configured

  • npm ecosystem (covers package.json + pnpm-lock.yaml): weekly on Mondays, minor/patch bumps grouped into two PRs (production and development), majors as individual PRs, open-PR limit of 5, dependencies label, chore(deps) / chore(deps-dev) commit prefixes.
  • github-actions ecosystem: weekly, all action bumps grouped into one PR, open-PR limit of 3, dependencies + ci labels. The two current workflows only use run: steps, so this is dormant until marketplace actions are introduced (e.g. by the CI hardening work).

Notes

  • The reviewers key in dependabot.yml is deprecated by GitHub; a CODEOWNERS file is the supported way to auto-request review on Dependabot PRs if we want that.
  • Dependabot alerts were already enabled on the repo; automated security update PRs are a repo setting (not part of this file) and are being enabled alongside this PR.
  • Main currently has 16 open Dependabot alerts (3 critical, 4 high), so expect an initial burst of security PRs once enabled.

🤖 Generated with Claude Code

@claude claude Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review for a one-time review, or @claude review always to subscribe this PR to a review on every future push.

Tip: disable this comment in your organization's Code Review settings.

@railway-app
railway-app Bot temporarily deployed to weval / app-pr-59 July 18, 2026 00:55 Destroyed
Weekly schedule with grouped minor/patch updates (separate production
and development groups); major bumps arrive as individual PRs.
Open-PR limits and labels keep the queue manageable.

Closes #34

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@nojibe
nojibe force-pushed the ken/prdeng-12-add-dependabot-for-automated-dependency-and-github-actions branch from daec9db to 825ee79 Compare July 18, 2026 01:01
@railway-app
railway-app Bot temporarily deployed to weval / app-pr-59 July 18, 2026 01:01 Destroyed
@railway-app

railway-app Bot commented Jul 18, 2026

Copy link
Copy Markdown
Contributor

🚅 Deployed to the app-pr-59 environment in weval

Service Status Web Updated (UTC)
weval-app 🕒 Building (View Logs) Web Jul 18, 2026 at 1:01 am

@nojibe
nojibe merged commit 05aef9b into main Jul 18, 2026
1 of 2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Add Dependabot for automated dependency and GitHub Actions updates

1 participant