chore(ci): add dependabot config for automated dependency updates #21
jmeridth wants to merge 2 commits into
What/Why
Enable Dependabot to automatically open PRs for outdated dependencies across all ecosystems in the repo: cargo, uv, github-actions, and docker (lore-server, lore-revision).
Proof it works
YAML validates cleanly. Dependabot will pick up the config on merge and begin scanning on its weekly schedule.
Risk + AI role
Low -- config-only addition, no code changes. AI-generated (Claude Opus 4.6, claude-opus-4-6), human-reviewed.
Review focus
Confirm the grouped minor+patch strategy is appropriate and that no ecosystems were missed. The labels (rust, python, github_actions, docker, dependencies) must exist in the repo or be created before merge, otherwise Dependabot PRs will fail to apply them.
Signed-off-by: jmeridth <jmeridth@gmail.com>
Hi, thanks for the contribution @jmeridth. We check Rust dependencies in our internal CI with
UPDATE: DONE
We could remove the cargo ecosystem from the file and leave a comment for that. Up to y'all. Are the other bits valid? (GitHub Actions, uv (Python), Docker)
## What/Why
Remove the cargo package ecosystem from the dependabot configuration per PR review feedback (EpicGames#21).
## Proof it works
YAML-only change; validated structure manually. Remaining ecosystems (uv, github-actions, docker) are unchanged.
## Risk + AI role
Low -- config removal only. AI-assisted (Claude Opus 4.6) for the edit.
## Review focus
Confirm cargo removal aligns with upstream maintainer intent.
Signed-off-by: jmeridth <jmeridth@gmail.com>
ragnarula
left a comment
I'm happy to give this a go, we've been watching our Rust dependencies but not so much other things so seems like a valuable tool.
If you wouldn't mind, could you:
- Run this on your fork to prove it runs cleanly and also any updates it picks up don't immediately bring in breaking changes
- Rebase/merge main to pick up our latest PR checks
If that's all good I'm happy to take it once our merge flow comes online.
Left a comment about the mysterious docker file, if that gets removed before this merges let's remove that section too.
| - "minor" | ||
| - "patch" | ||
| - package-ecosystem: "docker" | ||
| directory: "/lore-revision" |
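Review bot: the docker entry at `directory: "/lore-revision"` only has something to scan if a Dockerfile lives in that directory, so confirm the file has a consumer before merging and, if it is removed, drop this entry in the same change. The lines visible here also carry no comment saying what the entry covers; a one-line YAML comment naming what it tracks would make it easier to judge later whether the entry is still needed.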
Seeing this actually brought to my attention this docker file exists. I'm not sure why it's here or what's using it, if I can't find a consumer I'll probably remove it so probably should remove this too.
Merged to my fork's main branch.
Enabled dependabot and ran the checks.
The Actions updates would be solved by my other PR.


What/Why
Add Dependabot configuration to automate dependency update PRs across ecosystems in the repo: uv (Python), github-actions, and docker (lore-server, lore-revision). Cargo was excluded per maintainer feedback.
Proof it works
YAML validates cleanly. Dependabot will pick up the config on merge and begin scanning on its weekly schedule.
Risk + AI role
Low -- config-only addition, no code changes. AI-assisted (Claude Opus 4.6).
Review focus