From b0f4cf5a6b0a505af5e5423a10c5cea556456884 Mon Sep 17 00:00:00 2001 From: Dan Ratner Date: Tue, 19 May 2026 11:43:02 -0500 Subject: [PATCH] chore(dependabot): ignore LLM provider SDKs (now owned by maestro-llms) Post maestro-llms cut-over, anthropic-sdk-go / openai-go / genai are indirect deps with zero direct imports in Maestro; their versions are pinned and CI-validated by maestro-llms. Bumping them in Maestro's go.mod only forces an untested transitive version under the toolkit. Ignore them here so dependabot stops generating misdirected PRs; the bump that matters (github.com/SnapdragonPartners/maestro-llms) is still tracked. Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/dependabot.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 0cc29339..5273f465 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -5,6 +5,17 @@ updates:
 schedule:
 interval: "weekly"
 open-pull-requests-limit: 5
+ # LLM provider SDKs are now indirect deps owned by maestro-llms (the
+ # cut-over removed all direct imports). Their versions are pinned by
+ # maestro-llms's own go.mod and validated by its CI; bumping them here
+ # would only force an untested transitive version under the toolkit.
+ # Bump them in the maestro-llms repo instead — Maestro inherits via the
+ # (still dependabot-tracked) maestro-llms dependency. These churn often,
+ # which was a motivation for the extraction.
+ ignore:
+ - dependency-name: "github.com/anthropics/anthropic-sdk-go"
+ - dependency-name: "github.com/openai/openai-go"
+ - dependency-name: "google.golang.org/genai"
 - package-ecosystem: "github-actions"
 directory: "/"
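Review bot: The three `ignore` entries name the modules without a `versions` or `update-types` qualifier, so Dependabot stops proposing any update for them in this repository, and the added comment does not say how a vulnerability fix in one of these SDKs would reach Maestro. As far as I know, a name-only ignore can also suppress Dependabot security-update pull requests, not only version updates; that is worth confirming against the Dependabot documentation before relying on it. If so, a maestro-llms bump becomes the only patch route, and it depends on that repository tracking advisories for these modules, which is not visible from this patch. I would extend the comment with `# Security fixes for these SDKs also arrive only via a maestro-llms bump; confirm that repo tracks advisories for them.`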