chore: enable dependabot config #17561
Open
dmcilvaney wants to merge 4 commits into
Pull request overview
Adds a Dependabot configuration to keep Python tooling dependencies (pip) and GitHub Actions used by workflows up to date on a weekly cadence.
Changes:
- Configures pip ecosystem updates for `requirements.txt` files under `.github/workflows/scripts/*` and `/scripts/*` using globbing-capable `directories`.
- Configures `github-actions` ecosystem updates at repo root, grouping all actions updates into a single PR via the `actions` group.
- Sets weekly schedule, PR limit of 5, and applies `dependencies` plus ecosystem-specific labels.
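A dependabot.yml that matches what the overview above describes, in the final layout the later commits settle on (helper scripts relocated under scripts/, one recursive /scripts/** glob, a cooldown, and all Python bumps grouped into one PR). This is an added example reconstructed from the descriptions on this page, not the file from the PR itself; the group name python-tooling, the cooldown length and the exact label names are assumptions.

```yaml
# .github/dependabot.yml (example reconstructed from the PR description; not the PR's own file)
version: 2
updates:
  # Python helper-script dependencies. A glob in `directories` lets one entry cover
  # every requirements.txt under scripts/ (e.g. scripts/ci/control-tower,
  # scripts/ci/spec-review, scripts/mcps). Paths under .github/ are deliberately
  # not listed: the pip updater cannot open PRs that touch that tree.
  - package-ecosystem: "pip"
    directories:
      - "/scripts/**"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
    # Wait before proposing a newly published release, so a bad or yanked
    # release is usually caught upstream first. 7 days is an assumed value.
    cooldown:
      default-days: 7
    # One PR for all Python tooling bumps instead of one PR per package.
    groups:
      python-tooling:            # group name is an assumption
        patterns:
          - "*"
    labels:
      - "dependencies"
      - "python"                 # ecosystem-specific label; name is an assumption

  # Actions referenced by the workflows themselves. This is the only ecosystem
  # allowed to modify files under .github/workflows.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
    groups:
      actions:
        patterns:
          - "*"
    labels:
      - "dependencies"
      - "github-actions"         # ecosystem-specific label; name is an assumption
```

Two checks worth running after adding this: confirm in the repository's Dependabot logs (Insights, Dependency graph, Dependabot) that the pip entry actually discovers each requirements.txt the glob is meant to cover, since a glob that matches nothing fails silently; and keep the pins that the later commit introduces, because Dependabot only proposes a concrete bump when it has a concrete baseline version to bump from.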
747a373 to c24f72d
Dependabot's pip updater cannot open PRs that modify any file under .github/ (only the github-actions ecosystem is granted that scope), so requirements.txt under .github/workflows/scripts/ could never be auto-updated. Relocate the helper-scripts subtree to top-level scripts/ci/ — linted (ruff/pyright scan scripts/) and writable by Dependabot. Pure rename; reference updates follow.
1216089 to 073ca27
Update all callers, dependabot.yml, and instruction docs to the new
scripts/ci/ location. dependabot pip ecosystem uses a single recursive
/scripts/** glob covering scripts/ci/{control-tower,spec-review} and
scripts/mcps. Add cooldown (delay new releases to catch bad ones) and
group all python tooling bumps into one PR.
Pin the previously-loose pip deps (pydantic==2.13.4, mcp==1.27.2, python-dotenv==1.2.2) so Dependabot bumps from a concrete baseline. Add a Dependency Smoke Test workflow that installs each requirements.txt in a clean venv, py_compiles the scripts, and imports them to catch a bad bump (or new python) breaking the helper scripts. Triggers on requirements.txt and *.py changes under scripts/.
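The smoke-test workflow described above, written out as an added example (not the workflow from the PR): for every requirements.txt under scripts/ it builds a fresh venv, installs the pinned requirements, byte-compiles the scripts in that directory and imports each one, so a Dependabot bump that removes a symbol or breaks on the runner's Python fails the check. The workflow name, the branch name main, the Python version and the step layout are assumptions.

```yaml
# .github/workflows/dependency-smoke-test.yml (example; not the PR's own workflow)
name: Dependency Smoke Test

on:
  pull_request:
    paths:
      - "scripts/**/requirements.txt"
      - "scripts/**/*.py"
  push:
    branches: [main]             # branch name is an assumption
    paths:
      - "scripts/**/requirements.txt"
      - "scripts/**/*.py"

# Read-only token: this job only needs to check out the tree.
permissions:
  contents: read

jobs:
  smoke:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"   # assumed; the point is to catch a new interpreter breaking the scripts
      - name: Install, compile and import each helper-script tree
        shell: bash
        run: |
          set -euo pipefail
          shopt -s nullglob
          status=0
          # One clean venv per requirements.txt, so a dependency pulled in by one
          # tree cannot accidentally satisfy an import in another.
          while IFS= read -r req; do
            dir=$(dirname "$req")
            venv="$RUNNER_TEMP/venv-${dir//\//_}"
            echo "== $dir"
            python -m venv "$venv"
            "$venv/bin/pip" install --quiet --no-cache-dir -r "$req"
            # Syntax check: catches scripts that no longer parse on this Python.
            "$venv/bin/python" -m py_compile "$dir"/*.py
            # Import check: catches a bump that renamed or removed something the script uses.
            for f in "$dir"/*.py; do
              mod=$(basename "$f" .py)
              if ! ( cd "$dir" && "$venv/bin/python" -c "import $mod" ); then
                echo "::error file=$f::import $mod failed"
                status=1
              fi
            done
          done < <(find scripts -name requirements.txt -type f | sort)
          exit "$status"
```

Two caveats when adopting this pattern. Importing a script runs its top-level code, so each helper needs its entry point behind an `if __name__ == "__main__":` guard or the import step will execute it. And version pins establish a baseline but do not verify what pip downloads; if integrity matters, generate hashes (for example with pip-compile --generate-hashes) and install with `--require-hashes` so a substituted package with the same version string fails the install rather than the smoke test.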
073ca27 to d02a2ba
dependabot doesn't like to make changes to sensitive folders (.github/workflows for example). Move the scripts out of that part of the tree into the general scripts folder.
Also add version pins to all current deps and add a basic smoke test to ensure updates don't obviously break things.