dependabot.yml
46 lines (42 loc) · 1.67 KB
# Dependabot configuration file
# Enables automated dependency updates for pip (individual PRs) and GitHub Actions (grouped PR).
# Full documentation: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
version: 2
updates:
  # Pip dependencies from pyproject.toml ([project].dependencies and [dependency-groups])
  - package-ecosystem: "pip"
    directory: "/"
    target-branch: "main"
    schedule:
      interval: "weekly"
      # day: "monday"  # Optional: restrict runs to a specific weekday
    open-pull-requests-limit: 5  # Limit the number of open PRs
    rebase-strategy: "auto"  # Options: auto (default), disabled
    labels:
      - "dependencies"
    versioning-strategy: "increase"  # lockfile-only, increase, increase-if-necessary
    # Useful: ignore outdated/unwanted packages
    # ignore:
    #   - dependency-name: "legacy-package"
    # Useful: periodically update the lockfile even without dependency changes (requires a lockfile)
    # lockfile-maintenance:
    #   enabled: true
  # GitHub Actions in .github/workflows/*.yml
  - package-ecosystem: "github-actions"
    directory: "/"  # Root; scans the workflow files under .github/workflows/
    target-branch: "main"
    schedule:
      interval: "monthly"
      # day: "monday"
    open-pull-requests-limit: 5
    rebase-strategy: "auto"
    labels:
      - "CI"
    groups:
      gha-updates:
        patterns:
          - "*"  # Groups ALL GitHub Actions updates into a single PR
# Additional notes:
# - Pip updates: individual PRs per package (no group).
# - Reviews: uses .github/CODEOWNERS automatically.
# - Automerge: enable via branch protection rules or 'automerge: true' (experimental).