Summary
Set up Dependabot in this repository so dependency and GitHub Actions updates are created automatically via pull requests.
Why
- Improve security posture by receiving timely dependency updates.
- Reduce manual maintenance burden for Rust and Python plugin packages.
- Keep CI workflows up to date.
Scope
Add .github/dependabot.yml configured for:
- github-actions (repository workflows)
- cargo (root and plugin/crate manifests)
- pip (Python plugin package dependencies)
Proposed Configuration
- Run schedule: weekly
- Group minor/patch updates where practical to reduce PR noise
- Use sensible PR limits (e.g., max 5 open PRs per ecosystem)
- Add labels such as dependencies and security
- Assign reviewers/team if repository policy requires it
Acceptance Criteria
- A valid .github/dependabot.yml is present on main.
- Dependabot is enabled for github-actions, cargo, and pip.
- At least one Dependabot PR is opened successfully after merge.
- CI passes for Dependabot-generated PRs, or documented follow-up issues are created.
Notes
Repository is a monorepo with multiple independent plugin packages (Rust and Python), so directory coverage in dependabot.yml should include all relevant manifests.
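The following is an added example of what the Proposed Configuration and the monorepo note above translate to in a .github/dependabot.yml; it is not a file from this repository. The plugin directories (/plugins/example-rust-plugin, /plugins/example-python-plugin) are placeholders and must be replaced with the directories that actually contain a Cargo.toml or a requirements.txt / pyproject.toml.

```yaml
# Added example of the proposed .github/dependabot.yml, not the repository's
# own file. Plugin paths are placeholders; replace them with the real manifest
# directories. One entry per manifest directory is the safe default.
version: 2
updates:
  # Workflow files under .github/workflows. Dependabot also updates
  # SHA-pinned action references, so pinning actions to a commit stays
  # maintainable.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
      - "security"
    groups:
      actions-minor-patch:
        update-types:
          - "minor"
          - "patch"

  # Root Cargo manifest (workspace root). Workspace members sharing the root
  # Cargo.lock are covered by this entry.
  - package-ecosystem: "cargo"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
      - "security"
    groups:
      cargo-minor-patch:
        update-types:
          - "minor"
          - "patch"

  # A Rust plugin crate that keeps its own Cargo.lock (placeholder path).
  - package-ecosystem: "cargo"
    directory: "/plugins/example-rust-plugin"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
      - "security"
    groups:
      plugin-cargo-minor-patch:
        update-types:
          - "minor"
          - "patch"

  # A Python plugin package (placeholder path). Dependabot reads
  # requirements*.txt, pyproject.toml, Pipfile and similar in this directory.
  - package-ecosystem: "pip"
    directory: "/plugins/example-python-plugin"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
      - "security"
    groups:
      pip-minor-patch:
        update-types:
          - "minor"
          - "patch"
    # Uncomment if repository policy requires an owning team on every PR:
    # reviewers:
    #   - "org/plugin-maintainers"
```

Two caveats when adopting this: the grouping keys off SemVer labels, and Cargo treats a change in the second component of a 0.x version as potentially breaking, so grouped Rust PRs still need CI to pass before merge, which is exactly what the acceptance criteria require. Also, this file only controls version updates; Dependabot security updates (PRs raised from Dependabot alerts) are enabled separately in the repository's security settings and are not configured here.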