fix: tune Dependabot config and fix DCO assistant bugs (#534)

* fix: restrict Dependabot pip updates to security-only

The Dependabot config added in #517 included weekly version-bump PRs for
all three pip packages. This would generate noisy PRs for routine dep
updates we don't need. Set open-pull-requests-limit: 0 on the pip
ecosystems so only CVE-triggered security updates open PRs.

GitHub Actions weekly bumps are kept as-is to keep SHA pins current.

* fix: group Dependabot Actions PRs and fix DCO allowlist

- Add a Dependabot group to bundle all GitHub Actions updates into a
  single weekly PR instead of one per action
- Fix DCO allowlist: dependabot -> dependabot[bot] to match the actual
  GitHub username (the old value never matched, but there were no
  Dependabot PRs before #517 to expose the bug)

* fix: align DCO assistant if-condition with custom sign-off text

The step's if-condition checked for the default sign-off text but
custom-pr-sign-comment uses different wording. This meant the
issue_comment trigger was always skipped - sign-offs only worked
by accident when a subsequent push re-triggered the action via
pull_request_target.

Author: andreatgretel

.github/dependabot.yml

@@ -4,23 +4,30 @@ updates:
     directory: /
     schedule:
       interval: weekly
+    groups:
+      all-actions:
+        patterns:
+          - "*"
     commit-message:
       prefix: "ci"
   - package-ecosystem: pip
     directory: /packages/data-designer-config
     schedule:
       interval: weekly
+    open-pull-requests-limit: 0
     commit-message:
       prefix: "chore"
   - package-ecosystem: pip
     directory: /packages/data-designer-engine
     schedule:
       interval: weekly
+    open-pull-requests-limit: 0
     commit-message:
       prefix: "chore"
   - package-ecosystem: pip
     directory: /packages/data-designer
     schedule:
       interval: weekly
+    open-pull-requests-limit: 0
     commit-message:
       prefix: "chore"

.github/workflows/dco-assistant.yml

@@ -26,7 +26,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: "DCO Assistant"
-        if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the Contributor Agreement including DCO and I hereby sign the Contributor Agreement and DCO') || github.event_name == 'pull_request_target'
+        if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the DCO document and I hereby sign the DCO.') || github.event_name == 'pull_request_target'
         uses: contributor-assistant/github-action@ca4a40a7d1004f18d9960b404b97e5f30a505a08
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -35,7 +35,7 @@ jobs:
           path-to-signatures: "dco-signatures.json"
           path-to-document: 'https://github.com/NVIDIA-NeMo/DataDesigner/blob/main/DCO'
           branch: 'signatures'
-          allowlist: dependabot
+          allowlist: dependabot[bot]
           create-file-commit-message: "chore: create file to store dco signatures"
           signed-commit-message: "chore: $contributorName has signed the dco in #$pullRequestNo"
           custom-notsigned-prcomment: "Thank you for your submission! We ask that $you sign our [Developer Certificate of Origin](https://github.com/NVIDIA-NeMo/DataDesigner/blob/main/DCO) before we can accept your contribution. You can sign the DCO by adding a comment below using this text:"