
fix: tune Dependabot config and fix DCO assistant bugs #534

Merged
andreatgretel merged 4 commits into main from
andreatgretel/fix/dependabot-pip-security-only
Apr 13, 2026

Conversation


@andreatgretel andreatgretel commented Apr 13, 2026

Summary

Follow-up to #517 (CI supply chain hardening). Tunes the Dependabot configuration and fixes two pre-existing bugs in the DCO assistant workflow.

Changes

Changed

  • .github/dependabot.yml — set open-pull-requests-limit: 0 on all three pip ecosystems (security-only PRs), add groups.all-actions to bundle GitHub Actions bumps into a single weekly PR

Fixed

Attention Areas

Reviewers: Please pay special attention to the following:

  • dco-assistant.yml — the if condition and allowlist changes affect how the DCO check runs for new contributors and bot PRs

Description updated with AI

The Dependabot config added in #517 included weekly version-bump PRs for
all three pip packages. This would generate noisy PRs for routine dep
updates we don't need. Set open-pull-requests-limit: 0 on the pip
ecosystems so only CVE-triggered security updates open PRs.

GitHub Actions weekly bumps are kept as-is to keep SHA pins current.
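The tuned configuration described in this PR, written out as an added example; this is not the project's actual .github/dependabot.yml. The directory paths and commit-message prefixes are placeholders assumed for illustration, and the three pip entries use the package names the review below lists. The comments record the weak default next to the corrected setting so the reason for the limit survives for a future maintainer:

```yaml
# Added example of a tuned .github/dependabot.yml; not the project's actual file.
# Directory paths and commit-message prefixes are placeholders (assumed).
version: 2
updates:
  # --- pip ecosystems (three packages) ---------------------------------------
  # Without open-pull-requests-limit, Dependabot opens up to 5 version-bump PRs
  # per ecosystem on every weekly run. Setting it to 0 stops version-update PRs
  # only; Dependabot security updates are a separate mechanism and still open a
  # PR when an advisory matches a dependency in these manifests. The weekly
  # schedule is kept so the manifests are still checked regularly.
  - package-ecosystem: "pip"
    directory: "/packages/data-designer-config"   # placeholder path
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 0
    commit-message:
      prefix: "chore(deps)"                       # placeholder prefix

  - package-ecosystem: "pip"
    directory: "/packages/data-designer-engine"   # placeholder path
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 0
    commit-message:
      prefix: "chore(deps)"

  - package-ecosystem: "pip"
    directory: "/packages/data-designer"          # placeholder path
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 0
    commit-message:
      prefix: "chore(deps)"

  # --- GitHub Actions ---------------------------------------------------------
  # Version bumps stay enabled here so the SHA pins in workflows keep moving
  # forward. The group below matches every action, so one weekly PR carries all
  # bumps instead of one PR per action.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      all-actions:
        patterns:
          - "*"
    commit-message:
      prefix: "ci(deps)"                          # placeholder prefix
```

One check worth doing after merging a change like this: open-pull-requests-limit: 0 only suppresses version updates, it does not turn security updates on. Security PRs for the pip manifests appear only if Dependabot alerts and Dependabot security updates are enabled in the repository's security settings, so confirm both are on or the pip ecosystems end up with no automated updates at all.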
@andreatgretel andreatgretel requested a review from a team as a code owner April 13, 2026 13:59
@github-actions

Code Review: PR #534 — fix: restrict Dependabot pip updates to security-only

Summary

This PR adds open-pull-requests-limit: 0 to the three pip ecosystem entries in .github/dependabot.yml. The goal is to suppress noisy weekly version-bump PRs for pip dependencies while preserving two key behaviors: (1) Dependabot security alerts can still open PRs for known CVEs, and (2) GitHub Actions weekly SHA-pin bumps (added in #517) continue unchanged.

Scope: 1 file changed, 3 lines added, 0 lines deleted.

Findings

Correctness

  • open-pull-requests-limit: 0 is the right mechanism. Per GitHub's Dependabot documentation, this setting controls version update pull requests only. Security updates are handled by a separate subsystem (dependabot/security-updates) and are not subject to this limit. The PR description accurately describes this behavior.
  • YAML placement is correct. The open-pull-requests-limit key is placed at the correct level within each ecosystem entry (sibling to schedule and commit-message), matching the Dependabot configuration schema.
  • GitHub Actions entry intentionally untouched. The github-actions ecosystem has no open-pull-requests-limit set (defaults to 5), which is appropriate — SHA-pinned actions benefit from automated weekly bump PRs to stay current.

Consistency

  • All three pip ecosystem entries (data-designer-config, data-designer-engine, data-designer) are updated identically. No entry is missed.
  • The key ordering within each block (schedule, open-pull-requests-limit, commit-message) is consistent across all three entries.

Commit hygiene

  • Single, focused commit with a clear conventional-commit message (fix: restrict Dependabot pip updates to security-only).
  • The commit body provides good context on why the change is needed.

Minor observations

  • schedule: interval: weekly is retained. Even with open-pull-requests-limit: 0, Dependabot will still run weekly checks for these ecosystems. This is fine — it ensures Dependabot's internal vulnerability database is consulted regularly, so security PRs can fire promptly when a CVE is published. No change needed.
  • No registries or groups configuration. Not needed for this use case, but worth noting that if the team later wants grouped security updates (e.g., batching all CVE fixes into one PR), they can add groups without conflicting with this setting.

Potential concerns

  • None identified. The change is minimal, correct, and well-scoped. There are no functional risks — the worst case is that a future maintainer might not immediately understand why the limit is 0, but the PR description and commit message provide sufficient context.

Verdict

Approve. This is a clean, correct configuration fix that reduces PR noise without sacrificing security coverage. No issues found.


greptile-apps bot commented Apr 13, 2026

Greptile Summary

This PR suppresses noisy Dependabot version-bump PRs for the three pip ecosystems by setting open-pull-requests-limit: 0, and also adds a DCO assistant workflow. The open-pull-requests-limit: 0 approach is correct — it disables version updates only; GitHub security update PRs are a separate mechanism not governed by this key and will continue to fire when CVEs are detected.

Confidence Score: 5/5

Safe to merge — both changes are correct and follow documented patterns.

No P0 or P1 findings. open-pull-requests-limit: 0 correctly disables only version-update PRs; security update PRs are a separate GitHub feature unaffected by this key. The DCO workflow follows the standard pull_request_target + SHA-pinned pattern with appropriately scoped permissions.

No files require special attention.

Important Files Changed

  • .github/dependabot.yml: Adds open-pull-requests-limit: 0 to all three pip ecosystems, correctly disabling version-bump PRs while leaving security update PRs unaffected (security updates are a separate GitHub feature not governed by this key).
  • .github/workflows/dco-assistant.yml: New DCO assistant workflow using pull_request_target (standard pattern for DCO tools that need write permissions); action is pinned to a commit SHA; permissions are explicitly scoped; dependabot[bot] is allowlisted.

Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Dependabot weekly schedule fires] --> B{Update type?}
    B -->|Version update| C[open-pull-requests-limit: 0]
    C --> D[No PR opened ✓]
    B -->|Security advisory detected| E[GitHub Advisory Database]
    E --> F[Security update PR opened ✓]
    G[GitHub Actions ecosystem] --> H[SHA-pin bump PR opened weekly ✓]
```

Reviews (4): Last reviewed commit: "fix: align DCO assistant if-condition wi..."

nabinchha
nabinchha previously approved these changes Apr 13, 2026
andreatgretel and others added 2 commits April 13, 2026 11:25
- Add a Dependabot group to bundle all GitHub Actions updates into a
  single weekly PR instead of one per action
- Fix DCO allowlist: dependabot -> dependabot[bot] to match the actual
  GitHub username (the old value never matched, but there were no
  Dependabot PRs before #517 to expose the bug)

The step's if-condition checked for the default sign-off text but
custom-pr-sign-comment uses different wording. This meant the
issue_comment trigger was always skipped - sign-offs only worked
by accident when a subsequent push re-triggered the action via
pull_request_target.
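How the if-condition, the allowlist and the custom sign-off text have to line up, shown as an added example that is not the project's dco-assistant.yml. It assumes the contributor-assistant/github-action (the PR does not name the action it uses), a placeholder pinned commit SHA, and invented sign-off wording, signature path and document URL; the bug the commits above describe is kept as a commented-out line beside the corrected one:

```yaml
# Added example of a DCO sign-off workflow; not the project's dco-assistant.yml.
# Assumes contributor-assistant/github-action (the PR does not name its action).
# <PINNED_COMMIT_SHA>, the DCO document URL, the signature path and the sign-off
# sentence are placeholders.
name: DCO Assistant

on:
  issue_comment:
    types: [created]
  pull_request_target:
    types: [opened, closed, synchronize]

# Scope the token to exactly what the action needs; nothing else in this job
# runs PR-supplied code, so no checkout step is present.
permissions:
  actions: write
  contents: write
  pull-requests: write
  statuses: write

jobs:
  dco:
    runs-on: ubuntu-latest
    steps:
      - name: DCO Assistant
        # BUG (as described in the commit above): the condition compared the
        # comment body against the action's default CLA sentence, while
        # custom-pr-sign-comment below uses different wording. No issue_comment
        # event ever matched, so the step ran only when a later push re-fired
        # it through pull_request_target.
        #
        #   if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
        #
        # FIX: the quoted sentence must be identical to custom-pr-sign-comment.
        if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the DCO Document and I hereby sign the DCO') || github.event_name == 'pull_request_target'
        uses: contributor-assistant/github-action@<PINNED_COMMIT_SHA> # placeholder; pin to a full commit SHA
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          path-to-signatures: "signatures/version1/dco.json"                 # placeholder
          path-to-document: "https://github.com/<org>/<repo>/blob/main/DCO.md" # placeholder
          branch: "main"
          # The bot's login is "dependabot[bot]"; a bare "dependabot" never
          # matches, so its PRs would be held at the sign-off gate.
          allowlist: "dependabot[bot]"
          custom-pr-sign-comment: "I have read the DCO Document and I hereby sign the DCO"
```

Two things to verify when testing a change like this: post the exact sign-off sentence as a PR comment and confirm the run is triggered by issue_comment rather than by a later push, and open a Dependabot PR and confirm the check passes without a signature. Because the job runs on pull_request_target with write permissions, keep it free of any step that checks out or executes the pull request's code.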
@andreatgretel andreatgretel changed the title fix: restrict Dependabot pip updates to security-only fix: tune Dependabot config and fix DCO assistant bugs Apr 13, 2026
@andreatgretel andreatgretel merged commit 47be28c into main Apr 13, 2026
49 checks passed
@andreatgretel andreatgretel deleted the andreatgretel/fix/dependabot-pip-security-only branch April 14, 2026 11:55