Code Review: PR #534 — fix: restrict Dependabot pip updates to security-only

Summary

This PR adds open-pull-requests-limit: 0 to the three pip ecosystem entries in .github/dependabot.yml. The goal is to suppress noisy weekly version-bump PRs for pip dependencies while preserving two key behaviors: (1) Dependabot security alerts can still open PRs for known CVEs, and (2) GitHub Actions weekly SHA-pin bumps (added in #517) continue unchanged.

Scope: 1 file changed, 3 lines added, 0 lines deleted.

Findings

Correctness

• open-pull-requests-limit: 0 is the right mechanism. Per GitHub's Dependabot documentation, this setting controls version update pull requests only. Security updates are handled by a separate subsystem (dependabot/security-updates) and are not subject to this limit. The PR description accurately describes this behavior.
• YAML placement is correct. The open-pull-requests-limit key is placed at the correct level within each ecosystem entry (sibling to schedule and commit-message), matching the Dependabot configuration schema.
• GitHub Actions entry intentionally untouched. The github-actions ecosystem has no open-pull-requests-limit set (defaults to 5), which is appropriate — SHA-pinned actions benefit from automated weekly bump PRs to stay current.

Consistency

• All three pip ecosystem entries (data-designer-config, data-designer-engine, data-designer) are updated identically. No entry is missed.
• The key ordering within each block (schedule → open-pull-requests-limit → commit-message) is consistent across all three entries.

Commit hygiene

• Single, focused commit with a clear conventional-commit message (fix: restrict Dependabot pip updates to security-only).
• The commit body provides good context on why the change is needed.

Minor observations

• schedule: interval: weekly is retained. Even with open-pull-requests-limit: 0, Dependabot will still run weekly checks for these ecosystems. This is fine — it ensures Dependabot's internal vulnerability database is consulted regularly, so security PRs can fire promptly when a CVE is published. No change needed.
• No registries or groups configuration. Not needed for this use case, but worth noting that if the team later wants grouped security updates (e.g., batching all CVE fixes into one PR), they can add groups without conflicting with this setting.

Potential concerns

• None identified. The change is minimal, correct, and well-scoped. There are no functional risks — the worst case is that a future maintainer might not immediately understand why the limit is 0, but the PR description and commit message provide sufficient context.

Verdict

Approve. This is a clean, correct configuration fix that reduces PR noise without sacrificing security coverage. No issues found.

Greptile Summary

This PR suppresses noisy Dependabot version-bump PRs for the three pip ecosystems by setting open-pull-requests-limit: 0, and also adds a DCO assistant workflow. The open-pull-requests-limit: 0 approach is correct — it disables version updates only; GitHub security update PRs are a separate mechanism not governed by this key and will continue to fire when CVEs are detected.

Important Files Changed

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Dependabot weekly schedule fires] --> B{Update type?}
    B -->|Version update| C[open-pull-requests-limit: 0]
    C --> D[No PR opened ✓]
    B -->|Security advisory detected| E[GitHub Advisory Database]
    E --> F[Security update PR opened ✓]
    G[GitHub Actions ecosystem] --> H[SHA-pin bump PR opened weekly ✓]

_{Reviews (4): Last reviewed commit: "fix: align DCO assistant if-condition wi..." | Re-trigger Greptile}