[CI] Add uv package ecosystem to dependabot

jbampton · jbampton · commit 72095fdb3615 · 2026-05-28T01:26:07.000+10:00
https://docs.github.com/en/code-security/reference/supply-chain-security/supported-ecosystems-and-repositories Add the `uv.lock` file to Git * **Reproducibility**: It pins every dependency to an exact version and content hash, eliminating the "it works on my machine" problem. * **Deterministic CI/CD**: You can use `uv sync --locked` in your automated pipelines to guarantee the environment is identical to the one you tested locally. * **Cross-Platform Resolution**: By default, `uv.lock` is designed to be universal and platform-agnostic, making it safe to share across different operating systems. * **Security**: Tools like Dependabot can scan the lockfile to detect vulnerable dependencies.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -52,3 +52,15 @@ updates:
           - '*'
     cooldown:
       default-days: 7
+
+  - package-ecosystem: uv
+    directory: /
+    open-pull-requests-limit: 2
+    schedule:
+      interval: monthly
+    groups:
+      uv-dependencies:
+        patterns:
+          - '*'
+    cooldown:
+      default-days: 7
diff --git a/.gitignore b/.gitignore
@@ -54,5 +54,4 @@ target
 # Ignore node_modules in docs-overrides
 docs-overrides/node_modules/
 
-uv.lock
 .env
diff --git a/uv.lock b/uv.lock
