Skip to content

Commit 9425787

Browse files
authored
Fix Dependabot configuration with correct directory paths (#11001)
1 parent f8eadcc commit 9425787

2 files changed

Lines changed: 99 additions & 12 deletions

File tree

.github/dependabot.yml

Lines changed: 34 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -1,14 +1,36 @@
11
version: 2
22
updates:
3-
- package-ecosystem: npm
4-
directory: /.github/workflows
5-
schedule:
6-
interval: weekly
7-
- package-ecosystem: pip
8-
directory: /.github/workflows
9-
schedule:
10-
interval: weekly
11-
- package-ecosystem: gomod
12-
directory: /.github/workflows
13-
schedule:
14-
interval: weekly
3+
# Go modules - root directory
4+
- package-ecosystem: gomod
5+
directory: /
6+
schedule:
7+
interval: weekly
8+
open-pull-requests-limit: 10
9+
10+
# npm - documentation site
11+
- package-ecosystem: npm
12+
directory: /docs
13+
schedule:
14+
interval: weekly
15+
open-pull-requests-limit: 10
16+
17+
# npm - GitHub Actions setup scripts
18+
- package-ecosystem: npm
19+
directory: /actions/setup/js
20+
schedule:
21+
interval: weekly
22+
open-pull-requests-limit: 10
23+
24+
# npm - workflow dependencies
25+
- package-ecosystem: npm
26+
directory: /.github/workflows
27+
schedule:
28+
interval: weekly
29+
open-pull-requests-limit: 10
30+
31+
# Python - workflow dependencies
32+
- package-ecosystem: pip
33+
directory: /.github/workflows
34+
schedule:
35+
interval: weekly
36+
open-pull-requests-limit: 10

CONTRIBUTING.md

Lines changed: 65 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -280,6 +280,71 @@ The project includes automated license compliance checking:
280280

281281
All dependencies are automatically scanned using Google's `go-licenses` tool in CI, which classifies licenses by type and identifies potential compliance issues. Note that `go-licenses` is not actively maintained, so we install it on-demand rather than as a regular build dependency.
282282

283+
## 🤖 Automated Dependency Updates (Dependabot)
284+
285+
This project uses GitHub Dependabot to automatically keep dependencies up-to-date with weekly security patches and version updates.
286+
287+
### What Dependabot Monitors
288+
289+
Dependabot is configured in `.github/dependabot.yml` to monitor:
290+
291+
1. **Go modules** (`/go.mod`) - Weekly updates for Go dependencies
292+
2. **npm packages** - Weekly updates for:
293+
- Documentation site (`/docs/package.json`)
294+
- GitHub Actions setup scripts (`/actions/setup/js/package.json`)
295+
- Workflow dependencies (`/.github/workflows/package.json`)
296+
3. **Python packages** (`/.github/workflows/requirements.txt`) - Weekly updates for workflow scripts
297+
298+
### Expected Behavior
299+
300+
- **Schedule**: Dependabot checks for updates **every Monday** (weekly interval)
301+
- **Pull Requests**: Creates automated PRs from `dependabot[bot]` for:
302+
- Security vulnerabilities (immediate)
303+
- Version updates (weekly batch)
304+
- **Limit**: Maximum of 10 open PRs per ecosystem to prevent overwhelming maintainers
305+
306+
### What to Expect from Dependabot PRs
307+
308+
Dependabot PRs will:
309+
- Have clear titles like "Bump lodash from 4.17.20 to 4.17.21 in /docs"
310+
- Include changelog links and release notes
311+
- Show compatibility score based on semantic versioning
312+
- Automatically rebase when the base branch changes
313+
314+
### Troubleshooting Dependabot
315+
316+
If Dependabot stops creating PRs:
317+
318+
1. **Check repository settings**: Go to Settings → Security → Dependabot
319+
- Ensure "Dependabot alerts" is enabled
320+
- Ensure "Dependabot security updates" is enabled
321+
- Ensure "Dependabot version updates" is enabled
322+
323+
2. **Verify configuration**: Check `.github/dependabot.yml` syntax
324+
- Directory paths must match locations of dependency files
325+
- Ecosystem names must be exact: `gomod`, `npm`, `pip`
326+
327+
3. **Check for rate limits**: Dependabot may be rate-limited if there are too many updates
328+
329+
4. **Manual trigger**: You can manually trigger Dependabot from repository Settings → Security → Dependabot
330+
331+
### Handling Dependabot PRs
332+
333+
When reviewing Dependabot PRs:
334+
335+
1. **Review the changes**: Check the changelog and compatibility score
336+
2. **Let CI run**: Wait for all GitHub Actions checks to pass
337+
3. **Test if needed**: For major version updates, test locally or let the agent verify
338+
4. **Merge quickly**: Security updates should be merged as soon as CI passes
339+
5. **Batch updates**: For minor version updates, you can merge multiple PRs at once
340+
341+
### Security Patches
342+
343+
Dependabot prioritizes security patches:
344+
- Security vulnerabilities are updated **immediately** (not weekly)
345+
- PRs are tagged with severity level (critical, high, medium, low)
346+
- Security PRs should be reviewed and merged within 24-48 hours
347+
283348
## 🧪 Testing
284349

285350
For comprehensive testing guidelines including assert vs require usage, table-driven test patterns, and best practices, see **[specs/testing.md](specs/testing.md)**.

0 commit comments

Comments
 (0)