Enhance Dependabot config for multiple ecosystems#20
Conversation
Updated Dependabot configuration to include GitHub Actions, Cargo, and NPM with daily update schedules.
There was a problem hiding this comment.
Pull request overview
Adds a new Dependabot configuration intended to enable daily dependency update PRs across multiple ecosystems in this repo.
Changes:
- Introduces
.github/dependabot.ymlwith update entries for GitHub Actions, Cargo, and npm. - Configures daily schedules (03:00) for each ecosystem.
| directories: | ||
| - "/" | ||
| schedule: | ||
| interval: "daily" | ||
| time: "03:00" |
There was a problem hiding this comment.
The Cargo update config points to the repo root ("/") but this repository’s Cargo workspaces live under src/code-validator/guest/ and src/sandbox/runtime/; there is no Cargo.toml at "/". Dependabot will fail to run for Cargo unless the directory is updated to the actual workspace roots (and typically each workspace root is a separate update entry).
| directories: | |
| - "/" | |
| schedule: | |
| interval: "daily" | |
| time: "03:00" | |
| directory: "/src/code-validator/guest" | |
| schedule: | |
| interval: "daily" | |
| time: "03:00" | |
| - package-ecosystem: "cargo" | |
| directory: "/src/sandbox/runtime" | |
| schedule: | |
| interval: "daily" | |
| time: "03:00" |
| directories: | ||
| - "/" |
There was a problem hiding this comment.
The Cargo entry uses directories: (plural) while other entries use directory:. Dependabot’s v2 config uses directory per update; if you need to cover multiple Cargo workspaces, add multiple - package-ecosystem: cargo entries (one per workspace root) instead of directories to avoid the key being ignored / config validation failing.
| directories: | |
| - "/" | |
| directory: "/" |
| interval: "daily" | ||
| time: "03:00" | ||
| - package-ecosystem: "npm" | ||
| directory: "/src/js-host-api" |
There was a problem hiding this comment.
The npm update config points to directory: "/src/js-host-api", but there is no src/js-host-api directory in this repo (the root npm manifest is at /package.json, and @hyperlight/js-host-api is referenced as a file:deps/js-host-api dependency). This directory should be updated to the actual location(s) of package.json you want Dependabot to manage (e.g. / and possibly /src/code-validator/guest).
| directory: "/src/js-host-api" | |
| directory: "/" |
| updates: | ||
| - package-ecosystem: "github-actions" | ||
| directory: "/" | ||
| schedule: | ||
| interval: "daily" | ||
| time: "03:00" | ||
| - package-ecosystem: "cargo" | ||
| directories: |
There was a problem hiding this comment.
There are trailing spaces after the updates: and directories: keys. YAML will still parse, but trimming avoids noise in future diffs and satisfies whitespace-focused linters/editors.
| updates: | |
| - package-ecosystem: "github-actions" | |
| directory: "/" | |
| schedule: | |
| interval: "daily" | |
| time: "03:00" | |
| - package-ecosystem: "cargo" | |
| directories: | |
| updates: | |
| - package-ecosystem: "github-actions" | |
| directory: "/" | |
| schedule: | |
| interval: "daily" | |
| time: "03:00" | |
| - package-ecosystem: "cargo" | |
| directories: |
Updated Dependabot configuration to include GitHub Actions, Cargo, and NPM with daily update schedules.