Updates to yaml and python script documentation. Remove auto-merge feature until after team review.

Author: jairmyree

.github/dependabot.yml

@@ -3,21 +3,23 @@
 # Please see the documentation for all configuration options:
 # https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
 
+# This configuration will enable Dependabot version updates for all of our SDKs. It combines with the GitHub Action
+# workflow /.github/workflows/dependabot-update-external-deps.yml to maintain continuity with external_dependencies.txt
 version: 2
 updates:
   - package-ecosystem: "maven" # See documentation for possible values
-    directories: 
-      - "/sdk/*"
+    directories:
+      - "/sdk/*" # All pom files in the sdk directory
     schedule:
       interval: "daily"
     reviewers: ["jairmyree"]
     open-pull-requests-limit: 10
-    ignore:
-        - dependency-name: "*" 
+    ignore: # any specific dependencies or upgrade tupes that should be excluded from version updates
+        - dependency-name: "*"
           update-types: ["version-update:semver-major"]
         - dependency-name: "org.apache.spark*"
         - dependency-name: "io.projectreactor*"
         - dependency-name: "com.fasterxml.jackson*"
         - dependency-name: "org.springframework*"
-        
-          
+
+

.github/workflows/dependabot-update-external-deps.yml

@@ -1,3 +1,8 @@
+# This workflow is triggered when a pull request is opened by Dependabot
+# This workflow will use metadata from Dependabot update to update external_dependencies.txt and update the dependency across all the SDKs
+# This workflow will auto-approve and merge the pull request if the update is a patch version or minor version update with a compatibility score of 80 or higher.
+
+# NOTE: The auto-approved and merge step is currently disabled.
 name: Dependabot Update External Dependencies
 on: pull_request
 
@@ -10,7 +15,7 @@ permissions:
 jobs:
   dependabot:
     runs-on: ubuntu-latest
-    if: github.event.pull_request.user.login == 'dependabot[bot]' 
+    if: github.event.pull_request.user.login == 'dependabot[bot]'
     steps:
     - name: Fetch Dependabot metadata
       id: dependabot-metadata
@@ -32,7 +37,7 @@ jobs:
       uses: actions/setup-python@v4
       with:
         python-version: '3.x'
-        
+
     - name: Adjust External Dependencies
       run: python eng/versioning/dependabot_update_external_dependencies.py --json '${{steps.dependabot-metadata.outputs.updated-dependencies-json}}'
 
@@ -50,12 +55,12 @@ jobs:
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-    - name: Auto-Approve and Merge Pull Request
-      if: ${{ steps.dependabot-metadata.outputs.update-type  == 'version-update:semver-patch' || (steps.dependabot-metadata.outputs.update-type == 'version-update:semver-minor' && steps.dependabot-metadata.outputs.compatibility-score >= 80)}}
-      run: |
-        gh pr review --approve "${{ github.event.pull_request.html_url }}"
-        gh pr merge "${{ github.event.pull_request.html_url }}" --auto --squash 
-      env:
-        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+#    - name: Auto-Approve and Merge Pull Request
+#      if: ${{ steps.dependabot-metadata.outputs.update-type  == 'version-update:semver-patch' || (steps.dependabot-metadata.outputs.update-type == 'version-update:semver-minor' && steps.dependabot-metadata.outputs.compatibility-score >= 80)}}
+#      run: |
+#        gh pr review --approve "${{ github.event.pull_request.html_url }}"
+#        gh pr merge "${{ github.event.pull_request.html_url }}" --auto --squash
+#      env:
+#        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
 

eng/versioning/dependabot_update_external_dependencies.py

@@ -2,7 +2,7 @@
 # Licensed under the MIT License.
 """
 This script updates external dependencies in the `external_dependencies.txt` file based on the provided JSON input.
-It also runs another script `update_versions.py` to update versions.
+It also runs another script `update_versions.py` to update upgraded dependencies across all SDKs.
 
 Usage:
     python dependabot_update_external_dependencies.py --json '<json_string>'