
ci: add Dependabot configuration for pip and GitHub Actions#14

Merged: habanwer merged 1 commit into main from ci/dependabot on Mar 11, 2026

Conversation

@habanwer (Member)

Dependabot Configuration

Automated dependency update PRs for two ecosystems.

Ecosystems Monitored

| Ecosystem      | Schedule | PR Limit | Scope                    |
|----------------|----------|----------|--------------------------|
| pip            | Daily    | 10       | requirements.txt         |
| github-actions | Weekly   | 5        | .github/workflows/*.yml  |

Audit Summary

  • Zero supply-chain risk — Dependabot is a native GitHub feature, no third-party actions involved
  • Labels added for easy PR triage: `dependencies` + ecosystem-specific (`python` or `github-actions`)
  • Open-PR limits prevent flooding the PR queue
  • Daily pip schedule appropriate for a security-focused tool — catches new CVEs within 24h
  • Weekly github-actions sufficient since action releases are less frequent

Interaction with Existing Workflows

Dependabot PRs will automatically trigger the full CI/CD suite (CodeQL, Semgrep, Bandit, Pip-Audit) on each dependency update PR, providing defense-in-depth validation before merge.

Automated dependency update PRs for two ecosystems:
- pip: daily checks against requirements.txt (max 10 open PRs)
- github-actions: weekly checks for workflow action versions (max 5 open PRs)

Audit notes:
- Zero risk — Dependabot is a native GitHub feature, no third-party actions
- Labels added for easy PR triage (dependencies + ecosystem-specific)
- Open-PR limits prevent Dependabot from flooding the PR queue
- Daily pip schedule is appropriate given the security focus of REDACTS
- Weekly github-actions schedule sufficient since actions update less often
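For readers who want to see the two update entries described above side by side, here is an added example of a `.github/dependabot.yml` reconstructed from the PR description and the three lines quoted in the review comment. It is not the merged file: the key names follow the Dependabot v2 configuration schema, but the comments, ordering and exact label spelling are assumptions.

```yaml
# .github/dependabot.yml (reconstructed example, not the merged file)
version: 2
updates:
  # Python dependencies (requirements.txt); directory "/" is the repo root
  - package-ecosystem: pip
    directory: "/"
    schedule:
      interval: daily            # daily, so a newly published fix is offered within a day
    open-pull-requests-limit: 10  # cap on concurrently open Dependabot PRs for this entry
    labels:
      - dependencies
      - python

  # GitHub Actions referenced from .github/workflows/*.yml
  - package-ecosystem: github-actions
    directory: "/"               # for github-actions, "/" means "scan .github/workflows"
    schedule:
      interval: weekly
    open-pull-requests-limit: 5
    labels:
      - dependencies
      - github-actions
```

Two things worth checking when adopting a file like this: the `# requirements.txt` comment documents intent but does not narrow what Dependabot scans, since a pip entry with `directory: "/"` covers every pip manifest it recognises in that directory, and every PR Dependabot opens runs the repository's normal workflows, so the CodeQL, Semgrep, Bandit and pip-audit jobs the description mentions act as the gate before a bump is merged.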
Copilot AI review requested due to automatic review settings March 11, 2026 00:25
@habanwer habanwer merged commit 323a8a3 into main Mar 11, 2026
8 of 12 checks passed
@habanwer habanwer deleted the ci/dependabot branch March 11, 2026 00:25

Copilot AI left a comment


Pull request overview

Adds a Dependabot configuration to automatically open dependency update PRs for the repository’s Python (pip) dependencies and GitHub Actions, aligning with the repo’s security/CI posture.

Changes:

  • Introduces .github/dependabot.yml with daily pip checks in repo root
  • Adds weekly GitHub Actions update checks
  • Applies consistent labeling and caps the number of concurrent Dependabot PRs per ecosystem


Comment on lines +10 to +12
# Python dependencies (requirements.txt)
- package-ecosystem: pip
directory: "/"

Copilot AI Mar 11, 2026


The comment/PR description indicates this entry only targets requirements.txt, but Dependabot's pip ecosystem for directory: "/" will also pick up other pip manifests in the repo root (e.g., requirements-dev.txt). If the intent is truly to only update runtime deps, the config/comment/PR description should be adjusted to match the actual scope (or the dev requirements moved outside the monitored directory).
