chore(deps): setup dependabot for critical dependencies #13244
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Co-authored-by: rvagg <[email protected]>
Copilot
AI
changed the title
Copilot finished work on behalf of
rvagg
August 5, 2025 05:31
rvagg
reviewed
Aug 5, 2025
Co-authored-by: rvagg <[email protected]>
rvagg
reviewed
Aug 5, 2025
Copilot
AI
changed the title
Copilot finished work on behalf of
rvagg
August 5, 2025 05:35
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
Please update the PR title to match https://github.com/filecoin-project/lotus/blob/master/CONTRIBUTING.md#pr-title-conventions
There was a problem hiding this comment.
Pull Request Overview
This PR introduces Dependabot configuration to automate monitoring of critical dependencies in the Lotus repository, addressing technical debt issues by providing early signals for dependency updates.
- Configures monthly monitoring of critical Go dependencies grouped into 6 logical categories
- Covers all dependencies specified in issue #13232 including specs-actors, go-state-types, boxo, and go-libp2p
- Sets up automated PR creation with proper reviewers and labels to streamline the update process
rvagg
approved these changes
Aug 5, 2025
rvagg
changed the title
github-actions
bot
dismissed
their stale review
PR title now matches the required format.
Copilot finished work on behalf of
rvagg
August 5, 2025 05:38
|
Copilot's self-review is confused, it says to both include it and don't include it, so I'm going to err on the side of accepting both. I don't expect specs-actors to ever trigger this but you never know. |
rjan90
approved these changes
Aug 5, 2025
github-project-automation
bot
moved this from ⌨️ In Progress
to ✔️ Approved by reviewer
in FilOz
BigLep
requested changes
Aug 12, 2025
github-project-automation
bot
moved this from ✔️ Approved by reviewer
to ⌨️ In Progress
in FilOz
- Replace explicit filecoin-project package patterns with single wildcard - Remove redundant ipfs/boxo and libp2p/go-libp2p explicit patterns - Remove "automated" label that doesn't exist in the repo Co-authored-by: BigLep <[email protected]>
Copilot finished work on behalf of
BigLep
August 12, 2025 03:32
BigLep
approved these changes
Aug 12, 2025
github-project-automation
bot
moved this from 🔎 Awaiting Review
to ✔️ Approved by reviewer
in FilOz
github-project-automation
bot
moved this from ✔️ Approved by reviewer
to 🎉 Done
in FilOz
8 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR implements dependabot configuration to proactively monitor critical dependencies in the Lotus repository, addressing the technical debt issues described in #13232.
What this adds
A new
.github/dependabot.ymlconfiguration that:github.com/filecoin-project/*dependencies (including specs-actors with all versioned variants)github.com/ipfs/*,github.com/libp2p/*, andgithub.com/multiformats/*dependenciesThe configuration uses clean wildcard patterns for maximum coverage while maintaining organized groupings for easier review.
Why this helps
This addresses the core problem where "tasks requiring a dependency update can mushroom with unexpected work" by providing early signals when updates are available for our most critical dependencies. The monthly schedule keeps notifications manageable while ensuring we don't fall too far behind on important updates.
The configuration complements the existing
dependency-check.ymlworkflow and follows the pragmatic approach requested - focusing on the most beneficial dependencies rather than blanket monitoring everything.Fixes #13232.
💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.