feat(deps): add Dependabot configuration for automated dependency mangement (#4)

* feat(deps): add Dependabot configuration for automated dependency management

- Add .github/dependabot.yml with weekly updates for NuGet, GitHub Actions, and Docker
- Configure 14-day cooldown periods and pull request limits to prevent spam
- Set up conventional commit message prefixes and automatic reviewer assignment
- Update documentation in README.md, CHANGELOG.md, and ci-cd-workflows.md
- Integrate Dependabot PRs with existing CI/CD pipeline for automated testing

* Update CHANGELOG.md

Co-authored-by: Copilot <[email protected]>

---------

Co-authored-by: jakubmackowski <[email protected]>
Co-authored-by: Copilot <[email protected]>

Author: 3 people

.github/dependabot.yml

@@ -0,0 +1,54 @@
+version: 2
+updates:
+  # NuGet dependencies (.NET packages)
+  - package-ecosystem: "nuget"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    cooldown:
+      default-days: 14
+    open-pull-requests-limit: 10
+    reviewers:
+      - "mackowski"
+    labels:
+      - "dependencies"
+      - "nuget"
+    commit-message:
+      prefix: "chore(nuget)"
+      include: "scope"
+    pull-request-branch-name:
+      separator: "-"
+
+  # GitHub Actions dependencies
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    cooldown:
+      default-days: 14
+    open-pull-requests-limit: 5
+    reviewers:
+      - "mackowski"
+    labels:
+      - "dependencies"
+      - "github-actions"
+    commit-message:
+      prefix: "chore(github-actions)"
+      include: "scope"
+
+  # Docker dependencies (for docker-compose.yml)
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    cooldown:
+      default-days: 14
+    open-pull-requests-limit: 5
+    reviewers:
+      - "mackowski"
+    labels:
+      - "dependencies"
+      - "docker"
+    commit-message:
+      prefix: "chore(docker)"
+      include: "scope"

CHANGELOG.md

@@ -5,6 +5,13 @@ All notable changes to this project will be documented in this file.
 ## 1.8
 
 ### Added
+- **Dependabot Configuration**: Automated dependency update management
+  - Created `.github/dependabot.yml` for automated dependency updates
+  - Configures weekly updates for NuGet packages (.NET), GitHub Actions, and Docker dependencies
+  - Includes cooldown periods (14 days) to prevent update spam
+  - Automatically creates pull requests with conventional commit message prefixes
+  - Assigns reviewers and applies appropriate labels for dependency updates
+  - Limits concurrent open pull requests (10 for NuGet, 5 for GitHub Actions and Docker)
 - **Local Workflow Testing Script**: Script to replicate CI/CD pipeline locally
   - Created `test-workflow-local.sh` to execute the same test sequence as GitHub Actions
   - Runs linting, unit tests, component tests, integration tests, and contract tests
@@ -31,6 +38,8 @@ All notable changes to this project will be documented in this file.
   - Updated `README.md` with local workflow testing script documentation
   - Enhanced `docs/ci-cd-workflows.md` with local workflow execution guide
   - Updated `docs/testing-integration-tests.md` with SSL certificate handling details
+  - Updated `README.md` with Dependabot dependency management information
+  - Enhanced `docs/ci-cd-workflows.md` with Dependabot integration details
 
 ## 1.7
 

README.md

@@ -16,9 +16,10 @@ A GitHub App to automate the enforcement of organizational policies and security
   - [Prerequisites](#prerequisites)
   - [Installation](#installation)
 - [Configuration](#configuration)
-- [Project Scope](#project-scope)
+- [Testing](#testing)
+- [Dependency Management](#dependency-management)
 - [Documentation](#documentation)
-- [Project Status](#project-status)
+- [Project Scope](#project-scope)
 - [License](#license)
 
 ---
@@ -380,6 +381,41 @@ For more details, see **[Testing Strategy](./docs/testing-strategy.md)** and **[
 
 ---
 
+## Dependency Management
+
+The project uses [Dependabot](https://docs.github.com/en/code-security/dependabot) to automatically keep dependencies up to date.
+
+### Automated Dependency Updates
+
+Dependabot is configured via `.github/dependabot.yml` and monitors the following:
+
+- **NuGet Packages** (.NET): Weekly updates with conventional commit prefixes (`chore(nuget)`)
+- **GitHub Actions**: Weekly updates for workflow action versions (`chore(github-actions)`)
+- **Docker Dependencies**: Weekly updates for Docker images in `docker-compose.yml` (`chore(docker)`)
+
+### Configuration Details
+
+- **Update Schedule**: Weekly checks
+- **Cooldown Period**: 14 days to prevent update spam and malware
+- **Pull Request Limits**: 
+  - NuGet: Up to 10 concurrent PRs
+  - GitHub Actions: Up to 5 concurrent PRs
+  - Docker: Up to 5 concurrent PRs
+- **Commit Messages**: Follow conventional commit format with scoped prefixes
+- **Reviewers**: Pull requests are automatically assigned for review
+- **Labels**: Automatic labeling (`dependencies`, `nuget`, `github-actions`, `docker`)
+
+### Managing Updates
+
+Dependabot pull requests automatically run through the same CI/CD pipeline as regular pull requests, including:
+- Code formatting checks
+- Unit, component, integration, and contract tests
+- Code coverage reporting
+
+You can review and merge these updates through the standard pull request process.
+
+---
+
 ## Documentation
 
 Detailed documentation for specific features and integrations:

docs/ci-cd-workflows.md

@@ -4,6 +4,8 @@
 
 The project uses GitHub Actions for continuous integration and continuous deployment. The main workflow runs on pull requests to ensure code quality, test coverage, and compliance before code is merged.
 
+In addition to the pull request workflow, the project uses [Dependabot](https://docs.github.com/en/code-security/dependabot) to automatically manage dependency updates. Dependabot pull requests go through the same CI/CD pipeline as regular pull requests, ensuring all updates are tested before merging.
+
 ## Pull Request Workflow
 
 The **Pull Request** workflow (`.github/workflows/pull-request.yml`) is triggered automatically on pull requests to `main` or `develop` branches. It performs checks including code linting, multi-level testing, code coverage reporting, and automatic PR status comments.
@@ -283,6 +285,55 @@ dotnet test \
   --logger "console;verbosity=detailed"
 ```
 
+## Dependabot Integration
+
+The project uses GitHub Dependabot for automated dependency management, configured via `.github/dependabot.yml`.
+
+### Configuration
+
+Dependabot monitors three package ecosystems:
+
+1. **NuGet Packages** (.NET dependencies)
+   - Weekly update checks
+   - Up to 10 concurrent pull requests
+   - Commit message prefix: `chore(nuget)`
+   - Labels: `dependencies`, `nuget`
+
+2. **GitHub Actions** (workflow action versions)
+   - Weekly update checks
+   - Up to 5 concurrent pull requests
+   - Commit message prefix: `chore(github-actions)`
+   - Labels: `dependencies`, `github-actions`
+
+3. **Docker Dependencies** (container images)
+   - Weekly update checks
+   - Up to 5 concurrent pull requests
+   - Commit message prefix: `chore(docker)`
+   - Labels: `dependencies`, `docker`
+
+### Update Behavior
+
+- **Cooldown Period**: 14 days between updates for the same dependency to prevent excessive PRs
+- **Automatic Review Assignment**: Pull requests are automatically assigned to designated reviewers
+- **Conventional Commits**: All dependency updates follow the conventional commit format for consistency
+- **CI/CD Integration**: Dependabot PRs automatically trigger the pull request workflow, running all linting, tests, and coverage checks
+
+### Managing Dependabot PRs
+
+1. **Review**: Each PR includes a changelog and release notes when available
+2. **Test**: All PRs run through the full CI/CD pipeline automatically
+3. **Merge**: Once approved and tests pass, merge using standard GitHub PR workflow
+4. **Bulk Operations**: Use GitHub's "Merge" or "Rebase and merge" options for multiple dependency updates
+
+### Best Practices
+
+- **Regular Reviews**: Review and merge Dependabot PRs regularly to stay current with security patches and features
+- **Batch Updates**: Consider batching multiple minor/patch updates together when possible
+- **Test Coverage**: All dependency updates are automatically tested, but manual verification is recommended for major version updates
+- **Security Updates**: Prioritize security-related dependency updates (Dependabot will label these accordingly)
+
+For more information, see the [Dependabot documentation](https://docs.github.com/en/code-security/dependabot).
+
 ## Troubleshooting
 
 ### Workflow Failures