
[#302] Add Dependabot configuration for automated dependency updates #622

Closed
thawzintoe-ptut wants to merge 1 commit into develop from feature/302-automate-dependency-updates-in-gradle-projects-with-dependabot

Conversation

@thawzintoe-ptut
Contributor

@thawzintoe-ptut thawzintoe-ptut commented Jan 8, 2026

#302

What happened 👀

Added Dependabot configuration to automate dependency updates for Gradle projects and GitHub Actions workflows.

Changes:

  • Created .github/dependabot.yml with configuration for template-compose, sample-compose, and GitHub Actions
  • Added .github/DEPENDABOT.md documentation guide
  • Updated README.md with link to Dependabot documentation

Insight 📝

Dependabot automates dependency updates to keep libraries current and reduce security risks. The configuration groups related dependencies (like androidx, compose, kotlin, networking) to minimize PR noise - instead of getting 20 individual PRs, we get 7 grouped PRs per project.

Configuration details:

  • Runs weekly on Mondays at 09:00 UTC
  • Limits open PRs to 5 per Gradle directory and 3 for GitHub Actions
  • Auto-assigns PRs to @nimblehq/android-team
  • Uses [Chore] prefix to match team commit conventions
  • Supports Gradle Version Catalogs natively

Proof Of Work 📹

✅ CI should pass the workflow

Summary by CodeRabbit

  • Documentation

    • Added comprehensive dependency management guide documenting Dependabot usage, scheduling, and workflows.
    • Updated README with Dependency Management section and link to configuration guide.
  • Chores

    • Configured automated weekly dependency updates for Gradle and GitHub Actions with designated reviewer assignments.

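As an added illustration, not the PR's own `.github/dependabot.yml` (which this page does not reproduce), here is a Dependabot v2 file that encodes the settings the description lists: weekly runs on Mondays at 09:00 UTC, 5 open PRs per Gradle directory and 3 for GitHub Actions, review requests to `nimblehq/android-team`, the `[Chore]` commit prefix, and grouped updates for the two Gradle projects. The group pattern strings, the `type : chore` label and the `ignore` entry are assumptions made for the example.

```yaml
# Added example, not the PR's own .github/dependabot.yml. It encodes the settings
# listed in the PR description; the pattern strings, the "type : chore" label and
# the ignore entry are assumptions for illustration.
version: 2
updates:
  # Gradle project 1. Dependabot also reads gradle/libs.versions.toml (Version
  # Catalogs) under this directory, so catalog-managed versions are bumped too.
  - package-ecosystem: "gradle"
    directory: "/template-compose"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "09:00"
      timezone: "Etc/UTC"
    open-pull-requests-limit: 5
    reviewers:
      - "nimblehq/android-team"
    labels:
      - "type : chore"
    commit-message:
      prefix: "[Chore]"
    # One PR per group instead of one per artifact. Patterns match Maven
    # coordinates ("group:artifact"), not version-catalog aliases, so "*test*"
    # catches androidx.test:core-ktx and kotlinx-coroutines-test but not
    # io.mockk:mockk or app.cash.turbine:turbine; those are listed explicitly.
    # exclude-patterns make the androidx/compose/test split explicit instead of
    # relying on which group is declared first.
    groups:
      testing:
        patterns: ["*test*", "io.mockk:*", "app.cash.turbine:*", "io.kotest:*", "org.robolectric:*"]
      compose:
        patterns: ["androidx.compose*"]
      androidx:
        patterns: ["androidx.*"]
        exclude-patterns: ["androidx.compose*", "androidx.test:*"]
      kotlin:
        patterns: ["org.jetbrains.kotlin*"]
      networking:
        patterns: ["com.squareup.okhttp3:*", "com.squareup.retrofit2:*"]
      android-gradle-plugin:
        patterns: ["com.android.application", "com.android.library"]
    # Config-file equivalent of commenting "@dependabot ignore this major version"
    # on a PR (hypothetical entry). Use sparingly: a long-lived major ignore can
    # also hide releases that carry security fixes.
    ignore:
      - dependency-name: "androidx.compose:compose-bom"
        update-types: ["version-update:semver-major"]

  # Gradle project 2. Dependabot's YAML parser does not honour anchors/aliases,
  # so the groups block cannot be referenced and is repeated here (flow style
  # only to keep the example short; the content is identical).
  - package-ecosystem: "gradle"
    directory: "/sample-compose"
    schedule: { interval: "weekly", day: "monday", time: "09:00", timezone: "Etc/UTC" }
    open-pull-requests-limit: 5
    reviewers: ["nimblehq/android-team"]
    labels: ["type : chore"]
    commit-message: { prefix: "[Chore]" }
    groups:
      testing: { patterns: ["*test*", "io.mockk:*", "app.cash.turbine:*", "io.kotest:*", "org.robolectric:*"] }
      compose: { patterns: ["androidx.compose*"] }
      androidx: { patterns: ["androidx.*"], exclude-patterns: ["androidx.compose*", "androidx.test:*"] }
      kotlin: { patterns: ["org.jetbrains.kotlin*"] }
      networking: { patterns: ["com.squareup.okhttp3:*", "com.squareup.retrofit2:*"] }
      android-gradle-plugin: { patterns: ["com.android.application", "com.android.library"] }

  # Workflow actions. directory "/" makes Dependabot scan .github/workflows/.
  # No groups: action bumps are independent, and separate PRs make it obvious
  # which third-party action changed, which matters when actions are SHA-pinned.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule: { interval: "weekly", day: "monday", time: "09:00", timezone: "Etc/UTC" }
    open-pull-requests-limit: 3
    reviewers: ["nimblehq/android-team"]
    labels: ["type : chore"]
    commit-message: { prefix: "[Chore]" }
```

Dependabot reads this file from the repository's default branch. A review request to `nimblehq/android-team` is only a request, so a branch-protection rule (required reviews, CODEOWNERS) is still what gates the merge. Grouped PRs also roll several changelogs into one, so the "deep review" the guide asks for on AndroidX major updates means reading each bumped artifact's release notes, not just the group PR title.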

@coderabbitai

coderabbitai bot commented Jan 8, 2026

📝 Walkthrough

Walkthrough

Introduces automated dependency management through Dependabot configuration. A new guide documents Dependabot usage for Gradle and GitHub Actions, while a configuration file specifies weekly update schedules, dependency grouping, and PR handling for template and sample projects. README is updated to reference the new dependency management process.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Dependabot Configuration: `.github/DEPENDABOT.md`, `.github/dependabot.yml` | Added comprehensive Dependabot setup guide documenting package ecosystems (Gradle, GitHub Actions), scheduling (Mondays 09:00 UTC), dependency grouping by category (androidx, compose, kotlin, networking, etc.), PR limits, and management commands. Configuration targets template-compose and sample-compose directories with group-specific labels. |
| Documentation Update: `README.md` | Added "Dependency Management" section referencing Dependabot usage for weekly Gradle and GitHub Actions updates, with link to the new configuration guide. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

`type : chore`

Suggested reviewers

  • minhnimble
  • luongvo
  • hoangnguyen92dn
  • chornerman
  • ryan-conway

Poem

🐰 A config so neat, dependencies sweet,
Dependabot hops with automated feet,
Weekly updates, organized stacks,
Keep gradle and actions from falling through cracks!

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The pull request title accurately summarizes the main change: adding Dependabot configuration for automated dependency updates, which is reflected across all modified files.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



🧹 Recent nitpick comments

.github/DEPENDABOT.md (2)

105-133: Add language specifiers to fenced code blocks for consistency.

The Dependabot command examples lack language specifiers. While not critical, adding `text` or `shell` would improve markdown linting compliance and editor rendering.

📝 Suggested fix

````diff
-```
+```text
 `@dependabot` ignore this major version
 `@dependabot` ignore this minor version
 `@dependabot` ignore this dependency
````
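Review bot: of the two tags the note offers, `text` is the right one for this hunk; these lines are commands typed into a PR comment, not a shell, and a `shell` tag would invite syntax highlighting that misreads `@dependabot` and the inline backticks. Use `text` for the `@dependabot rebase` and `@dependabot recreate` blocks as well so all three render the same way.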

Apply similar changes to the `@dependabot rebase` and `@dependabot recreate` blocks.

---

180-180: Consider using HTTPS for external link.

The YAML Lint link uses HTTP. For security best practices, prefer HTTPS when available.

🔒 Suggested fix

```diff
-2. Validate YAML syntax: [YAML Lint](http://www.yamllint.com/)
+2. Validate YAML syntax: [YAML Lint](https://www.yamllint.com/)
```
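Review bot: the `http://` to `https://` swap is only correct if the host actually serves TLS, so confirm `https://www.yamllint.com/` loads before committing the link. Separately, pointing contributors at a third-party web linter means pasting `dependabot.yml` (team names, labels, directory layout) into an external site; a local `yamllint` run, or simply pushing the file and checking the repository's Dependabot tab for parse errors, validates the syntax without sending it off-site.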

📜 Recent review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 80db41c and f5c7f07.

📒 Files selected for processing (3)
  • .github/DEPENDABOT.md
  • .github/dependabot.yml
  • README.md
🧰 Additional context used
🪛 LanguageTool
README.md

[uncategorized] ~54-~54: The official name of this software platform is spelled with a capital “H”.
Context: ...gement This repository uses Dependabot to automatically keep de...

(GITHUB)


[uncategorized] ~56-~56: The official name of this software platform is spelled with a capital “H”.
Context: ... See the Dependabot Configuration Guide for details on how it wo...

(GITHUB)

.github/DEPENDABOT.md

[uncategorized] ~14-~14: The official name of this software platform is spelled with a capital “H”.
Context: ...| GitHub Actions | All workflows in .github/workflows/ | Weekly (Mondays, 09:00 UT...

(GITHUB)


[style] ~92-~92: Consider a different adjective to strengthen your wording.
Context: ...ing changes noted in changelog #### 🔍 Deep Review Required - AndroidX major updat...

(DEEP_PROFOUND)


[uncategorized] ~111-~111: The official name of this software platform is spelled with a capital “H”.
Context: ...t ignore this dependency Or add to `.github/dependabot.yml`: yaml ignore: - d...

(GITHUB)

🪛 markdownlint-cli2 (0.18.1)
.github/DEPENDABOT.md

28-28: Fenced code blocks should have a language specified

(MD040, fenced-code-language)


38-38: Fenced code blocks should have a language specified

(MD040, fenced-code-language)


42-42: Fenced code blocks should have a language specified

(MD040, fenced-code-language)


46-46: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🔇 Additional comments (6)
README.md (1)

52-56: LGTM!

The new Dependency Management section is well-placed and provides clear, concise information about Dependabot usage with appropriate links to the detailed configuration guide.

Note: The static analysis warnings about .github paths are false positives—the lowercase .github is the correct directory name on the filesystem.

.github/DEPENDABOT.md (1)

1-227: Well-structured and comprehensive documentation.

The guide covers all essential aspects: configuration overview, review workflows, management commands, and troubleshooting. The content accurately reflects the dependabot.yml configuration and provides practical guidance for the team.

.github/dependabot.yml (4)

93-134: Acknowledged: Group duplication is unavoidable.

The duplicated group configuration between template-compose and sample-compose is expected since Dependabot's YAML parser doesn't support YAML anchors. The comment on line 93 appropriately documents this.


136-155: LGTM!

The GitHub Actions configuration is well-structured with appropriate PR limits (3) and correct directory specification. The lack of grouping is acceptable since GitHub Actions updates are typically independent.


56-63: The *test* pattern in the testing group is appropriate for this repository. All dependencies matching this pattern (test-core-ktx, test-junit, test-kotlinx-coroutines-test, test-kotest-assertions-core, test-mockk, test-turbine, test-compose-ui, test-robolectric, test-rules) are legitimate test dependencies with no false positives.


1-5: No issues found. All Dependabot v2 configuration options used in the file are current and valid as of 2025. The configuration properly uses supported features including schedule options (interval, day, time, timezone), dependency grouping with pattern matching, labels, reviewers, commit message formatting, and pull request limits. The implementation follows Dependabot best practices.




@github-actions

github-actions bot commented Jan 8, 2026

12 Warnings
⚠️ Uh oh! Your project is under 80% coverage!
⚠️ template-compose/gradle/libs.versions.toml#L10 - A newer version of androidx.compose:compose-bom than 2025.02.00 is available: 2025.12.01
⚠️ template-compose/gradle/libs.versions.toml#L12 - A newer version of androidx.navigation:navigation-compose than 2.5.3 is available: 2.9.6
⚠️ template-compose/gradle/libs.versions.toml#L13 - A newer version of androidx.core:core-ktx than 1.15.0 is available: 1.17.0
⚠️ template-compose/gradle/libs.versions.toml#L14 - A newer version of androidx.datastore:datastore-preferences than 1.1.3 is available: 1.2.0
⚠️ template-compose/gradle/libs.versions.toml#L17 - A newer version of com.android.application than 8.8.2 is available: 8.13.2
⚠️ template-compose/gradle/libs.versions.toml#L17 - A newer version of com.android.library than 8.8.2 is available: 8.13.2
⚠️ template-compose/gradle/libs.versions.toml#L19 - A newer version of androidx.hilt:hilt-navigation-compose than 1.2.0 is available: 1.3.0
⚠️ template-compose/gradle/libs.versions.toml#L28 - A newer version of androidx.lifecycle:lifecycle-runtime-compose than 2.8.7 is available: 2.10.0
⚠️ template-compose/gradle/libs.versions.toml#L28 - A newer version of androidx.lifecycle:lifecycle-runtime-ktx than 2.8.7 is available: 2.10.0
⚠️ template-compose/gradle/libs.versions.toml#L35 - A newer version of androidx.security:security-crypto than 1.0.0 is available: 1.1.0
⚠️ template-compose/gradle/libs.versions.toml#L36 - A newer version of androidx.test:core-ktx than 1.6.1 is available: 1.7.0

Kover report for template-compose:

🧛 Template - Compose Unit Tests Code Coverage: 62.15%

Coverage of Modified Files:

File Coverage

Modified Files Not Found In Coverage Report:

DEPENDABOT.md
README.md
dependabot.yml

Codebase cunningly covered by count Shroud 🧛

Generated by 🚫 Danger

@thawzintoe-ptut
Contributor Author

Sorry, I will create this PR again after we discuss with the team 🙏
