chore(ci): enable Dependabot #435

Open

dimakis wants to merge 1 commit into main from chore/enable-dependabot

Conversation

@dimakis (Owner) commented Jul 4, 2026
Summary

  • Adds .github/dependabot.yml to enable automated dependency update PRs
  • Configures three ecosystems:
    • npm — weekly on Mondays, with minor+patch updates grouped into single PRs
    • Docker — weekly on Mondays for base image updates
    • GitHub Actions — weekly on Mondays for CI workflow action versions

Test plan

  • Verify Dependabot picks up the config after merge (check Settings > Dependabot in the repo)
  • Confirm first batch of PRs arrives on the next Monday

🤖 Generated with Claude Code

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

@dimakis (Owner, Author) left a comment

Centaur Review

Found 1 issue(s) (1 warning).

.github/dependabot.yml

Solid Dependabot config; one npm directory (mcp-server/) is outside the workspace and will be missed.

  • 🟡 bugs (L3): The mcp-server/ directory has its own package.json and package-lock.json outside the npm workspaces (root workspaces are packages/* and frontend). Dependabot's npm entry with directory: / will only scan the root lockfile and won't monitor mcp-server/ dependencies. Add a second npm ecosystem entry with directory: /mcp-server. [fixable]

Comment thread .github/dependabot.yml
@@ -0,0 +1,20 @@
version: 2
updates:
- package-ecosystem: npm
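Review bot: the npm entry that starts here, with the `directory: /` setting the review summary cites, resolves only the root package-lock.json, so the standalone `mcp-server/` lockfile flagged above stays unmonitored and its pins never receive version bumps from this file; when the second npm entry with `directory: /mcp-server` is added, give it the same `schedule` and `groups` so both lockfiles are bumped in the same Monday batch instead of drifting apart.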

dimakis (Owner, Author) commented:

🟡 bugs: The mcp-server/ directory has its own package.json and package-lock.json outside the npm workspaces (root workspaces are packages/* and frontend). Dependabot's npm entry with directory: / will only scan the root lockfile and won't monitor mcp-server/ dependencies. Add a second npm ecosystem entry with directory: /mcp-server. [fixable]

@dimakis (Owner, Author) left a comment

Centaur Review

Found 1 issue(s).

.github/dependabot.yml

Clean Dependabot config; minor gap: the standalone mcp-server/ package isn't covered by the root npm entry since it's not a workspace member.

  • 🔵 unsafe_assumptions (L3): The npm ecosystem entry uses directory: / which covers the root workspace, but this is an npm workspace monorepo with mcp-server/ having its own package.json outside the workspace config. Dependabot should handle workspace packages under packages/* and frontend/ automatically since they're declared in root workspaces, but mcp-server/ is not a workspace member — consider adding a separate npm entry with directory: /mcp-server so its dependencies also get updates. [fixable]

Comment thread .github/dependabot.yml
@@ -0,0 +1,20 @@
version: 2
updates:
- package-ecosystem: npm

dimakis (Owner, Author) commented:

🔵 unsafe_assumptions: The npm ecosystem entry uses directory: / which covers the root workspace, but this is an npm workspace monorepo with mcp-server/ having its own package.json outside the workspace config. Dependabot should handle workspace packages under packages/* and frontend/ automatically since they're declared in root workspaces, but mcp-server/ is not a workspace member — consider adding a separate npm entry with directory: /mcp-server so its dependencies also get updates. [fixable]

@dimakis (Owner, Author) left a comment

Centaur Review

Found 2 issue(s).

.github/dependabot.yml

Clean Dependabot config; the docker ecosystem entry is inert (no Dockerfile exists — compose images need docker-compose ecosystem instead), and npm major bumps will arrive as individual PRs.

  • 🔵 unsafe_assumptions (L11): The docker ecosystem entry monitors Dockerfiles for base image updates, but this repo has no Dockerfile — it only uses pre-built images in docker-compose.yml (Jaeger, Loki, Grafana, MLflow). Dependabot's docker ecosystem won't update docker-compose.yml image tags; it only parses FROM directives in Dockerfiles. This entry is inert and can be removed to avoid confusion. If the intent is to track compose image versions, Dependabot added docker-compose ecosystem support — use package-ecosystem: docker-compose with directory: / instead. [fixable]
  • 🔵 style (L9): The npm grouping only covers minor and patch updates. Major version bumps will arrive as individual PRs (one per package), which could be noisy. Consider adding a separate major group or an open-pull-requests-limit to cap PR volume. [fixable]

Comment thread .github/dependabot.yml
groups:
minor-and-patch:
update-types: [minor, patch]
- package-ecosystem: docker
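Review bot: the `minor-and-patch` group bundles every minor and patch bump into one PR, so a single grouped lockfile diff can carry dozens of package changes and one package's broken or compromised release rides along with, or blocks, all the others; consider splitting the group with `patterns:` (per scope or per toolchain) so a bad bump can be isolated and reverted on its own, and review the grouped PR's lockfile diff per package rather than auto-merging the batch.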

dimakis (Owner, Author) commented:

🔵 unsafe_assumptions: The docker ecosystem entry monitors Dockerfiles for base image updates, but this repo has no Dockerfile — it only uses pre-built images in docker-compose.yml (Jaeger, Loki, Grafana, MLflow). Dependabot's docker ecosystem won't update docker-compose.yml image tags; it only parses FROM directives in Dockerfiles. This entry is inert and can be removed to avoid confusion. If the intent is to track compose image versions, Dependabot added docker-compose ecosystem support — use package-ecosystem: docker-compose with directory: / instead. [fixable]

Comment thread .github/dependabot.yml
interval: weekly
day: monday
groups:
minor-and-patch:
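Review bot: the weekly Monday `schedule` here governs version updates only; Dependabot security updates are triggered by advisories independently of this file and are switched on under the repository's security settings, so the test plan's Settings > Dependabot check should confirm that toggle as well, otherwise a vulnerable pin published mid-week can sit until this cadence next runs.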

dimakis (Owner, Author) commented:

🔵 style: The npm grouping only covers minor and patch updates. Major version bumps will arrive as individual PRs (one per package), which could be noisy. Consider adding a separate major group or an open-pull-requests-limit to cap PR volume. [fixable]
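Pulling the three review findings together (the unmonitored mcp-server/ lockfile, the inert docker entry, and ungrouped major bumps), here is a dependabot.yml that closes them. This is an added illustration, not the file in the PR; the /mcp-server path, the docker-compose ecosystem and the workspace layout are taken from the review comments above, and the open-pull-requests-limit value is an assumed choice.

```yaml
# Added illustration: a dependabot.yml that addresses the review findings above.
# Not the file from this PR; paths and groupings follow the review comments.
version: 2
updates:
  # Root npm workspace (packages/* and frontend are workspace members per the review).
  - package-ecosystem: npm
    directory: /
    schedule:
      interval: weekly
      day: monday
    open-pull-requests-limit: 10      # assumed cap on open version-update PRs for this entry
    groups:
      minor-and-patch:
        update-types: [minor, patch]  # one grouped PR for low-risk bumps
      major:
        update-types: [major]         # majors land together instead of one PR per package

  # Standalone package outside the workspaces; its own package-lock.json is
  # otherwise never scanned because the root entry only resolves the root lockfile.
  - package-ecosystem: npm
    directory: /mcp-server
    schedule:
      interval: weekly
      day: monday
    groups:
      minor-and-patch:
        update-types: [minor, patch]

  # The repo has no Dockerfile (per review), so the docker ecosystem is replaced
  # by docker-compose, which bumps image tags referenced in docker-compose.yml.
  - package-ecosystem: docker-compose
    directory: /
    schedule:
      interval: weekly
      day: monday

  # CI workflow action versions, unchanged from the PR description.
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
      day: monday
```

Security updates driven by advisories are not scheduled by this file and must be enabled separately in the repository's security settings.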
