
Add Dependabot configuration for dependency updates #34

Merged: rammrain merged 1 commit into main from task-7 on Apr 10, 2026

Conversation

@rammrain (Member) commented Apr 10, 2026

Summary

  • Add .github/dependabot.yml to automatically monitor and update dependencies
  • Configure two ecosystems: Gradle (Java dependencies) and GitHub Actions (workflow action versions)
  • Set weekly update schedule with dependencies label for Gradle and dependencies + ci labels for Actions
  • Group minor/patch Gradle updates and all Actions updates to minimize PR noise

Closes #7

Test plan

  • Verify Dependabot picks up the configuration on next scheduled run
  • Confirm PRs are opened with correct labels and grouping

🤖 Generated with Claude Code

Summary by CodeRabbit

Release Notes

  • Chores
    • Added automated dependency management configuration for Gradle and GitHub Actions updates.

Configure Dependabot to monitor Gradle dependencies and GitHub Actions
versions with weekly checks, labels for easy filtering, and grouping
of minor/patch updates to reduce PR noise.

Closes #7

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
coderabbitai (Bot) commented Apr 10, 2026

📝 Walkthrough

Added .github/dependabot.yml to configure GitHub Dependabot for automated dependency updates. Configures weekly updates for Gradle dependencies and GitHub Actions workflows with grouping strategies for minor and patch updates. Both are labelled dependencies.

Changes

Cohort / File(s): Dependabot Configuration (.github/dependabot.yml)
Summary: Introduced Dependabot version 2 configuration defining weekly update schedules for Gradle and GitHub Actions ecosystems. Minor and patch updates are grouped to reduce PR volume. Labels applied for organisation and filtering.

Estimated Code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 A configuration so neat,
Dependabot keeps us up to date!
Gradle and Actions on a schedule,
Grouped together, reducing hassle,
Dependencies managed with rabbit-approved care! 🐇

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The pull request title accurately and concisely describes the main change: adding Dependabot configuration for dependency updates.
Linked Issues check ✅ Passed The pull request implements all primary coding requirements from issue #7: adds .github/dependabot.yml, configures gradle and github-actions ecosystems, sets weekly schedule, groups minor/patch updates, applies labels, and configures grouping patterns.
Out of Scope Changes check ✅ Passed The pull request contains only the .github/dependabot.yml configuration file, which is entirely in scope with issue #7 objectives; no extraneous changes are present.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@rammrain (Member, Author) commented: @coderabbitai review

coderabbitai (Bot) commented Apr 10, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.


coderabbitai (Bot) left a review comment:

🧹 Nitpick comments (3)
.github/dependabot.yml (3)

3-25: Optional: Consider adding reviewers or assignees.

The linked issue #7 mentions adding reviewers/assignees "as appropriate". If your team would benefit from automatic assignment of Dependabot PRs, consider adding the reviewers or assignees field to one or both ecosystem configurations.

This is entirely optional if you manage code review assignments through other means (e.g., CODEOWNERS or manual assignment).

📋 Example configuration with reviewers
  - package-ecosystem: "gradle"
    directory: "/"
    schedule:
      interval: "weekly"
    labels:
      - "dependencies"
    reviewers:
      - "team-name"
      - "username"
    groups:
      minor-and-patch:
        update-types:
          - "minor"
          - "patch"
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/dependabot.yml around lines 3-25, add optional automatic reviewers
or assignees to Dependabot configs by inserting a reviewers: or assignees: list
under the package-ecosystem entries (e.g., the package-ecosystem: "gradle"
and/or package-ecosystem: "github-actions" blocks); use your team or user
handles (for example "team-name" or "username") and ensure proper YAML
indentation to match the existing schedule/labels/groups structure so Dependabot
will auto-request reviews or assign PRs as desired.

3-13: Consider adding open-pull-requests-limit for better control.

The Gradle configuration is well-structured with appropriate grouping of minor and patch updates. However, consider explicitly setting open-pull-requests-limit to control the maximum number of concurrent Dependabot PRs (default is 5).

Note: Major version updates are intentionally excluded from grouping, which is a good safety practice as they may contain breaking changes.

⚙️ Suggested configuration addition
   - package-ecosystem: "gradle"
     directory: "/"
     schedule:
       interval: "weekly"
+    open-pull-requests-limit: 5
     labels:
       - "dependencies"
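Review bot: The added `open-pull-requests-limit: 5` restates the default that this same comment quotes ("default is 5"), so applying the hunk changes no Dependabot behaviour. If the aim is to throttle concurrent Gradle PRs, pick a value below 5; if the aim is only to make the cap visible in the file, mark it as such with a YAML comment on that line rather than presenting it as a new control.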
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/dependabot.yml around lines 3-13, add an explicit
open-pull-requests-limit setting to the Dependabot config to cap concurrent PRs;
modify the block that contains package-ecosystem: "gradle" and groups:
minor-and-patch by adding open-pull-requests-limit: <desired-number> (e.g., 5)
at the same indentation level as schedule and labels so Dependabot will enforce
the maximum concurrent PRs.

15-25: Consider adding open-pull-requests-limit for consistency.

The GitHub Actions grouping configuration is correctly configured. The wildcard pattern "*" is valid and will group all action updates into a single pull request, reducing dependency management overhead.

For consistency with other package ecosystems in the configuration, consider explicitly setting open-pull-requests-limit:

⚙️ Suggested configuration addition
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "weekly"
+    open-pull-requests-limit: 5
     labels:
       - "dependencies"
       - "ci"
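Review bot: As with the Gradle block, `open-pull-requests-limit: 5` is Dependabot's default, so this hunk adds documentation, not a new limit, and because the `"*"` pattern collapses every action update into one grouped PR the cap is unlikely to be reached at all. The consistency gap worth closing is in the grouping rather than the limit: the Gradle group deliberately keeps major versions out of the grouped PR, while the Actions wildcard pulls major action bumps in alongside minor ones; consider a separate Actions group with `update-types: ["major"]` so a breaking action upgrade is reviewed on its own.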
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/dependabot.yml around lines 15-25, add an explicit
open-pull-requests-limit to the GitHub Actions dependabot configuration so the
actions group (groups.actions / patterns: "*") won't open an unbounded number of
PRs; update the package-ecosystem block for "github-actions" to include
open-pull-requests-limit: 5 (or your preferred limit) directly under that
ecosystem's configuration.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 126b59a2-247d-4f19-9ca5-987c25b189c8

📥 Commits

Reviewing files that changed from the base of the PR and between e9e6092 and c0f43ba.

📒 Files selected for processing (1)
  • .github/dependabot.yml
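The configuration that the PR description (two ecosystems, weekly schedule, labels, grouping) and the review suggestions above describe, assembled here as an added example; the merged .github/dependabot.yml itself is not shown on this page, so field values are taken from the description and the review snippets, and the open-pull-requests-limit lines are the reviewer's suggestion rather than known merged content.

```yaml
# .github/dependabot.yml, reconstructed from the PR description and review
# (added example; not the file merged in this PR)
version: 2
updates:
  # Gradle: Java dependencies, checked once a week
  - package-ecosystem: "gradle"
    directory: "/"
    schedule:
      interval: "weekly"
    # Reviewer suggestion. 5 is Dependabot's default, so this line only
    # documents the cap; lower it if you actually want fewer concurrent PRs.
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
    groups:
      # Minor and patch bumps land in one PR; major versions are left out so
      # a potentially breaking upgrade gets its own review.
      minor-and-patch:
        update-types:
          - "minor"
          - "patch"

  # GitHub Actions: workflow action versions, checked once a week
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    # Reviewer suggestion, same caveat as above.
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
      - "ci"
    groups:
      # "*" puts every action update, majors included, into a single PR.
      actions:
        patterns:
          - "*"
```

Dependabot reads this file from the default branch on the next scheduled run, which is what the PR's test plan relies on to confirm labels and grouping.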

@rammrain rammrain merged commit 1cc27bf into main Apr 10, 2026
6 checks passed
@rammrain rammrain deleted the task-7 branch April 10, 2026 09:46


Development: Successfully merging this pull request may close issue "Set up Dependabot for dependency updates".

1 participant