chore: configure dependabot for all ecosystems

Skeptic-systems · Skeptic-systems · commit 9b9fd9475cdc · 2026-01-03T19:53:34.000+01:00
- Added .github/dependabot.yml with daily updates at 04:00 CET
- Configured npm ecosystem for pnpm monorepo at root directory
- Configured cargo ecosystem for Rust/Tauri at apps/desktop/src-tauri
- Configured github-actions ecosystem for workflow automation
- Configured docker ecosystem for apps/docs and apps/www containers
- Added dependency grouping to reduce PR noise (tauri, react, ai-sdk, etc.)
- Updated README with Dependabot enablement instructions
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,207 @@
+# Dependabot configuration for MiniFy monorepo
+# Docs: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+
+updates:
+  # ============================================================================
+  # NPM (pnpm monorepo) - Root directory
+  # Covers: root, apps/desktop, apps/docs, apps/www via single lockfile
+  # ============================================================================
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "daily"
+      time: "04:00"
+      timezone: "Europe/Berlin"
+    open-pull-requests-limit: 20
+    rebase-strategy: "auto"
+    labels:
+      - "dependencies"
+    commit-message:
+      prefix: "deps"
+      prefix-development: "deps(dev)"
+    groups:
+      npm-tauri:
+        patterns:
+          - "@tauri-apps/*"
+          - "tauri-*"
+      npm-react:
+        patterns:
+          - "react"
+          - "react-dom"
+          - "@types/react"
+          - "@types/react-dom"
+      npm-ai-sdk:
+        patterns:
+          - "ai"
+          - "@ai-sdk/*"
+      npm-radix:
+        patterns:
+          - "@radix-ui/*"
+      npm-astro-starlight:
+        patterns:
+          - "astro"
+          - "@astrojs/*"
+      npm-next:
+        patterns:
+          - "next"
+          - "next-*"
+      npm-tailwind:
+        patterns:
+          - "tailwindcss"
+          - "@tailwindcss/*"
+          - "tailwind-*"
+          - "tailwindcss-*"
+          - "tw-*"
+      npm-vite:
+        patterns:
+          - "vite"
+          - "@vitejs/*"
+      npm-typescript:
+        patterns:
+          - "typescript"
+          - "@types/*"
+      npm-tooling:
+        patterns:
+          - "@biomejs/*"
+          - "turbo"
+          - "@turbo/*"
+          - "lefthook"
+          - "@changesets/*"
+      npm-runtime-misc:
+        patterns:
+          - "*"
+        exclude-patterns:
+          - "@tauri-apps/*"
+          - "tauri-*"
+          - "react"
+          - "react-dom"
+          - "@types/react"
+          - "@types/react-dom"
+          - "ai"
+          - "@ai-sdk/*"
+          - "@radix-ui/*"
+          - "astro"
+          - "@astrojs/*"
+          - "next"
+          - "next-*"
+          - "tailwindcss"
+          - "@tailwindcss/*"
+          - "tailwind-*"
+          - "tailwindcss-*"
+          - "tw-*"
+          - "vite"
+          - "@vitejs/*"
+          - "typescript"
+          - "@types/*"
+          - "@biomejs/*"
+          - "turbo"
+          - "@turbo/*"
+          - "lefthook"
+          - "@changesets/*"
+
+  # ============================================================================
+  # Cargo (Rust/Tauri) - Desktop app backend
+  # ============================================================================
+  - package-ecosystem: "cargo"
+    directory: "/apps/desktop/src-tauri"
+    schedule:
+      interval: "daily"
+      time: "04:00"
+      timezone: "Europe/Berlin"
+    open-pull-requests-limit: 20
+    rebase-strategy: "auto"
+    labels:
+      - "dependencies"
+      - "rust"
+    commit-message:
+      prefix: "deps(rust)"
+    groups:
+      cargo-tauri:
+        patterns:
+          - "tauri"
+          - "tauri-*"
+      cargo-serde:
+        patterns:
+          - "serde"
+          - "serde_*"
+      cargo-async:
+        patterns:
+          - "tokio"
+          - "axum"
+          - "reqwest"
+      cargo-misc:
+        patterns:
+          - "*"
+        exclude-patterns:
+          - "tauri"
+          - "tauri-*"
+          - "serde"
+          - "serde_*"
+          - "tokio"
+          - "axum"
+          - "reqwest"
+
+  # ============================================================================
+  # GitHub Actions - Workflow automation
+  # ============================================================================
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+      time: "04:00"
+      timezone: "Europe/Berlin"
+    open-pull-requests-limit: 10
+    rebase-strategy: "auto"
+    labels:
+      - "dependencies"
+      - "github-actions"
+    commit-message:
+      prefix: "deps(actions)"
+    groups:
+      actions-all:
+        patterns:
+          - "*"
+
+  # ============================================================================
+  # Docker - Docs container
+  # ============================================================================
+  - package-ecosystem: "docker"
+    directory: "/apps/docs"
+    schedule:
+      interval: "daily"
+      time: "04:00"
+      timezone: "Europe/Berlin"
+    open-pull-requests-limit: 5
+    rebase-strategy: "auto"
+    labels:
+      - "dependencies"
+      - "docker"
+    commit-message:
+      prefix: "deps(docker)"
+    groups:
+      docker-docs:
+        patterns:
+          - "*"
+
+  # ============================================================================
+  # Docker - WWW container
+  # ============================================================================
+  - package-ecosystem: "docker"
+    directory: "/apps/www"
+    schedule:
+      interval: "daily"
+      time: "04:00"
+      timezone: "Europe/Berlin"
+    open-pull-requests-limit: 5
+    rebase-strategy: "auto"
+    labels:
+      - "dependencies"
+      - "docker"
+    commit-message:
+      prefix: "deps(docker)"
+    groups:
+      docker-www:
+        patterns:
+          - "*"
diff --git a/README.md b/README.md
@@ -242,5 +242,25 @@ This includes Spotify tokens and AI API keys. No credentials are stored in plain
 | 📋 Roadmap | [Project Board](https://github.com/orgs/ModioStudio/projects/2) |
 | 💬 Discord | [discord.gg/haNyuz2zQ5](https://discord.gg/haNyuz2zQ5) |
 
+## Dependency Management
+
+This project uses [Dependabot](https://docs.github.com/en/code-security/dependabot) to keep dependencies up-to-date automatically.
+
+### Enable Dependabot (Repository Admins)
+
+1. **Dependency Graph** — Go to **Settings → Security → Code security** and enable "Dependency graph"
+2. **Dependabot Alerts** — Enable "Dependabot alerts" for security vulnerability notifications
+3. **Dependabot Security Updates** — Enable "Dependabot security updates" for automatic security PRs
+4. **Dependabot Version Updates** — Already configured via `.github/dependabot.yml`, runs daily at 04:00 CET
+
+### Covered Ecosystems
+
+| Ecosystem | Directory | Description |
+|-----------|-----------|-------------|
+| npm | `/` | pnpm monorepo (all JS/TS packages) |
+| cargo | `/apps/desktop/src-tauri` | Rust/Tauri dependencies |
+| github-actions | `/` | GitHub Actions workflows |
+| docker | `/apps/docs`, `/apps/www` | Docker base images |
+
 ## License
 Licensed under the MIT License. See `LICENSE` for details.
