ci: add Dependabot configuration for automated dependency PRs #34

Description

@snowrugar-beep

Problem Statement

A manual dependency update workflow exists (infrastructure/ci/dependency-updates.yml) but there is no Dependabot configuration. Dependabot provides automated PRs for individual dependency updates with changelog links and compatibility scores.

Evidence

  • No .github/dependabot.yml file
  • Manual CI workflow exists for weekly updates

Impact

Dependency updates require manual CI trigger. Security patches for critical vulnerabilities may be delayed.

Proposed Solution

Create .github/dependabot.yml with package ecosystems: npm (Backend, Frontend, Analytics), cargo (Contracts). Configure weekly schedule, reviewer assignment, and labels.

Technical Requirements

  • Must cover all package ecosystems
  • Must assign appropriate reviewers
  • Must label with 'dependencies' and 'automation'

Acceptance Criteria

  1. Dependabot checks for updates weekly
  2. PRs are created with changelog and compatibility info
  3. PRs have correct labels
  4. No duplicate PRs with manual workflow
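A concrete `.github/dependabot.yml` that meets the Proposed Solution, Technical Requirements and Acceptance Criteria above, as an added example (not a file from this repository or from the issue author). The directory paths `/backend`, `/frontend`, `/analytics` and `/contracts` and the reviewer handle `REPLACE_WITH_REVIEWER` are assumptions standing in for the real repository layout and team.

```yaml
# .github/dependabot.yml  (added example; paths and reviewer are placeholders)
version: 2
updates:
  # npm ecosystem: one entry per package root named in the issue
  - package-ecosystem: "npm"
    directory: "/backend"            # assumed path of the Backend package
    schedule:
      interval: "weekly"
      day: "monday"
    reviewers:
      - "REPLACE_WITH_REVIEWER"      # placeholder GitHub user or org/team
    labels:
      - "dependencies"
      - "automation"
    open-pull-requests-limit: 10
    groups:
      # batch minor/patch bumps into one PR; major bumps stay individual
      minor-and-patch:
        update-types: ["minor", "patch"]

  - package-ecosystem: "npm"
    directory: "/frontend"           # assumed path of the Frontend package
    schedule:
      interval: "weekly"
      day: "monday"
    reviewers:
      - "REPLACE_WITH_REVIEWER"
    labels:
      - "dependencies"
      - "automation"
    open-pull-requests-limit: 10
    groups:
      minor-and-patch:
        update-types: ["minor", "patch"]

  - package-ecosystem: "npm"
    directory: "/analytics"          # assumed path of the Analytics package
    schedule:
      interval: "weekly"
      day: "monday"
    reviewers:
      - "REPLACE_WITH_REVIEWER"
    labels:
      - "dependencies"
      - "automation"
    open-pull-requests-limit: 10
    groups:
      minor-and-patch:
        update-types: ["minor", "patch"]

  # cargo ecosystem for the Contracts crate
  - package-ecosystem: "cargo"
    directory: "/contracts"          # assumed path of the Contracts crate
    schedule:
      interval: "weekly"
      day: "monday"
    reviewers:
      - "REPLACE_WITH_REVIEWER"
    labels:
      - "dependencies"
      - "automation"
    open-pull-requests-limit: 10
    groups:
      minor-and-patch:
        update-types: ["minor", "patch"]
```

Two points worth checking when this lands: for acceptance criterion 4, the existing `infrastructure/ci/dependency-updates.yml` should have its schedule trigger removed (or be restricted to manual `workflow_dispatch`) so the two mechanisms do not open competing PRs for the same bump. Also, this file configures Dependabot version updates only; security updates for vulnerable dependencies are a separate repository setting (Settings > Code security and analysis > Dependabot security updates) and should be enabled there for the "security patches are applied promptly" goal to hold.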

File Inventory

  • .github/dependabot.yml (new)

Dependencies

None.

Testing Strategy

  • Verify Dependabot appears in GitHub Insights > Dependency graph

Security Considerations

Automated dependency updates ensure security patches are applied promptly.

Definition of Done

  • dependabot.yml created
  • Config validated

Metadata

Assignees

No one assigned

Labels

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests