From 8b9b30a7b9c3ffe079005077ccb9e38ad60d01a1 Mon Sep 17 00:00:00 2001
From: "cmeans-claude-dev[bot]" <272174644+cmeans-claude-dev[bot]@users.noreply.github.com>
Date: Sun, 26 Apr 2026 13:00:45 -0500
Subject: [PATCH 1/3] chore: add dependabot version-update configuration
Adds .github/dependabot.yml tracking pip and github-actions ecosystems on a weekly Monday 06:00 CT schedule, grouped per ecosystem with chore(deps) commit prefix. Mirrors the config shipped to cmeans/pypi-winnow-downloads but omits the docker ecosystem since this repo has no Docker deployment. Labels dependencies, python, and github-actions already exist on the repo so PRs will be categorized on creation.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/dependabot.yml | 62 ++++++++++++++++++++++++++++++++++++++++++
 CHANGELOG.md | 8 ++++++
 2 files changed, 70 insertions(+)
 create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..20fcbbe
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,62 @@
+# Dependabot version-update configuration for mcp-clipboard.
+#
+# Two ecosystems are tracked:
+# - pip: runtime + dev dependencies declared in
+# pyproject.toml (also picks up uv.lock so bumps
+# stay reproducible)
+# - github-actions: workflow files under .github/workflows/
+# (CI matrix, publish workflows, label automation)
+#
+# Schedule is weekly (Monday 06:00 America/Chicago) so PRs don't pile
+# up faster than they can be reviewed solo. Each ecosystem groups its
+# updates into a single PR per week to reduce notification noise.
+#
+# Labels named here are applied only if they already exist on the
+# repo; Dependabot does not auto-create labels. The label-automation
+# workflows handle the QA-flow labels separately.
+#
+# Docs:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+ # Python deps: pyproject.toml + uv.lock at the repo root.
+ # Covers runtime (mcp[cli]) and dev extras (pytest, pytest-asyncio).
+ - package-ecosystem: "pip"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "monday"
+ time: "06:00"
+ timezone: "America/Chicago"
+ open-pull-requests-limit: 5
+ groups:
+ python:
+ patterns:
+ - "*"
+ labels:
+ - "dependencies"
+ - "python"
+ commit-message:
+ prefix: "chore(deps)"
+ include: "scope"
+
+ # GitHub Actions used by .github/workflows/*.yml.
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "monday"
+ time: "06:00"
+ timezone: "America/Chicago"
+ open-pull-requests-limit: 5
+ groups:
+ github-actions:
+ patterns:
+ - "*"
+ labels:
+ - "dependencies"
+ - "github-actions"
+ commit-message:
+ prefix: "chore(deps)"
+ include: "scope"
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8402046..56bc5d9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
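Review bot: The header comment and the `# Python deps: pyproject.toml + uv.lock at the repo root.` line in `.github/dependabot.yml` promise that the `pip` entry "also picks up uv.lock so bumps stay reproducible", but to my knowledge Dependabot's `pip` ecosystem does not regenerate `uv.lock`; uv lockfiles are handled by the separate `package-ecosystem: "uv"` value. If that holds for this repo, a weekly bump would leave the lockfile resolving the previously pinned versions, so what CI and developers install would not be what the PR claims to update. Please check the first Dependabot PR for a `uv.lock` change and, if there is none, switch the entry to `package-ecosystem: "uv"` or correct the comment; the same comment line is left in place as context by the PATCH 3/3 hunk. Both `groups` blocks also match `patterns: "*"` without `update-types`, so major bumps arrive in the same weekly PR as patch releases; adding `update-types: ["minor", "patch"]` to each group would keep majors in their own PRs, where a risky release is easier to review in isolation.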
@@ -4,6 +4,14 @@ All notable changes to this project will be documented here.

 ## [Unreleased]

+### Added
+- Dependabot version-update configuration (`.github/dependabot.yml`)
+ for pip and github-actions ecosystems. Weekly schedule (Monday
+ 06:00 America/Chicago), grouped per ecosystem to reduce noise,
+ with `chore(deps)` commit prefix. Labels `dependencies`, `python`,
+ and `github-actions` are pre-created on the repo so PRs are
+ categorized on creation.
+
 ### Changed
 - Add `workflow_dispatch:` trigger to `pr-labels-ci.yml` to restore
 template parity with `cmeans/yt-dont-recommend`. Gives maintainers a
From 23c1db9bf6c47797f51f14f7f8fd2306cd7f990d Mon Sep 17 00:00:00 2001
From: "cmeans-claude-dev[bot]" <272174644+cmeans-claude-dev[bot]@users.noreply.github.com>
Date: Sun, 26 Apr 2026 17:51:08 -0500
Subject: [PATCH 2/3] fix(dependabot): use bare chore prefix to avoid doubled (deps) scope
Per the dependabot-pr-hygiene playbook (awareness logical_key dependabot-pr-hygiene-playbook): combining prefix: chore(deps) with include: scope produces commit subjects like chore(deps)(deps): bump foo because Dependabot auto-appends (deps) whenever include: scope is set. The canonical pattern is bare prefix: chore plus include: scope, which yields chore(deps): bump foo as intended. Caught before any Dependabot PR opened against this repo.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/dependabot.yml | 4 ++--
 CHANGELOG.md | 11 +++++++----
 2 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 20fcbbe..3596406 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -38,7 +38,7 @@ updates:
 - "dependencies"
 - "python"
 commit-message:
- prefix: "chore(deps)"
+ prefix: "chore"
 include: "scope"

 # GitHub Actions used by .github/workflows/*.yml.
@@ -58,5 +58,5 @@ updates:
 - "dependencies"
 - "github-actions"
 commit-message:
- prefix: "chore(deps)"
+ prefix: "chore"
 include: "scope"
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 56bc5d9..a1d56d8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,10 +7,13 @@ All notable changes to this project will be documented here.
 ### Added
 - Dependabot version-update configuration (`.github/dependabot.yml`)
 for pip and github-actions ecosystems. Weekly schedule (Monday
- 06:00 America/Chicago), grouped per ecosystem to reduce noise,
- with `chore(deps)` commit prefix. Labels `dependencies`, `python`,
- and `github-actions` are pre-created on the repo so PRs are
- categorized on creation.
+ 06:00 America/Chicago), grouped per ecosystem to reduce noise.
+ Commit-message uses `prefix: chore` with `include: scope` so
+ Dependabot's auto-appended `(deps)` scope yields canonical
+ `chore(deps): bump ` subjects (avoids the doubled-prefix
+ failure mode documented in the dependabot-pr-hygiene playbook).
+ Labels `dependencies`, `python`, and `github-actions` are
+ pre-created on the repo so PRs are categorized on creation.

 ### Changed
 - Add `workflow_dispatch:` trigger to `pr-labels-ci.yml` to restore
From f6ffdf5503d3c4214482826e29cd6d04c47d7c8d Mon Sep 17 00:00:00 2001
From: "cmeans-claude-dev[bot]" <272174644+cmeans-claude-dev[bot]@users.noreply.github.com>
Date: Sun, 26 Apr 2026 18:13:52 -0500
Subject: [PATCH 3/3] docs(dependabot): drop the dev-extras enumeration in pip ecosystem comment
Round-2 QA F2: the inline comment listed "pytest, pytest-asyncio" but pyproject.toml's [project.optional-dependencies] dev has five entries (pytest, pytest-asyncio, pytest-cov, ruff, mypy). Shortening to a non-enumerating phrase that points at pyproject.toml as the source of truth avoids future drift if dev extras change.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/dependabot.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 3596406..967d7ed 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -21,7 +21,8 @@
 version: 2
 updates:
 # Python deps: pyproject.toml + uv.lock at the repo root.
- # Covers runtime (mcp[cli]) and dev extras (pytest, pytest-asyncio).
+ # Covers runtime (mcp[cli]) and the dev extras declared in
+ # pyproject.toml.
 - package-ecosystem: "pip"
 directory: "/"
 schedule: