chore: add dependabot.yml (pip / github-actions / docker)#18
Closed
cmeans-claude-dev[bot] wants to merge 1 commit into
Closed
chore: add dependabot.yml (pip / github-actions / docker)#18cmeans-claude-dev[bot] wants to merge 1 commit into
cmeans-claude-dev[bot] wants to merge 1 commit into
Conversation
Tracks weekly updates across the three ecosystems this repo touches: - pip: runtime + dev deps in pyproject.toml (also picks up uv.lock so the version bumps stay reproducible). Covers PyYAML, pypinfo, and the dev extras (pytest, pytest-cov, ruff, mypy, types-PyYAML). - github-actions: workflow files under .github/workflows/ (CI matrix, publish workflows, label automation). - docker: deploy/docker/Dockerfile base image. Schedule is weekly (Monday 06:00 America/Chicago) to keep PR volume manageable for a solo project. Each ecosystem groups its updates into a single PR per week (instead of one PR per dep) so notification noise stays low. Labels (dependencies + per-ecosystem qualifier) are applied only if they already exist on the repo; Dependabot does not auto-create labels. CHANGELOG entry omitted — repo infrastructure, not user-visible.
github-actions
Bot
added
the
Awaiting CI
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
github-actions
Bot
added
Ready for QA
Contributor
Author
|
Closing — CreateEvent leak under v1 bot-push design (first push of Replaced by #21 with the v2 bot-push design active (CreateEvent now attributes to Background: cmeans/claude-dev#4 deployed v2. |
5 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Replaces the GitHub starter skeleton with a real Dependabot config tailored to this repo. Tracks weekly version updates across the three ecosystems present in tree:
pipat/—pyproject.toml+uv.lock(PyYAML, pypinfo, and the dev extras: pytest, pytest-cov, ruff, mypy, types-PyYAML).github-actionsat/— workflow files under.github/workflows/(CI matrix, publish workflows, label automation).dockerat/deploy/docker— Dockerfile base image for the optional containerized deployment shape.Schedule is weekly, Monday 06:00 America/Chicago — keeps PR volume manageable for a solo project. Each ecosystem groups its updates into a single weekly PR (instead of one PR per dep) to keep notification noise down.
Labels (
dependenciesplus a per-ecosystem qualifier) are applied only if those labels already exist; Dependabot does not auto-create labels. The label-automation workflows continue to drive the QA-flow labels separately.CHANGELOG entry omitted — repo infrastructure, not a user-visible product change (consistent with how PR #17's community-health files are landing).
Test plan
Settings → Code security and analysis → Dependabotshows version updates as enabled.Insights → Dependency graph → Dependabotand check each shows last-updated timestamps.dependencies/python/github-actions/dockeraren't yet defined, the missing labels are silently skipped — this is expected and not a regression).chore(deps)prefix.