chore: add dependabot.yml (pip / github-actions / docker) #21
Codecov Report: ✅ All modified and coverable lines are covered by tests.
cmeans left a comment:
QA round 1 (v2 branch) — clean
Tree-equality check: git diff chore/dependabot-config chore/dependabot-config-v2-qa is empty. v2 is bit-identical to v1 head e76896e; only the CreateEvent attribution differs.
Static verification on head 955ac5c:
| Check | Result |
|---|---|
| YAML parses (yaml.safe_load) | OK — version: 2, three ecosystems |
| Ecosystem coverage | complete — no other manifests in tree (requirements.txt/Pipfile/package.json/etc.) and no composite actions under .github/actions/ |
| pip directory / | pyproject.toml + uv.lock present |
| github-actions directory / | .github/workflows/ has 6 files (ci, pr-labels, pr-labels-ci, publish, test-publish, qa-gate) |
| docker directory /deploy/docker | Dockerfile present (two FROM python:3.13-slim stages — same image, one weekly PR even without an explicit groups: block, so the omission is fine) |
| Schedule (all 3 ecosystems) | weekly Monday 06:00 America/Chicago — matches PR body |
| commit-message.prefix | chore(deps) on all three — matches PR body item 5 |
| groups: "*" on pip + github-actions | will fold per-ecosystem updates into one weekly PR each, as advertised |
| CI on PR head | all SUCCESS (test 3.11/3.12/3.13, lint, typecheck, on-push, qa-approved) |
Label state on the repo (verified via gh label list): dependencies ✅ exists; python, github-actions, docker ❌ missing. Dependabot will silently skip the missing per-ecosystem qualifiers — exactly the behavior the PR body and test-plan item 4 explicitly call "expected and not a regression." Not a finding; just confirming the runtime state matches the documented assumption. Creating the three remaining labels is already on the maintainer's repo-setup follow-up list.
Test-plan checkboxes: all five items are post-merge runtime checks (Dependabot PR generation, Insights/Dependency-graph rendering, first-week PR labels, generated commit messages). None are tickable pre-merge — leaving all five unchecked for the maintainer.
No findings. Transitioning label to Ready for QA Signoff.
Tracks weekly updates across the three ecosystems this repo touches:
- pip: runtime + dev deps in pyproject.toml (also picks up uv.lock so the version bumps stay reproducible). Covers PyYAML, pypinfo, and the dev extras (pytest, pytest-cov, ruff, mypy, types-PyYAML).
- github-actions: workflow files under .github/workflows/ (CI matrix, publish workflows, label automation).
- docker: deploy/docker/Dockerfile base image.

Schedule is weekly (Monday 06:00 America/Chicago) to keep PR volume manageable for a solo project. Each ecosystem groups its updates into a single PR per week (instead of one PR per dep) so notification noise stays low. Labels (dependencies + per-ecosystem qualifier) are applied only if they already exist on the repo; Dependabot does not auto-create labels. CHANGELOG entry omitted — repo infrastructure, not user-visible.
955ac5c to 145a2b0
Adds .github/dependabot.yml so Dependabot can open weekly version-update PRs for outdated dependencies. Two ecosystems tracked:
- pip: runtime + [dev] + [vdsm] extras from pyproject.toml; uv.lock at the repo root keeps Dependabot's lockfile bumps reproducible.
- github-actions: every workflow file under .github/workflows/ (ci, vdsm, publish, test-publish, qa-gate, pr-labels, pr-labels-ci, dependabot-changelog) plus the local composite action at .github/actions/install-mcp-publisher.

Schedule weekly Monday 06:00 America/Chicago, single grouped PR per ecosystem. Labels `dependencies` + ecosystem-tag (`python` / `github-actions`) — all three labels created on the repo so Dependabot doesn't silently skip them. Commit subjects render as `chore(deps): bump <pkg>` via `prefix: "chore"` + `include: "scope"` (Dependabot auto-appends the (deps) scope; specifying chore(deps) explicitly in the prefix would double it to chore(deps)(deps), which is the bug we caught in QA round 3 — same misconfig is still live on cmeans/pypi-winnow-downloads and worth fixing there as a follow-up).

No `docker` ecosystem because mcp-synology has no Dockerfile. Repo-side switches (Dependabot alerts, security updates, secret scanning, private vulnerability reporting) are already on; this PR fills in the version-update config that the GitHub-side switches don't cover. Once merged, Dependabot version-update PRs benefit from the auto-CHANGELOG workflow shipped in #58. Pattern ported from cmeans/pypi-winnow-downloads#21 with the doubled-scope commit-prefix bug fixed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Three mechanical edits:
- pyproject.toml: version "0.1.0" -> "0.1.1"
- CHANGELOG.md: insert `## [0.1.1] - 2026-04-26` directly under the (still empty) `## [Unreleased]` header so all 12 PRs' worth of bullets that have been accumulating since v0.1.0 shipped are now categorized under the 0.1.1 release. Updated the link refs at the bottom: [Unreleased] now compares from v0.1.1, and a new [0.1.1] entry compares v0.1.0...v0.1.1.
- uv.lock: refreshed by `uv lock` so the locked pypi-winnow-downloads version (0.1.1) matches pyproject.toml.

What ships in v0.1.1 (highlights — full changelog under ## [0.1.1]):

Library fixes (operator-visible):
- collector: _write_health OSError no longer escapes per-package isolation. Disk-full / perm errors now produce a structured `winnow-collect: ...; health file write failed: [Errno 28] No space left on device` exit instead of a raw traceback. Closes #32.
- collector: stale_threshold_days is now actually consulted — the "warn if previous run is older than N days" feature documented in config.example.yaml since v0.1.0 finally fires. Log-only per the documented v1 contract; degrades silently on first-run / unreadable / malformed / future-timestamped previous _health.json. Closes #33.

Documentation:
- README acknowledgments / license / BigQuery dataset link refresh (PR #15)
- README shields.io URL canonicalization (PR #27, closes #16)
- deploy/README.md Tailscale Funnel as alternative HTTPS exposure (PR #22)
- deploy/README.md "Pick an approach" table updated to reflect the new Caddy logging shape (in PR #30)

CI / project infrastructure (no PyPI consumer impact, but hardens future releases):
- Community health files: CONTRIBUTING / CoC / SECURITY / issue templates (PR #20)
- .github/dependabot.yml across pip + github-actions + docker ecosystems (PR #21)
- Dependabot PR hygiene cascade from cmeans/mcp-synology: PULL_REQUEST_TEMPLATE.md + auto-CHANGELOG workflow (App-token authenticated so required CI re-fires on the bot's HEAD SHA) + dependabot.yml prefix fix (PR #25). Validated end-to-end via the first two real Dependabot bumps PR #23 (codecov-action 5->6) and PR #24 (python 3.13-slim -> 3.14-slim).
- deploy-smoke CI job that builds the Dockerfile, smokes the entrypoint, validates compose+Caddyfile against caddy:2 (PR #29, closes #7). Promoted to required status check on the main-protection ruleset 2026-04-26 22:43 (issue #31 closed via operator action).
- deploy/caddy/Caddyfile.example gains global error logger + per-site access logger with built-in lumberjack rotation, documents the validate-as-root gotcha (PR #30). Live CT 112 deployment fixed in the same change.
- 100% coverage on src/ via real tests (no `# pragma: no cover`), with `fail_under = 100` gate in pyproject.toml so future regressions trip CI (PR #38, closes #37).

Verified locally: 71/71 pytest pass, ruff/format/mypy clean, coverage gate green at 100.00%.

After this merges:
1. Tag the squash-merge commit as v0.1.1 and push the tag — publish.yml fires and uploads to PyPI via the existing trusted-publisher OIDC flow.
2. Update the live CT 112 deployment to install pypi-winnow-downloads==0.1.1 from PyPI (currently runs a wheel built from main, but pinning to the released version keeps deploy reproducible).
3. Close any post-release follow-ups Chris wants tracked.

Co-authored-by: cmeans-claude-dev[bot] <272174644+cmeans-claude-dev[bot]@users.noreply.github.com>
Summary
Replaces the GitHub starter skeleton with a real Dependabot config tailored to this repo. Tracks weekly version updates across the three ecosystems present in tree:
- `pip` at `/` — `pyproject.toml` + `uv.lock` (PyYAML, pypinfo, and the dev extras: pytest, pytest-cov, ruff, mypy, types-PyYAML).
- `github-actions` at `/` — workflow files under `.github/workflows/` (CI matrix, publish workflows, label automation).
- `docker` at `/deploy/docker` — Dockerfile base image for the optional containerized deployment shape.

Schedule is weekly, Monday 06:00 America/Chicago — keeps PR volume manageable for a solo project. Each ecosystem groups its updates into a single weekly PR (instead of one PR per dep) to keep notification noise down.
Labels (`dependencies` plus a per-ecosystem qualifier) are applied only if those labels already exist; Dependabot does not auto-create labels. The label-automation workflows continue to drive the QA-flow labels separately.

CHANGELOG entry omitted — repo infrastructure, not a user-visible product change (consistent with how PR #17's community-health files are landing).
Test plan
- Settings → Code security and analysis → Dependabot shows version updates as enabled.
- Insights → Dependency graph → Dependabot: check each shows last-updated timestamps.
- First-week PR labels: where `dependencies` / `python` / `github-actions` / `docker` aren't yet defined, the missing labels are silently skipped (this is expected and not a regression).
- Generated commit messages carry the `chore(deps)` prefix.
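As an added example (not code from this PR or either repo), a Python version of the static checks the QA round ran by hand against the config the Summary describes, plus the doubled-scope `commit-message` check from the mcp-synology commit message above. It takes the dict `yaml.safe_load` would return for `dependabot.yml`; the sample config and the repo label set are constructed here, and `make_update` / `check_dependabot` are assumed names.

```python
from typing import Any

# Documented schedule from the PR body: weekly, Monday 06:00 America/Chicago.
EXPECTED_SCHEDULE = {"interval": "weekly", "day": "monday",
                     "time": "06:00", "timezone": "America/Chicago"}
REQUIRED_ECOSYSTEMS = ("pip", "github-actions", "docker")

def make_update(eco: str, directory: str, qualifier: str,
                include_scope: bool = False) -> dict[str, Any]:
    """One `updates:` entry, shaped as yaml.safe_load would return it (constructed)."""
    commit_message: dict[str, str] = {"prefix": "chore(deps)"}
    if include_scope:
        commit_message["include"] = "scope"
    return {"package-ecosystem": eco, "directory": directory,
            "schedule": dict(EXPECTED_SCHEDULE),
            "groups": {"all": {"patterns": ["*"]}},
            "labels": ["dependencies", qualifier],
            "commit-message": commit_message}

# Constructed sample mirroring the three-ecosystem config this PR describes.
SAMPLE_CONFIG: dict[str, Any] = {"version": 2, "updates": [
    make_update("pip", "/", "python"),
    make_update("github-actions", "/", "github-actions"),
    make_update("docker", "/deploy/docker", "docker"),
]}

def check_dependabot(config: dict[str, Any], repo_labels: set[str]) -> list[str]:
    """Return findings; an empty list means the config matches what the PR body promises."""
    findings: list[str] = []
    if config.get("version") != 2:
        findings.append("version must be 2")
    updates = config.get("updates") or []
    present = {u.get("package-ecosystem") for u in updates}
    findings += [f"missing ecosystem: {e}" for e in REQUIRED_ECOSYSTEMS if e not in present]
    for u in updates:
        eco = u.get("package-ecosystem", "?")
        if u.get("schedule") != EXPECTED_SCHEDULE:
            findings.append(f"{eco}: schedule differs from the documented weekly Monday 06:00")
        if not u.get("groups"):
            findings.append(f"{eco}: no groups block, expect one PR per dependency")
        cm = u.get("commit-message", {})
        prefix = cm.get("prefix", "")
        # Dependabot appends the (deps) scope itself under include: scope,
        # so a prefix that already carries it renders as chore(deps)(deps).
        if cm.get("include") == "scope" and prefix.endswith("(deps)"):
            findings.append(f"{eco}: prefix {prefix!r} + include: scope doubles to {prefix}(deps)")
        # Dependabot silently skips labels that do not exist on the repo.
        findings += [f"{eco}: label {lb!r} missing on repo, will be skipped"
                     for lb in u.get("labels", []) if lb not in repo_labels]
    return findings
```

Against a real checkout, pass `yaml.safe_load` of `.github/dependabot.yml` and the label names from `gh label list`; with only `dependencies` present, the three per-ecosystem qualifiers show up as skipped, as the QA comment notes.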