chore(ci): configure dependabot to automatically update repository dependencies #705
Sparshjoshi-iit wants to merge 14 commits into
Conversation
Test bot action
Thank you @, for creating the PR and contributing to our UltimateHealth project 💗.
Pull request overview
This PR introduces a Dependabot configuration to automate dependency update PRs for the repository’s GitHub Actions workflows (root) and the React Native/Expo frontend (/frontend), supporting the goal in #703 of reducing security/maintenance risk from outdated dependencies.
Changes:
- Added `.github/dependabot.yml` with weekly update checks for `github-actions` at `/` and `npm` at `/frontend`.
- Applied dependency-related labels to Dependabot PRs.
- Configured Dependabot commit message prefixing for the `npm` ecosystem entry.
Comments suppressed due to low confidence (2)
.github/dependabot.yml:10
- The PR description says Dependabot PRs will use a conventional commit prefix (`chore`), but `commit-message` is only configured for the npm entry. If you want consistent conventional commits across all Dependabot PRs, add the same `commit-message` configuration under the `github-actions` update as well.

```yaml
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    labels:
      - "dependencies"
      - "github-actions"
```

.github/dependabot.yml:17
- This repo’s `frontend/package.json` has a large dependency set, so a weekly Dependabot run can still generate a high number of PRs at once. To better meet the goal of preventing PR spam, consider adding `open-pull-requests-limit` and/or using Dependabot `groups` to batch updates into fewer PRs.

```yaml
  - package-ecosystem: "npm"
    directory: "/frontend"
    schedule:
      interval: "weekly"
    labels:
```
SB2318 left a comment
Hey! 🎉 Thank you so much for taking the initiative to secure our pipeline. Keeping React Native & Expo packages up-to-date is a massive win for reducing technical debt, so I really appreciate you driving this!
I reviewed your proposed .github/dependabot.yml file, and the foundation is fantastic. I especially love that you added prefix: "chore" for Conventional Commits and set up the frontend and github-actions labels to keep our PR board clean.
However, I am requesting a couple of additions before we can merge this, to ensure it scales well with our CI pipeline:
1. Add Open PR Limits
By default, Dependabot will open up to 5 PRs at a time. If we fall behind, it can overwhelm the repository. Please explicitly set an open-pull-requests-limit for each ecosystem (e.g., 5 for actions, 10 for npm) so we have documented control over the noise level.
Example snippet:

```yaml
schedule:
  interval: "weekly"
open-pull-requests-limit: 10
```

2. Group Related Updates (Crucial)
Because React Native relies on heavy ecosystems, updates usually come in batches (e.g., updating multiple @react-navigation or expo-* packages). Without grouping, Dependabot will open individual PRs for every single package, which will quickly burn through our GitHub Action CI minutes and create PR fatigue.
Please add the groups feature to bundle related updates together in the npm ecosystem.
Example snippet:

```yaml
groups:
  expo-packages:
    patterns:
      - "expo-*"
  react-navigation:
    patterns:
      - "@react-navigation/*"
```

Requested Action:
Please review the Dependabot documentation on grouping and limits, update your configuration file with these concepts, and push the changes. Let me know once you do, and I will gladly approve and merge! 🚀
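A complete `.github/dependabot.yml` that applies both review requests (per-ecosystem `open-pull-requests-limit`, `groups` for the npm entry) and the Copilot note about a `commit-message` prefix on both entries. This is an added example, not the file from the PR; the limits (5 and 10), group names and patterns come from the comment above, while the `update-types` restriction on the groups and the `frontend` label value are assumptions.

```yaml
version: 2
updates:
  # GitHub Actions used by the CI workflows in the repository root.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    # Cap concurrent Dependabot PRs so a backlog cannot flood the board.
    open-pull-requests-limit: 5
    # Conventional-commit prefix on every Dependabot PR, not just npm.
    commit-message:
      prefix: "chore"
    labels:
      - "dependencies"
      - "github-actions"

  # React Native / Expo frontend dependencies.
  - package-ecosystem: "npm"
    directory: "/frontend"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    commit-message:
      prefix: "chore"
    labels:
      - "dependencies"
      - "frontend"
    # Batch related packages into one PR each; a single CI run then
    # validates the whole set instead of one run per package.
    groups:
      expo-packages:
        patterns:
          - "expo"
          - "expo-*"
        # Assumption: keep majors separate so breaking changes get their own PR.
        update-types:
          - "minor"
          - "patch"
      react-navigation:
        patterns:
          - "@react-navigation/*"
        update-types:
          - "minor"
          - "patch"
```

Packages that match no group, and major bumps of grouped packages, still arrive as individual PRs counted against the limit.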
@Sparshjoshi-iit, please resolve the conflict
Resolves #703
Motive
To prevent technical debt and security vulnerabilities from outdated packages, this PR configures Dependabot to automatically manage and propose dependency updates.
Tasks Completed
- Added `.github/dependabot.yml`
- Configured dependency updates for the `/frontend` directory
- Added `dependencies` labels to auto-generated PRs
- Set a commit message prefix (`chore`) to align with repository standards