
OPS-18: Dependency update automation and security triage workflow #473

Merged
Chris0Jeky merged 7 commits into main from chore/dependency-update-automation-policy
Mar 29, 2026

Conversation

@Chris0Jeky (Owner)

Summary

  • Add .github/dependabot.yml with weekly update schedules for NuGet, npm, and GitHub Actions ecosystems (minor/patch grouped, major individual for NuGet/npm, fully grouped for Actions)
  • Add docs/ops/DEPENDENCY_UPDATE_POLICY.md defining update categories, PR verification expectations, severity-based triage SLAs, escalation procedures, and policy boundaries
  • Update docs/STATUS.md and docs/IMPLEMENTATION_MASTERPLAN.md to reflect dependency automation as active
  • Update docs/security/SECURITY_DEPENDENCY_VULNERABILITY_POLICY.md to cross-reference the new policy and remove Dependabot from the follow-up scope list

Closes #148

Test plan

  • Verify .github/dependabot.yml syntax is valid (GitHub will surface errors on the Settings > Dependabot page after merge)
  • Confirm Dependabot PRs begin appearing on the next Monday schedule cycle
  • Verify security update PRs are distinguishable from routine updates (GitHub auto-labels security PRs)
  • Review triage SLA targets for realism against team capacity
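An added example, not the PR's own `.github/dependabot.yml`, of a config shaped the way the summary describes: weekly Monday schedules for NuGet, npm and GitHub Actions, minor/patch updates grouped and majors left ungrouped so they open as individual PRs, and Actions fully grouped. The `/backend` directory, the reviewer handle `jekyt` and the label names come from the PR discussion; the npm directory `/frontend` is an assumption, since the PR does not state it.

```yaml
# Added example matching the policy in the PR summary; not the repository's own file.
# Assumption: the npm project lives in /frontend (only the NuGet path /backend is stated).
version: 2
updates:
  # NuGet: /backend holds the .sln file, which is what the NuGet ecosystem scans for.
  - package-ecosystem: "nuget"
    directory: "/backend"
    schedule:
      interval: "weekly"
      day: "monday"
    labels: ["dependencies", "backend"]
    reviewers: ["jekyt"]
    groups:
      # Minor and patch bumps arrive as one grouped PR. Major bumps match no group
      # and therefore open as individual PRs for explicit review.
      nuget-minor-patch:
        patterns: ["*"]
        update-types: ["minor", "patch"]

  - package-ecosystem: "npm"
    directory: "/frontend"   # assumption, not stated in the PR
    schedule:
      interval: "weekly"
      day: "monday"
    labels: ["dependencies", "frontend"]
    reviewers: ["jekyt"]
    groups:
      npm-minor-patch:
        patterns: ["*"]
        update-types: ["minor", "patch"]

  # GitHub Actions: every update type in a single grouped PR, treated as lower risk.
  # A group with no update-types covers major, minor and patch alike.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    labels: ["dependencies", "ci"]
    reviewers: ["jekyt"]
    groups:
      actions-all:
        patterns: ["*"]
```

A `groups` entry applies to version updates only unless `applies-to: security-updates` is set, so security fixes raised by Dependabot still open as their own PRs under this config, which keeps them separable from the grouped routine bumps for triage.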

Weekly Monday schedule for all three ecosystems. Minor/patch updates
are grouped to reduce PR noise; major NuGet/npm updates arrive as
individual PRs for explicit review. GitHub Actions updates are fully
grouped since they are lower-risk.

Closes part of #148
Defines update categories (routine, major, security, lock-file-only),
PR verification expectations, severity-based triage SLAs aligned with
the existing vulnerability policy, and escalation procedures.

Closes part of #148

Adds dependency automation section under CI topology and removes #148
from the SBOM/provenance follow-through placeholder since it is now
delivered.

Records #148 dependency update automation as item 95 in the delivered
cycle list.

Removes Dependabot from the follow-up scope list since it is now
delivered. Adds cross-reference to the new dependency update policy doc.
@Chris0Jeky (Owner, Author)

Adversarial self-review

Reviewed all 5 changed files. Findings:

.github/dependabot.yml

  1. NuGet directory path: Using /backend which is the directory containing the .sln file. Dependabot NuGet ecosystem looks for .sln, .csproj, or packages.config files — /backend contains Taskdeck.sln, so this is correct.
  2. Labels assumption: The config references dependencies, backend, frontend, and ci labels. These must exist in the repo or Dependabot will skip labeling silently. Worth verifying after merge.
  3. Reviewer jekyt: Hardcoded single reviewer. Acceptable for a small team but should be revisited if the team grows.
  4. No ignore rules: No packages are excluded. This is intentional — the policy prefers seeing all updates and triaging manually rather than silently suppressing.
  5. No target-branch: Defaults to the repo default branch (main), which is correct.

docs/ops/DEPENDENCY_UPDATE_POLICY.md

  1. Security label claim: The doc states GitHub auto-applies a security label to security PRs. This is accurate for Dependabot security updates (they include [security] in the title and link the advisory), but GitHub does not literally add a security label unless the repo has one configured. The PR body advisory link is the reliable distinguisher. Minor inaccuracy — not blocking but could confuse a reader.
  2. SLA realism: Triage SLAs match the existing vulnerability policy doc exactly. Remediation targets (1 day for critical, 3 days for high) are aggressive but reasonable for a small team where dependency fixes are usually version bumps.
  3. Lock-file-only section: Correctly notes that Dependabot can propose these. NuGet does not have a lock file by default (unless RestorePackagesWithLockFile is set), so this section mostly applies to npm.

docs/STATUS.md and docs/IMPLEMENTATION_MASTERPLAN.md

  1. No issues found. Cross-references are accurate.

docs/security/SECURITY_DEPENDENCY_VULNERABILITY_POLICY.md

  1. Clean update. Removed Dependabot from follow-up scope and added cross-reference.

Verdict

Finding #6 is a minor inaccuracy worth fixing — clarifying that the security advisory reference in the PR body (not a literal label) is the primary distinguisher. All other findings are acceptable as-is.

Security advisory reference in PR body and title prefix are the
reliable distinguishers; the security label is conditional on repo
label existence.
@Chris0Jeky (Owner, Author)

Follow-up

Fixed finding #6 in commit 2cced10: clarified that the security advisory reference in the PR body and [security] title prefix are the primary distinguishers, with the security label being conditional on repo label existence.

All other findings from self-review are acceptable as-is. PR is ready for review.

@Chris0Jeky (Owner, Author)

Fresh Adversarial Review

Critical Issues

None found. The Dependabot config is syntactically valid, ecosystem names and directory paths are correct, and the grouping schema is properly structured.

Minor Issues

  1. Inaccurate claim about [security] prefix in PR titles (docs/ops/DEPENDENCY_UPDATE_POLICY.md, Security updates section): The doc states that security PRs are "clearly distinguishable by the security advisory reference in the PR body and [security] prefix in the PR title." Dependabot security update PRs do not include a [security] prefix in the title. They use the same "Bump X from Y to Z" format as version update PRs. The distinguishing signals are: (a) the security advisory link in the PR body, (b) GitHub may apply a security label if one exists, and (c) they appear in the Security tab. This line should be corrected to avoid giving maintainers a false expectation.

  2. Unlisted labels in the label taxonomy (.github/dependabot.yml): The config applies dependencies and ci labels, but neither appears in docs/ops/GITHUB_LABEL_TAXONOMY.md. GitHub will auto-create them, but the canonical taxonomy doc becomes stale. Either add dependencies and ci to the taxonomy, or use existing labels.

Observations

  1. No allow/ignore rules: The config does not restrict or ignore any packages. This is fine as a starting posture but worth noting -- if a package is known to be pinned for compatibility reasons, it will generate noise until an ignore rule is added.

  2. registries key omitted: Correct for a project using only public registries. No issue here.

  3. Lock-file-only coverage: The policy doc correctly addresses lock-file-only updates in its own section. Good.

  4. SLA targets match existing vulnerability policy: The triage/remediation SLAs in the new policy doc are consistent with SECURITY_DEPENDENCY_VULNERABILITY_POLICY.md. No conflict.

  5. Item 95 numbering in IMPLEMENTATION_MASTERPLAN.md: Correct, follows item 94 sequentially.

  6. STATUS.md #148 removal from SBOM line: Correct -- #148 is OPS-18 (dependency automation), not SBOM. Removing it from the SBOM placeholder and giving it its own section is accurate.

  7. Security policy edit: The removal of the "Dependabot or Renovate policy automation" bullet from the follow-up scope is correct since that scope is now delivered. The replacement with "auto-merge for low-risk dependency update PRs" as a remaining follow-up item is accurate per the policy doc's boundaries section.

Verdict

Solid config-and-policy PR. The Dependabot YAML is valid and well-structured. The two minor issues above should be fixed before merge -- the [security] prefix claim will mislead maintainers who try to filter by PR title, and the label taxonomy gap creates a documentation inconsistency that will be confusing when the next person checks label governance.

…onomy

Correct inaccurate claim that Dependabot security PRs have a [security]
title prefix — they use the same title format as regular updates. Add
dependencies and ci labels to GITHUB_LABEL_TAXONOMY.md to match the
labels configured in dependabot.yml.
Chris0Jeky merged commit 9e59ba4 into main Mar 29, 2026
10 checks passed
Chris0Jeky deleted the chore/dependency-update-automation-policy branch March 29, 2026 03:02
github-project-automation bot moved this from Pending to Done in Taskdeck Execution Mar 29, 2026

Development

Successfully merging this pull request may close these issues.

OPS-18: Dependency update automation and security triage workflow