From c272151ed13e58c22783a23009c2999af91501ed Mon Sep 17 00:00:00 2001 From: GitHub Actions <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 27 Feb 2026 22:54:44 +0000 Subject: [PATCH] docs: add Dependabot configuration documentation Document the .github/dependabot.yml configuration file that was added in commit 30d356b. This fills a documentation gap by explaining: - What Dependabot monitors (GitHub Actions) - Update schedule (weekly on Mondays) - Configuration options and customization - Supported package ecosystems - Link to official GitHub documentation Also adds cross-reference from automation-overview.md to the detailed configuration documentation. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- docs/automation-overview.md | 9 ++++ docs/workflow-reference.md | 89 +++++++++++++++++++++++++++++++++++++ 2 files changed, 98 insertions(+) diff --git a/docs/automation-overview.md b/docs/automation-overview.md index 35decf5..99c9d21 100644 --- a/docs/automation-overview.md +++ b/docs/automation-overview.md @@ -221,6 +221,15 @@ Automatically merged after CI passed. - CI checks fail - Conflicts with other changes +**Configuration:** + +Dependabot is configured in `.github/dependabot.yml` to: +- Check for GitHub Actions updates weekly (Mondays at 9 AM Central) +- Group minor and patch updates together +- Apply `dependencies` and `github-actions` labels automatically + +See [Workflow Reference - Dependabot Configuration](./workflow-reference.md#dependabot-configuration) for details on customizing the configuration. + --- ## Workflow Labels diff --git a/docs/workflow-reference.md b/docs/workflow-reference.md index 6b55949..a514eb6 100644 --- a/docs/workflow-reference.md +++ b/docs/workflow-reference.md @@ -99,6 +99,95 @@ uses: zircote/.github/.github/workflows/reusable-dependabot-automerge.yml@main --- +### Dependabot Configuration + +**File:** `.github/dependabot.yml` + +Configures how Dependabot monitors and updates dependencies. + +**Current Configuration:** + +````yaml +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + day: "monday" + time: "09:00" + timezone: "America/Chicago" + open-pull-requests-limit: 5 + commit-message: + prefix: "chore(deps)" + labels: + - "dependencies" + - "github-actions" + reviewers: + - "zircote" + groups: + github-actions: + patterns: + - "*" + update-types: + - "minor" + - "patch" +```` + +**What it monitors:** + +- **GitHub Actions** - Workflow action versions in `.github/workflows/` + +**Schedule:** +- Checks for updates every Monday at 9:00 AM Central Time +- Creates up to 5 PRs at a time to avoid overwhelming the queue + +**Automatic behaviors:** +- Groups minor and patch updates into a single PR when possible +- Applies `dependencies` and `github-actions` labels +- Requests review from @zircote +- Uses conventional commit format: `chore(deps): ...` + +**Customization:** + +To add more package ecosystems (e.g., npm, pip, docker): + +````yaml +updates: + # Existing github-actions configuration... + + - package-ecosystem: "npm" + directory: "/" + schedule: + interval: "weekly" + open-pull-requests-limit: 5 + labels: + - "dependencies" + - "npm" +```` + +**Supported ecosystems:** +- `github-actions` - GitHub Actions workflows +- `npm` - JavaScript/Node.js +- `pip` - Python +- `docker` - Docker images +- `composer` - PHP +- `maven` - Java/Maven +- `gradle` - Java/Gradle +- `bundler` - Ruby +- `cargo` - Rust +- `gomod` - Go modules + +**Common schedule options:** +- `daily` - Every day +- `weekly` - Once per week (specify day) +- `monthly` - Once per month + +**Documentation:** +- [Dependabot configuration reference](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file) + +--- + ## Agentic Workflows Agentic workflows use AI to understand context and make intelligent decisions. They are defined in Markdown files and compiled to `.lock.yml` files.