Add Dependabot configuration for automated dependency and GitHub Actions updates#6

Merged
rajbos merged 6 commits into main from copilot/fix-ef971553-8a59-4991-b7e7-896a874d629f
Sep 28, 2025

Contributor

Copilot AI commented Sep 26, 2025

This PR adds a comprehensive Dependabot configuration to automatically keep the VS Code extension's npm dependencies and GitHub Actions up-to-date.

What's Added

  • .github/dependabot.yml - Complete configuration file for automated dependency management

Configuration Features

📅 Update Schedule

  • Weekly dependency checks every Monday at 04:00 UTC
  • Prevents overwhelming maintainers with daily updates while keeping dependencies reasonably current

🛡️ Smart Safety Controls

  • Major version protection: Ignores major version updates for critical dependencies (typescript, @types/vscode, vscode) to prevent breaking changes
  • Pull request limits: Maximum of 10 open npm dependency PRs and 5 GitHub Actions PRs to avoid repository clutter
  • Automatic assignment: All dependency PRs are assigned to the repository owner for review

📦 Dual Ecosystem Support

  • npm Dependencies: Monitors package.json for Node.js dependency updates
  • GitHub Actions: Monitors workflow files for action version updates
  • Security updates: Handled automatically by Dependabot with higher priority (no special grouping needed)
  • Minor/patch updates: Non-security minor and patch updates are grouped together to reduce PR noise and maintenance overhead

🏷️ Organization & Tracking

  • Consistent labeling with dependencies, npm, and github-actions labels for easy filtering
  • Proper commit message formatting with npm: and github-actions: prefixes and scope inclusion
  • Automatic reviewer assignment for accountability

Benefits

  1. Security: Automatic security updates help maintain a secure codebase
  2. Maintenance reduction: Grouping reduces the number of PRs to review
  3. Stability: Major version updates require manual review to prevent breaking changes
  4. Comprehensive coverage: Monitors both npm dependencies and GitHub Actions workflows
  5. Visibility: Clear labeling and assignment ensure dependency updates don't go unnoticed

This configuration strikes a balance between keeping dependencies current and maintaining stability, ensuring the extension continues to work reliably while staying secure and up-to-date across both npm packages and GitHub Actions.

Resolves the request to automatically update used dependencies in the repository.

Warning

update.code.visualstudio.com

  • Triggering command: node /home/REDACTED/work/github-copilot-token-usage/github-copilot-token-usage/node_modules/.bin/vscode-test (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Fixes #5

Original prompt

This section details on the original issue you should resolve

<issue_title>Add Dependabot config to the repo</issue_title>
<issue_description>Automatically update the used dependencies. </issue_description>

Comments on the Issue (you are @copilot in this section)


Copilot AI and others added 2 commits September 26, 2025 22:26
Co-authored-by: rajbos <6085745+rajbos@users.noreply.github.com>
Co-authored-by: rajbos <6085745+rajbos@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add Dependabot config to the repo" to "Add Dependabot configuration for automated dependency updates" Sep 26, 2025
Copilot AI requested a review from rajbos September 26, 2025 22:28
Owner

rajbos commented Sep 28, 2025

@copilot remove the package.json from this changeset, that change is not needed. Dynamic files should not be added to the changesets when you write that code!

Also add support for the github-actions ecosystem.

…port

Co-authored-by: rajbos <6085745+rajbos@users.noreply.github.com>
Contributor Author

Copilot AI commented Sep 28, 2025

> @copilot remove the package.json from this changeset, that change is not needed. Dynamic files should not be added to the changesets when you write that code!
>
> Also add support for the `github-actio...

✅ Done! I've addressed both requests:

  1. Removed package-lock.json changes: The dynamic package-lock.json file is no longer in the changeset
  2. Added GitHub Actions ecosystem: Dependabot now monitors workflow files for action updates with appropriate configuration

The updated configuration includes both npm and github-actions ecosystems with consistent scheduling, labeling, and safety controls. Changes committed in 8fca5c1.

Copilot AI changed the title from "Add Dependabot configuration for automated dependency updates" to "Add Dependabot configuration for automated dependency and GitHub Actions updates" Sep 28, 2025
Owner

rajbos commented Sep 28, 2025

@copilot address this error:

Your .github/dependabot.yml contained invalid details
Dependabot encountered the following error when parsing your .github/dependabot.yml:

The property '#/updates/0/groups/security-updates/update-types/0' value "security" did not match one of the following values: major, minor, patch
Please upda

Co-authored-by: rajbos <6085745+rajbos@users.noreply.github.com>
Contributor Author

Copilot AI commented Sep 28, 2025

> @copilot address this error:
>
> Your .github/dependabot.yml contained invalid details
> ...

✅ Fixed! The Dependabot configuration error has been resolved:

Issue: "security" is not a valid update-types value
Solution: Removed the invalid security-updates group that used "security" as an update-type

What changed:

  • Removed the invalid security-updates group configuration
  • Security updates are still handled automatically by Dependabot (they get higher priority by default)
  • Only valid update-types remain: "minor" and "patch" in the grouping configuration

The configuration is now valid and should work correctly. Changes committed in a307d61.
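
The configuration this thread describes, written out as an added sketch (it is not the repository's actual `.github/dependabot.yml`): schedule, limits, labels, prefixes and ignored packages are taken from the PR description, while the group name `minor-and-patch` and the `directory` values are assumptions. The commented-out group has the shape that produced the parse error quoted above.

```yaml
# Added sketch, not the repository's file. Values follow the PR description;
# the group name and "directory" values are assumptions.
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "04:00"              # interpreted as UTC unless "timezone" is set
    open-pull-requests-limit: 10
    assignees: ["rajbos"]        # the account shown as Owner in this thread
    labels: ["dependencies", "npm"]
    commit-message:
      prefix: "npm"
      include: "scope"
    ignore:                      # major bumps are left for manual review
      - dependency-name: "typescript"
        update-types: ["version-update:semver-major"]
      - dependency-name: "@types/vscode"
        update-types: ["version-update:semver-major"]
      - dependency-name: "vscode"
        update-types: ["version-update:semver-major"]
    groups:
      # Rejected by the parser: a group's update-types accepts only
      # major, minor and patch, so "security" fails validation.
      # security-updates:
      #   update-types: ["security"]
      minor-and-patch:           # hypothetical group name
        applies-to: version-updates
        update-types: ["minor", "patch"]

  - package-ecosystem: "github-actions"
    directory: "/"               # "/" covers the workflows under .github/workflows
    schedule:
      interval: "weekly"
      day: "monday"
      time: "04:00"
    open-pull-requests-limit: 5
    assignees: ["rajbos"]
    labels: ["dependencies", "github-actions"]
    commit-message:
      prefix: "github-actions"
      include: "scope"
```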

rajbos marked this pull request as ready for review September 28, 2025 12:08
rajbos merged commit 540a455 into main Sep 28, 2025
9 checks passed
rajbos deleted the copilot/fix-ef971553-8a59-4991-b7e7-896a874d629f branch September 28, 2025 12:15