Context
The .github meta-repo has no dependabot.yml. This means:
- GitHub Actions
uses: pins (e.g. actions/checkout@v4, softprops/action-gh-release@v2) receive no automated update PRs
- The Cloudflare worker's npm dependencies (
postal-mime, wrangler) receive no automated update PRs
- Stale action versions accumulate security debt silently
Implementation
Create .github/dependabot.yml:
version: 2
updates:
# GitHub Actions — covers all 36+ workflow files
- package-ecosystem: github-actions
directory: /.github/workflows
schedule:
interval: weekly
day: monday
time: "09:00"
groups:
github-actions:
patterns:
- "*"
labels:
- "infrastructure"
- "chore"
# npm — Cloudflare Email Worker
- package-ecosystem: npm
directory: /cloudflare/openai-policy-worker
schedule:
interval: weekly
day: monday
time: "09:00"
groups:
cloudflare-worker-deps:
patterns:
- "*"
labels:
- "infrastructure"
- "chore"
Acceptance Criteria
Dependencies
None — can be worked in parallel with all other Phase 2 issues.
Do NOT add dependabot.yml to sync-community-health.yml FILE_MAP — each repo has its own dependency profile.
Part of Epic
#77
Context
The
.githubmeta-repo has nodependabot.yml. This means:uses:pins (e.g.actions/checkout@v4,softprops/action-gh-release@v2) receive no automated update PRspostal-mime,wrangler) receive no automated update PRsImplementation
Create
.github/dependabot.yml:Acceptance Criteria
.github/dependabot.ymlcreated withgithub-actionsecosystem targeting/.github/workflowsnpmecosystem targeting/cloudflare/openai-policy-workerinfrastructureandchorelabels to generated PRsDependencies
None — can be worked in parallel with all other Phase 2 issues.
Do NOT add
dependabot.ymltosync-community-health.ymlFILE_MAP — each repo has its own dependency profile.Part of Epic
#77