Skip to content

feat: add dependabot.yml to .github/ #83

Description

@wcmchenry3-stack

Context

The .github meta-repo has no dependabot.yml. This means:

  • GitHub Actions uses: pins (e.g. actions/checkout@v4, softprops/action-gh-release@v2) receive no automated update PRs
  • The Cloudflare worker's npm dependencies (postal-mime, wrangler) receive no automated update PRs
  • Stale action versions accumulate security debt silently

Implementation

Create .github/dependabot.yml:

version: 2
updates:
  # GitHub Actions — covers all 36+ workflow files
  - package-ecosystem: github-actions
    directory: /.github/workflows
    schedule:
      interval: weekly
      day: monday
      time: "09:00"
    groups:
      github-actions:
        patterns:
          - "*"
    labels:
      - "infrastructure"
      - "chore"

  # npm — Cloudflare Email Worker
  - package-ecosystem: npm
    directory: /cloudflare/openai-policy-worker
    schedule:
      interval: weekly
      day: monday
      time: "09:00"
    groups:
      cloudflare-worker-deps:
        patterns:
          - "*"
    labels:
      - "infrastructure"
      - "chore"

Acceptance Criteria

  • .github/dependabot.yml created with github-actions ecosystem targeting /.github/workflows
  • npm ecosystem targeting /cloudflare/openai-policy-worker
  • Both ecosystems use weekly schedule (Monday 09:00 UTC) with grouped updates
  • Both ecosystems apply infrastructure and chore labels to generated PRs
  • File is valid YAML (no syntax errors)
  • After merging, GitHub's Dependabot tab shows both ecosystems configured

Dependencies

None — can be worked in parallel with all other Phase 2 issues.
Do NOT add dependabot.yml to sync-community-health.yml FILE_MAP — each repo has its own dependency profile.

Part of Epic

#77

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or requestinfrastructureCI/CD and tooling improvementssecuritySecurity-related issues and improvements

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions