chore: add dependabot configuration for automated dependency updates #2337
Conversation
Adds dependabot.yml to keep Gradle dependencies and GitHub Actions up to date on a daily schedule with 7-day cooldown. PRs target the dependency-updates branch.
Code Review
This pull request introduces a .github/dependabot.yml configuration file to automate dependency updates for Gradle and GitHub Actions. The feedback correctly identifies that the cooldown option is not supported by GitHub Dependabot and will cause parsing errors, so it should be removed from both update blocks.
mikehardy left a comment
apparently some issue with what params are supported in what ecosystems
mikehardy left a comment
sorry I didn't get to this before merge - but the cooldown params here were fully reverted vs just the semver params for github-actions
the param support table https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#cooldown- has the full list of which ecosystems support which parts
gemini gets this wrong because it has a training data cutoff that's pretty stale combined with no access to a web search tool to fetch updated docs
| - package-ecosystem: 'gradle' | ||
| directory: '/' | ||
| schedule: | ||
| interval: 'daily' | ||
| labels: | ||
| - 'dependencies' |
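Review bot: the gradle block in this hunk carries no `cooldown:` section at all, even though the PR description promises a 7-day cooldown and, as the thread points out, the gradle ecosystem accepts the full set of cooldown options including the semver-specific ones. Restore the cooldown block under this ecosystem; only the github-actions block needed its semver-specific keys removed.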
github-actions ecosystem doesn't support cooldown semver params, but gradle does - it should have maintained all cooldown params here, the problem was with github-actions ecosystem
| schedule: | ||
| interval: 'daily' | ||
| labels: | ||
| - 'dependencies' |
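Review bot: this block (the github-actions entry, per the comment that follows) dropped the whole cooldown section, but github-actions does accept the plain cooldown-days setting and only rejects the semver-specific keys. Keep a default cooldown here: that waiting window before a newly published action version is auto-proposed is the supply-chain hardening the thread is asking for.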
github-actions does support cooldown days, it just doesn't support the semver params for them, the main cooldown days should have stayed for supply-chain attack hardening
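The configuration the thread converges on, written out as an added example (not the dependabot.yml merged in this PR): the gradle entry keeps the full cooldown block including the semver-specific days, while the github-actions entry keeps only the default cooldown days so the file still parses. The 7-day cooldown, daily interval, `dependencies` label and `dependency-updates` target branch come from the PR description; the per-semver day values are illustrative assumptions, and the option names follow the Dependabot options reference linked above.

```yaml
# .github/dependabot.yml (added example; not the file from this PR)
version: 2
updates:
  - package-ecosystem: 'gradle'
    directory: '/'
    schedule:
      interval: 'daily'
    target-branch: 'dependency-updates'
    labels:
      - 'dependencies'
    # gradle accepts the full cooldown block, including semver-specific days
    cooldown:
      default-days: 7          # 7-day cooldown, as stated in the PR description
      semver-major-days: 30    # illustrative values, not from the PR
      semver-minor-days: 14
      semver-patch-days: 7

  - package-ecosystem: 'github-actions'
    directory: '/'
    schedule:
      interval: 'daily'
    target-branch: 'dependency-updates'
    labels:
      - 'dependencies'
    # github-actions accepts cooldown days but not the semver-specific keys;
    # keeping only default-days avoids the parsing error while retaining the
    # waiting window before a freshly published release is auto-proposed
    cooldown:
      default-days: 7
```

The cooldown is the control worth keeping: a compromised package or action version is usually yanked within days of publication, so a week's delay before Dependabot opens a PR for it means the automated update never lands in the first place. The check to run after editing is the Dependabot validation GitHub reports on the config file in the repository's Insights/Dependency graph view, which will flag any key an ecosystem does not accept.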