From 9672d5891b033b56d435b6a584d8ea759c50b6bb Mon Sep 17 00:00:00 2001
From: Aaron Ashby <101434393+aaronashby@users.noreply.github.com>
Date: Thu, 22 Jan 2026 16:39:17 -0500
Subject: [PATCH 1/4] Created dependabot.yml file
---
.github/dependabot.yml | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..ea6b9d5
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,19 @@
+version: 2
+updates:
+ # Enable version updates for npm
+ - package-ecosystem: "npm"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+
+ # Enable version updates for Docker
+ - package-ecosystem: "docker"
+ directory: "/apps/backend"
+ schedule:
+ interval: "weekly"
+
+ # Enable version updates for GitHub Actions
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
\ No newline at end of file
From 6eda14a577837fa9471ee78c33ac9ab4ab0f0983 Mon Sep 17 00:00:00 2001
From: Aaron Ashby <101434393+aaronashby@users.noreply.github.com>
Date: Thu, 22 Jan 2026 17:17:36 -0500
Subject: [PATCH 2/4] Added assignees to dependency prs
---
.github/dependabot.yml | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index ea6b9d5..def220f 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -5,15 +5,24 @@ updates:
directory: "/"
schedule:
interval: "weekly"
+ assignees:
+ - "aaronashby"
+ - "thaninbew"
# Enable version updates for Docker
- package-ecosystem: "docker"
directory: "/apps/backend"
schedule:
interval: "weekly"
+ assignees:
+ - "aaronashby"
+ - "thaninbew"
# Enable version updates for GitHub Actions
- package-ecosystem: "github-actions"
directory: "/"
schedule:
- interval: "weekly"
\ No newline at end of file
+ interval: "weekly"
+ assignees:
+ - "aaronashby"
+ - "thaninbew"
\ No newline at end of file
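Review bot: The new file ends without a trailing newline (`\ No newline at end of file` after the last `interval: "weekly"`), which is why every later patch in this series has to rewrite the final line; finish the file with a single newline. Because this config decides which upgrades are proposed automatically for three ecosystems, a short header comment stating that it covers version updates only, and that Dependabot security updates are switched on separately in the repository settings, would save the next reader a trip to the docs. If the team wants a buffer before adopting freshly published releases, Dependabot's `cooldown` setting (for example `cooldown:` with `default-days: 7` inside an update block) delays bumps by a configurable number of days; check that the Dependabot version in use supports it before adding it.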
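Review bot: The identical two-handle `assignees` list is pasted into all three update blocks, so the three copies will drift the first time ownership changes; a comment above `updates:` such as `# Assignees are repeated per block - keep the three lists identical` would at least flag it. Assigning a PR does not require those people to approve it before merge: if the intent is that `aaronashby` and `thaninbew` sign off on dependency bumps, a CODEOWNERS entry covering `yarn.lock`, the Dockerfile under `apps/backend` and `.github/workflows/`, combined with branch protection, enforces that, whereas `assignees` only notifies.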
From ae48a261e67f208673dc2b569da7fce45b122ffa Mon Sep 17 00:00:00 2001
From: Aaron Ashby <101434393+aaronashby@users.noreply.github.com>
Date: Sun, 25 Jan 2026 10:14:51 -0500
Subject: [PATCH 3/4] Created dependabot documentation
---
DEPENDABOT.md | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 DEPENDABOT.md
diff --git a/DEPENDABOT.md b/DEPENDABOT.md
new file mode 100644
index 0000000..2898c2c
--- /dev/null
+++ b/DEPENDABOT.md
@@ -0,0 +1,48 @@
+# Dependabot Workflow
+
+## Overview
+
+Dependabot is a GitHub-native tool that automatically opens pull requests to keep dependencies up to date. Its configuration settings are located in `.github/dependabot.yml`, and runs weekly.
+
+## What Dependabot Updates
+
+- **Node.js dependencies**: Dependencies declared in `package.json` and the lockfile `yarn.lock`
+- **Docker dependencies**: Updates base image tags referenced by Dockerfiles (e.g. the one in `apps/backend`)
+- **GitHub Actions**: Updates action versions used in workflows in `.github/workflows`
+
+## Schedule and Ownership
+
+Dependabot creates PRs on a **weekly** basis, and automatically assigns the PRs to `aaronashby` and `thaninbew`
+
+## How to Review Dependabot PRs
+
+- Skim the PR title, release notes, and commits
+- Check the diff
+ - Dependency updates often change `package.json` + `yarn.lock` (or only `yarn.lock`).
+ - Docker updates typically change a `FROM …` line.
+ - Actions updates usually change `uses: …@vX` pins in workflows.
+
+## Merging Guidelines (suggested)
+
+- **Patch/minor updates**: usually safe to merge once CI passes.
+- **Major updates**: prefer a quick manual smoke test and a scan for breaking changes.
+- **Lockfile-only updates**: merge if CI passes (these happen due to dependency resolution changes).
+
+## Common Tweaks (edit `.github/dependabot.yml`)
+
+- **Add a separate Docker entry for root compose files**
+ - Dependabot currently only scans Docker in `/apps/backend`. If you want it to update `docker-compose.dev.yml` at the repo root, add another docker update with `directory: "/"`.
+- **Limit PR volume**
+ - Add `open-pull-requests-limit: ` to an update block.
+- **Ignore versions**
+ - Use `ignore:` to skip major versions or specific packages temporarily.
+- **Group updates**
+ - Use `groups:` to bundle related packages (e.g., React, NestJS, Nx) into fewer PRs.
+
+## Troubleshooting
+- **CI fails after a bump**
+ - Check the package’s changelog/release notes and revert/ignore if needed.
+ - If it’s a tooling bump (Nx/Vite/ESLint/TypeScript), failures often come from peer dependency changes or config deprecations.
+- **Dependabot isn’t opening PRs**
+ - Confirm `.github/dependabot.yml` is on the default branch and syntactically valid.
+ - Check the repo’s Dependabot alerts/PRs in GitHub for run history and errors.
\ No newline at end of file
From 900b3d0680173951592eb21dff4bfa668d68390c Mon Sep 17 00:00:00 2001
From: Aaron Ashby <101434393+aaronashby@users.noreply.github.com>
Date: Sun, 25 Jan 2026 11:37:35 -0500
Subject: [PATCH 4/4] Lowered open pull request limit
---
.github/dependabot.yml | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index def220f..85931a5 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -8,6 +8,7 @@ updates:
assignees:
- "aaronashby"
- "thaninbew"
+ open-pull-requests-limit: 3
# Enable version updates for Docker
- package-ecosystem: "docker"
@@ -17,6 +18,7 @@ updates:
assignees:
- "aaronashby"
- "thaninbew"
+ open-pull-requests-limit: 3
# Enable version updates for GitHub Actions
- package-ecosystem: "github-actions"
@@ -25,4 +27,5 @@ updates:
interval: "weekly"
assignees:
- "aaronashby"
- - "thaninbew"
\ No newline at end of file
+ - "thaninbew"
+ open-pull-requests-limit: 3
\ No newline at end of file
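Review bot: `open-pull-requests-limit: 3` is added to all three blocks (this hunk and the two that follow it), but DEPENDABOT.md from the previous patch still lists the key under "Limit PR volume" as a tweak to add, with an empty value after `open-pull-requests-limit: `; update that bullet to say each ecosystem is already capped at 3 and how to raise it. A short inline comment such as `open-pull-requests-limit: 3  # cap on open version-update PRs for this ecosystem` would record the intent next to the value, since the key sits after `assignees` rather than beside `schedule`, where a reader looks for throttling settings. As I read the Dependabot docs this key throttles version updates only and security-update PRs have their own internal cap, so the lower limit should not delay security fixes, but confirm that before relying on it. The third hunk also inherits the missing final newline, so its `- - "thaninbew"` / `+ - "thaninbew"` pair is pure churn.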