chore: add Dependabot configuration for automated dependency updates #200

Merged

scottschreckengaust merged 9 commits into main from chore/add-dependabot on Apr 23, 2026

Conversation

scottschreckengaust (Member) commented Apr 20, 2026

Summary

Adds a .github/dependabot.yml to automate dependency version updates across
four ecosystems, using grouped PRs with conventional commit prefixes.

Changes

.github/dependabot.yml (new)

| Ecosystem      | Directory                                | Schedule | Groups                                   |
|----------------|------------------------------------------|----------|------------------------------------------|
| github-actions | /                                        | Weekly   | All actions in one PR                    |
| uv             | /scripts/aidlc-evaluator                 | Weekly   | All evaluator deps batched into one PR   |
| pre-commit     | /                                        | Weekly   | .pre-commit-config.yaml rev pins         |
| docker         | /scripts/aidlc-evaluator/docker/sandbox  | Weekly   | Single PR per Dockerfile                 |

Commit message format: chore(deps): for production, chore(deps-dev): for
development — matches the repo's conventional commits convention.

Grouping strategy:

  • GitHub Actions: all updates batched into a single PR
  • uv deps: all evaluator dependencies grouped into one PR
  • Pre-commit: updates .pre-commit-config.yaml hook rev pins
  • Docker: one PR per base image update

Not covered by Dependabot:

  • ClamAV service container digest in security-scanners.yml — Dependabot's docker
    ecosystem only scans Dockerfiles, not GitHub Actions service container image: fields.
    This requires manual updates (documented in PR #199, "fix: address security scanners follow-up items (#180)", and docs/ADMINISTRATIVE_GUIDE.md).

Checklist

  • I have reviewed the contributing guidelines
  • I have performed a self-review of this change
  • Changes have been tested
  • Changes are documented

Test Plan

  • YAML syntax validated
  • Verified ecosystem names (github-actions, uv, pre-commit, docker) match current
    Dependabot documentation
  • Directory paths confirmed to contain the expected manifest files
  • Commit prefix chore(deps) matches the repo's conventional commits convention

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of the project license.
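The description above gives the ecosystems, directories, schedule and grouping strategy but the page does not show the merged file itself. The following .github/dependabot.yml is an added illustration of a configuration that matches that description; it is not the file from this PR, and the group names, the `patterns: ["*"]` wildcards and the exact key layout are assumptions.

```yaml
# Added illustration of a Dependabot configuration matching the PR description.
# Not the file merged in PR #200; group names and patterns are assumed.
version: 2
updates:
  # GitHub Actions: every workflow under .github/workflows, all updates in one PR.
  # For SHA-pinned actions Dependabot bumps the commit SHA and its version comment.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    commit-message:
      prefix: "chore(deps)"
    groups:
      github-actions:            # assumed group name
        patterns: ["*"]

  # uv (Python) evaluator dependencies, batched into one PR.
  - package-ecosystem: "uv"
    directory: "/scripts/aidlc-evaluator"
    schedule:
      interval: "weekly"
    commit-message:
      prefix: "chore(deps)"
      prefix-development: "chore(deps-dev)"
    groups:
      evaluator-deps:            # assumed group name
        patterns: ["*"]

  # pre-commit hook rev pins in .pre-commit-config.yaml.
  - package-ecosystem: "pre-commit"
    directory: "/"
    schedule:
      interval: "weekly"
    commit-message:
      prefix: "chore(deps)"

  # Docker sandbox base image. No groups here, so Dependabot opens
  # one PR per base image update, as the description states.
  - package-ecosystem: "docker"
    directory: "/scripts/aidlc-evaluator/docker/sandbox"
    schedule:
      interval: "weekly"
    commit-message:
      prefix: "chore(deps)"
```

Two points worth checking when reviewing such a file: the `docker` entry only reaches Dockerfiles under its `directory`, so any image pinned elsewhere (for example the `image:` field of a GitHub Actions service container, which the description calls out for the ClamAV scanner) stays on a manual update cadence; and a `groups` block with `patterns: ["*"]` means one grouped PR carries every update for that ecosystem, so the reviewer of that PR is effectively approving several version bumps at once and should still read each changed pin.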

Configure three ecosystems on a quarterly cadence:
- github-actions: SHA-pinned actions across all workflows
- uv: Python evaluator framework dependencies (grouped by prod/dev)
- docker: sandbox Dockerfile base image

Commit messages use conventional commits (chore(deps): / chore(deps-dev):).
Updates are grouped to reduce PR noise.

Note: ClamAV service container digest in security-scanners.yml is not
covered by any Dependabot ecosystem and requires manual monthly updates.
scottschreckengaust added a commit that referenced this pull request Apr 21, 2026
Dependabot (PR #200) will handle automated version updates,
making manual update instructions unnecessary.
ronniemh pushed a commit to carconnect-ec/aidlc-workflows that referenced this pull request Apr 21, 2026
…#199)

* fix: address security scanners follow-up items from PR awslabs#161

- Fix concurrency group descriptions in admin guide to match actual
  {workflow}-{event_name}-{ref} pattern
- Update ClamAV image digest to current latest (linux/amd64)
- Add inline comment explaining sudo rm -f man-db workaround
- Replace TODO in Updating Pinned Versions with real instructions
  including monthly ClamAV cadence, GitHub Actions SHA lookup,
  scanner version sources, and verification steps

Closes awslabs#180

* docs: revert Updating Pinned Versions to original TODO

Dependabot (PR awslabs#200) will handle automated version updates,
making manual update instructions unnecessary.

* docs: add agent pre-commit checklist to ADMINISTRATIVE_GUIDE.md

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* chore(docs): auto-fix markdown lint (MD012/MD032)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Scott Schreckengaust <345885+scottschreckengaust@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@scottschreckengaust scottschreckengaust marked this pull request as ready for review April 21, 2026 22:23
@scottschreckengaust scottschreckengaust requested a review from a team as a code owner April 21, 2026 22:23
leandrodamascena (Contributor) left a comment
Hi @scottschreckengaust, overall, this PR looks good to me, just a minor issue with the Docker image version. But other than that, everything is ready to be merged.

scottschreckengaust and others added 3 commits April 22, 2026 11:34
Co-authored-by: Leandro Damascena <lcdama@amazon.pt>
Remove comment about base image not being pinned for security updates.
leandrodamascena (Contributor) left a comment
LGTM

Kalindi-Dev (Contributor) left a comment
LGTM

@scottschreckengaust scottschreckengaust added this pull request to the merge queue Apr 23, 2026
Merged via the queue into main with commit 0de057d Apr 23, 2026
21 checks passed
@scottschreckengaust scottschreckengaust deleted the chore/add-dependabot branch April 23, 2026 03:22
