ci: add .github/dependabot.yml to tame Dependabot PR noise

lelia · lelia · commit eee4a9332063 · 2026-05-18T19:13:33.000-04:00
The repo had no explicit Dependabot config, so Dependabot ran on full
defaults: one PR per package per manifest, across every manifest in
the tree -- including the e2e test fixtures that are intentionally
crafted to exercise Socket's scanner. The cumulative result was the
"PR pileup" this PR is consolidating.

New config:
- uv ecosystem (main app): grouped weekly into ONE minor/patch PR and
  one major PR; matches the existing python:uv labeling
- github-actions: grouped weekly into ONE minor/patch PR
- docker: separate weekly PR per Dockerfile change
- 7-day cooldown across all ecosystems to give upstream time to pull
  bad releases
- e2e fixtures (tests/e2e/fixtures/{simple-npm,simple-pypi}) are
  INTENTIONALLY excluded -- their pins should be chosen for supply-
  chain signal, not auto-bumped (this is why we had three fixture
  PRs in the cleanup)

Pattern adapted from SocketDev/socket-basics.

Signed-off-by: lelia &lt;2418071+lelia@users.noreply.github.com&gt;
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,80 @@
+# Dependabot configuration for socket-python-cli.
+#
+# Design notes:
+# - Python deps are grouped into ONE weekly PR (minor/patch) and a separate
+#   PR for major bumps. Drastically reduces PR clutter compared to the
+#   default behavior of one PR per package.
+# - GitHub Actions are grouped similarly into one weekly PR.
+# - Docker (the project Dockerfile) is tracked separately.
+# - The e2e test fixtures under `tests/e2e/fixtures/` are INTENTIONALLY
+#   omitted: those manifests exist to exercise Socket scanning and should
+#   be chosen for the supply-chain signal they expose, not auto-bumped.
+# - 7-day cooldown across all ecosystems gives upstream maintainers time
+#   to pull bad releases before we receive a PR.
+
+version: 2
+updates:
+
+  # Main app Python deps (uv-tracked)
+  - package-ecosystem: "uv"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 2
+    groups:
+      python-minor-patch:
+        patterns:
+          - "*"
+        update-types:
+          - "minor"
+          - "patch"
+      python-major:
+        patterns:
+          - "*"
+        update-types:
+          - "major"
+    labels:
+      - "dependencies"
+      - "python:uv"
+    commit-message:
+      prefix: "chore"
+      include: "scope"
+    cooldown:
+      default-days: 7
+
+  # GitHub Actions used in workflows
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 2
+    groups:
+      github-actions-minor-patch:
+        patterns:
+          - "*"
+        update-types:
+          - "minor"
+          - "patch"
+    labels:
+      - "dependencies"
+      - "github-actions"
+    commit-message:
+      prefix: "ci"
+      include: "scope"
+    cooldown:
+      default-days: 7
+
+  # Project Dockerfile base images and pinned binaries
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 2
+    labels:
+      - "dependencies"
+      - "docker"
+    commit-message:
+      prefix: "chore"
+      include: "scope"
+    cooldown:
+      default-days: 7
