From 5c6fe7d7caf41ec8329558906f1fd0f04edc454c Mon Sep 17 00:00:00 2001 
From: Stefan Steiner
Date: Mon, 18 May 2026 01:27:04 -0700
Subject: [PATCH] chore: add Dependabot config for cargo, npm, github-actions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Replaces "remember to run cargo search every few months" with weekly automated PRs across the three ecosystems this repo uses.

Configuration choices and why:

- **Weekly cadence.** Daily generates churn that crowds out human PRs; monthly misses urgent advisories.
- **`open-pull-requests-limit`** capped per ecosystem (cargo: 5, npm: 3, gha: 3) to prevent an avalanche on first activation and on backlog catch-ups.
- **`groups`** for lockstep dep families. Bumping `tonic` without `prost` is rarely useful, and arrow-rs ships `arrow` and `parquet` together at the same version. The four groups defined are:
- `tonic-prost` (tonic*, prost*)
- `arrow-parquet` (arrow, parquet)
- `rustcrypto` (sha2, hmac, pbkdf2, md-5)
- `napi-rs` (napi, napi-derive, napi-build)
These mirror the way the dep-refresh PR (#6) treated them as single logical bumps.
- **`ignore`** entries skip semver-major bumps for deps whose major migration was explicitly deferred (see PR #6's "Out of scope" section). Patch and minor bumps still flow through. Each entry is removed when we're ready to take that major. The list:
- arrow, parquet (58 → 59 audit)
- tonic, tonic-build, tonic-prost, tonic-prost-build, prost, prost-types (0.14 → 0.15 audit)
- rmcp (1 → 2 audit)
- napi, napi-derive, napi-build (3 → 4 audit, ties to napi runtime)
- **npm scope** is `/hyperdb-api-node` only. The other package.json files in the tree are platform-binding shells whose deps are generated artifacts; pointing Dependabot at them yields no real upgrades.
- **GitHub Actions scope** covers all `.github/workflows/*.yml` `uses:` references. The dep-refresh PR (#6) just bumped cache@v5, release-please@v5, action-gh-release@v3; future majors will surface here automatically.
---
 .github/dependabot.yml | 132 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 132 insertions(+)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..c5d8470
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,132 @@
+# Dependabot configuration.
+#
+# Opens automated PRs for dependency updates across the three ecosystems
+# this repo touches: Cargo (workspace + every member crate), npm (the
+# napi bindings), and GitHub Actions (workflow `uses:` lines).
+#
+# Conventions:
+# - Weekly cadence on every ecosystem. Daily generates churn, monthly
+# misses urgent advisories.
+# - `open-pull-requests-limit` per ecosystem prevents an avalanche the
+# first week and on backlog catch-ups.
+# - `groups` bundle lockstep dep families (tonic+prost, arrow+parquet,
+# RustCrypto traits) into single PRs so we don't get five separate
+# bumps for what is logically one upgrade.
+# - `ignore` blocks skip semver-major bumps for deps whose major
+# migration we've explicitly deferred. Each entry is annotated with
+# the reason; remove the entry when the workspace is ready to take
+# that major. Patch and minor bumps still flow through unblocked.
+
+version: 2
+updates:
+ # ---------------------------------------------------------------------------
+ # Rust workspace
+ # ---------------------------------------------------------------------------
+ - package-ecosystem: "cargo"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ open-pull-requests-limit: 5
+ commit-message:
+ prefix: "chore(deps)"
+ include: "scope"
+ labels:
+ - "dependencies"
+ - "rust"
+ groups:
+ # gRPC stack moves in lockstep — bumping `tonic` without `prost`
+ # (or vice versa) is rarely useful.
+ tonic-prost:
+ patterns:
+ - "tonic"
+ - "tonic-build"
+ - "tonic-prost"
+ - "tonic-prost-build"
+ - "prost"
+ - "prost-types"
+ # arrow-rs ships `arrow` and `parquet` together at the same version.
+ arrow-parquet:
+ patterns:
+ - "arrow"
+ - "parquet"
+ # RustCrypto traits move together; we bumped them as one commit
+ # in the dep-refresh PR and want future bumps to follow suit.
+ rustcrypto:
+ patterns:
+ - "sha2"
+ - "hmac"
+ - "pbkdf2"
+ - "md-5"
+ # napi-rs ships the runtime crate, derive macro, and build helper
+ # together; pinning them to a single PR avoids three-way version
+ # skew on the Node bindings.
+ napi-rs:
+ patterns:
+ - "napi"
+ - "napi-derive"
+ - "napi-build"
+ ignore:
+ # Major bumps deferred to dedicated PRs with their own audits —
+ # see the "Out of scope" section of PR #6 (dep refresh).
+ #
+ # Remove an entry below once the workspace is ready to take that
+ # major; patch/minor bumps continue to flow through automatically
+ # in the meantime.
+ - dependency-name: "arrow"
+ update-types: ["version-update:semver-major"]
+ - dependency-name: "parquet"
+ update-types: ["version-update:semver-major"]
+ - dependency-name: "tonic"
+ update-types: ["version-update:semver-major"]
+ - dependency-name: "tonic-build"
+ update-types: ["version-update:semver-major"]
+ - dependency-name: "tonic-prost"
+ update-types: ["version-update:semver-major"]
+ - dependency-name: "tonic-prost-build"
+ update-types: ["version-update:semver-major"]
+ - dependency-name: "prost"
+ update-types: ["version-update:semver-major"]
+ - dependency-name: "prost-types"
+ update-types: ["version-update:semver-major"]
+ - dependency-name: "rmcp"
+ update-types: ["version-update:semver-major"]
+ - dependency-name: "napi"
+ update-types: ["version-update:semver-major"]
+ - dependency-name: "napi-derive"
+ update-types: ["version-update:semver-major"]
+ - dependency-name: "napi-build"
+ update-types: ["version-update:semver-major"]
+
+ # ---------------------------------------------------------------------------
+ # npm — hyperdb-api-node (the only package.json with real upgradable deps)
+ # ---------------------------------------------------------------------------
+ # Other package.json files in the tree (root, hyperdb-mcp/npm/*,
+ # hyperdb-api-node/npm/*) are platform-binding shells whose deps are
+ # generated artifacts, not real upgradable packages.
+ - package-ecosystem: "npm"
+ directory: "/hyperdb-api-node"
+ schedule:
+ interval: "weekly"
+ open-pull-requests-limit: 3
+ commit-message:
+ prefix: "chore(deps)"
+ include: "scope"
+ labels:
+ - "dependencies"
+ - "npm"
+
+ # ---------------------------------------------------------------------------
+ # GitHub Actions — `uses:` references in every workflow under
+ # .github/workflows/. Catches new majors of cache, checkout, etc.
+ # ---------------------------------------------------------------------------
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ open-pull-requests-limit: 3
+ commit-message:
+ prefix: "chore(deps)"
+ include: "scope"
+ labels:
+ - "dependencies"
+ - "github-actions"
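Review bot: The cargo `ignore` block (the twelve `version-update:semver-major` entries) does not record that, per Dependabot's documentation, ignore conditions apply to security updates as well as version updates, so an advisory whose fix ships only in the next major of arrow, tonic/prost, rmcp or napi would be suppressed silently until someone deletes the entry — the header comment's "patch and minor bumps still flow through unblocked" is true, but advisory-driven majors do not. I would extend the comment above the list with `# NOTE: ignore conditions also suppress Dependabot *security* PRs for these deps, so an advisory fixed only in a new major must be tracked and taken by hand while the entry exists.` and confirm that reading against current Dependabot behaviour before relying on the deferral. Relatedly, `open-pull-requests-limit` bounds version-update PRs only and security-update PRs are counted separately, so the 5/3/3 caps do not throttle advisory fixes — worth one line in the header comment so nobody raises a cap for that reason. For the github-actions entry, Dependabot tracks whatever pinning style the workflows already use, so a follow-up should pin `uses:` references to full commit SHAs (Dependabot updates SHA pins too) rather than mutable major tags such as `cache@v5`; the workflows themselves are outside this patch, so that is inferred from the commit message.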