Conversation

@Vitexus Vitexus commented Aug 13, 2025

This PR enables Dependabot for Composer and GitHub Actions.

Summary by CodeRabbit

  • Chores
    • Configured automated Composer dependency updates on a weekly schedule.
    • Limited simultaneous update pull requests to 10.
    • Set versioning strategy to “increase” for dependency updates.
    • Standardized commit messages with a “composer” prefix for these updates.
    • Retained weekly updates for GitHub Actions dependencies.
    • No user-facing changes.

coderabbitai bot commented Aug 13, 2025

Walkthrough

Dependabot configuration updated: the previously commented-out Composer example is replaced with an explicit Composer updater configuration, including a weekly schedule, an open pull request limit, a versioning strategy, and a commit message prefix. The existing GitHub Actions updater remains, scheduled weekly.

Changes

Cohort / File(s): Dependabot configuration, .github/dependabot.yml
Summary of Changes: Added explicit Composer updater with weekly schedule, open-pull-requests-limit: 10, versioning-strategy: increase, and commit-message prefix "composer"; retained GitHub Actions updater with weekly schedule.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

I twitch my whiskers, configs aligned,
Composer wakes on a weekly grind.
Ten little PRs hop in a row,
“increase” they chirp, with tidy glow.
Actions stay steady, right on time—
A burrow of updates, neatly prime. 🐇✨

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (5)
.github/dependabot.yml (5)

5-6: Consider setting day/time/timezone for predictable runs

Defining a specific day/time/timezone reduces noise during business hours and makes runs deterministic.

Apply this diff to refine the schedule:

     schedule:
       interval: "weekly"
+      day: "monday"
+      time: "02:00"
+      timezone: "Europe/Prague"
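Review bot: `day` only takes effect together with `interval: "weekly"`, which the context line above shows, so the three added keys are consistent; keep `timezone` next to `time`, because without it `02:00` is read as UTC rather than the local off-hours window the comment intends. The value must be an IANA zone identifier such as the `Europe/Prague` used here; an invalid zone is rejected when the configuration is parsed and no updates run until it is fixed.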

9-10: Enhance commit messages for clarity

Including scope and distinguishing dev dependency bumps makes PRs easier to scan.

Apply this diff:

     commit-message:
       prefix: "composer"
+      prefix-development: "composer-dev"
+      include: "scope"
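Review bot: `scope` is the only value Dependabot accepts for `include`, and for Composer `prefix-development` applies to `require-dev` bumps, so the diff is well-formed; one caveat for the `+` lines: with `include: "scope"` the generated subject lines carry a `(deps)` or `(deps-dev)` scope after the prefix (for example `composer(deps): ...`, `composer-dev(deps-dev): ...`), so any commit-lint rule or status check that matches on the commit prefix must allow that form.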

3-10: Optionally group Composer updates to reduce PR noise

Grouping can bundle similar updates (e.g., dev deps) and cut PR volume without losing clarity.

Apply this diff after the commit-message block:

     commit-message:
       prefix: "composer"
+      prefix-development: "composer-dev"
+      include: "scope"
+    groups:
+      prod-dependencies:
+        patterns:
+          - "*"
+        update-types:
+          - "patch"
+          - "minor"
+      dev-dependencies:
+        dependency-type: "development"
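Review bot: the `prod-dependencies` group matches on `patterns: "*"` with no `dependency-type`, so a `require-dev` package that receives a patch or minor bump matches both groups; add `dependency-type: "production"` to it so the split is unambiguous. Also, the `+` lines for `prefix-development` and `include` repeat the previous suggestion verbatim: apply one of the two diffs, not both, or the `commit-message` mapping ends up with duplicate keys. Two further points for whoever adopts this: `groups` only affect version updates unless a group sets `applies-to: "security-updates"`, and a grouped PR makes bisecting a broken build or a suspicious release to one bump harder, which is the usual reason to leave major bumps ungrouped, as this diff does by listing only `patch` and `minor`.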

11-12: Add labels and clearer commit prefix for GitHub Actions updates

This helps triage and distinguishes CI bumps from library deps.

Apply this diff:

   - package-ecosystem: "github-actions"
     directory: "/"
+    labels:
+      - "dependencies"
+      - "ci"
+    commit-message:
+      prefix: "ci"
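Review bot: `labels` replaces the default label set rather than adding to it, so listing `dependencies` explicitly, as the diff does, is needed to keep it; both labels must already exist in the repository, because Dependabot ignores labels it cannot find instead of creating them. Worth stating in the PR description, since it is the main security benefit of this updater: Dependabot for `github-actions` also bumps `uses:` references pinned to a full commit SHA (and refreshes the trailing version comment), so workflows can be pinned to immutable SHAs without losing updates.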

13-14: Optionally add day/time/timezone for Actions updater too

Keeps both updaters aligned and predictable.

Apply this diff:

     schedule:
       interval: "weekly"
+      day: "monday"
+      time: "02:30"
+      timezone: "Europe/Prague"
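Review bot: staggering the Actions run 30 minutes after the Composer run keeps the two sets of PRs from landing in one burst, which is fine; since both blocks now carry their own `day` and `timezone`, a later edit to one must be mirrored in the other, otherwise the CI bumps silently move to a different window. Run timing and any configuration error are visible in the repository's Dependabot tab rather than in a PR, so check it once after merging.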
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d36fe85 and 0477063.

📒 Files selected for processing (1)
  • .github/dependabot.yml (1 hunks)
🔇 Additional comments (1)
.github/dependabot.yml (1)

1-14: Config is valid and achieves the PR goal

Dependabot is correctly enabled for Composer and GitHub Actions with a weekly cadence. This aligns with the PR objective and is a solid baseline.

The lines of .github/dependabot.yml this comment is attached to:

      schedule:
        interval: "weekly"
      open-pull-requests-limit: 10
      versioning-strategy: increase

💡 Verification agent

🧩 Analysis chain

Validate Composer’s versioning strategy; confirm intended behavior

Using versioning-strategy: increase will widen version constraints in composer.json to the latest allowed versions. Ensure this matches your policy (often preferred for apps; libraries might prefer default behavior).

Would you like to confirm Composer supports increase here and that it’s the desired policy? If needed, we can switch to the default behavior by removing the key.


🌐 Web query:

Does Dependabot support `versioning-strategy: increase` for the Composer ecosystem in dependabot.yml? What are the allowed values and their effects?

💡 Result:

Dependabot supports versioning-strategy: increase for the Composer ecosystem in dependabot.yml. The allowed values for versioning-strategy in Composer (and other supported ecosystems) are: auto, increase, increase-if-necessary, lockfile-only, and widen.

Details of allowed values and their effects:

  • auto: Default. For "app"-type dependencies, increases the minimum version; for "library"-type, widens the version range.
  • increase: Always increases the minimum version requirement to match the new version. If a range exists, typically only the lower bound is increased.
  • increase-if-necessary: Changes the constraint only if the new version is not already allowed by the original constraint.
  • lockfile-only: Only updates the lockfile, never modifies the manifest version requirements.
  • widen: Widens the allowed version range to include both the new and old versions, typically only increasing the upper bound.

Example (for composer.json constraint ^1.0.0 → new version 1.2.0 or 2.0.0):

  • increase:
    • 1.2.0 → ^1.2.0
    • 2.0.0 → ^2.0.0
  • increase-if-necessary:
    • 1.2.0 → ^1.0.0 (unchanged, since within the initial range)
    • 2.0.0 → ^2.0.0 (changed, since outside the range)
  • widen:
    • 1.2.0 → ^1.0.0
    • 2.0.0 → >=1.0.0 <3.0.0

Summary for Composer:
You can use versioning-strategy: increase or any of the above strategies in your Composer section in dependabot.yml to control exactly how manifest version requirements are updated. The strategies allow fine control over how strict or permissive version bumps are when Dependabot proposes updates.

References:

  • The most up-to-date and authoritative information comes from the official GitHub Docs.

Clarify Composer versioning strategy configuration

File: .github/dependabot.yml
Lines: 8

Using versioning-strategy: increase will bump only the minimum version requirement in your composer.json (i.e. update the lower bound to the new version). It does not widen the upper bound—that’s what the widen strategy does. Make sure always forcing a minimum-version bump aligns with your policy (apps often use it; libraries frequently prefer a more conservative or default approach).

Consider these options instead of (or in place of) increase:

  • auto: default; apps → increase minimum, libraries → widen range
  • increase: always bump the lower bound to the latest version
  • increase-if-necessary: only bump if the new version falls outside the existing constraint
  • lockfile-only: update the lockfile without touching your composer.json
  • widen: extend the version range to include both old and new versions

If you’d rather stick with Dependabot’s default behavior, remove the versioning-strategy key or choose one of the strategies above that best fits your project’s needs.

🤖 Prompt for AI Agents
.github/dependabot.yml around line 8: the file currently sets
versioning-strategy: increase which only bumps the minimum version (lower bound)
in composer.json and may not be the intended policy; update this key to the
desired strategy (e.g., remove the key to use Dependabot default, or set it to
auto, widen, increase-if-necessary, or lockfile-only depending on whether you
want to widen upper bounds, only adjust lockfile, or use Dependabot’s
app/library defaults) so the composer dependency updates match the project’s
intent.
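
A complete .github/dependabot.yml that reconciles the five nitpicks and the versioning-strategy comment above, written here as an added example rather than the file merged in this PR. The day/time/timezone values, the labels, the group names and the explicit dependency-type on the production group are assumptions; the repository's actual file contains only what the walkthrough lists.

```yaml
# Added example, not the merged .github/dependabot.yml from this PR.
# Day/time/timezone, labels, group names and the production dependency-type
# are assumptions chosen to resolve the review suggestions above.
version: 2
updates:
  - package-ecosystem: "composer"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"            # only honored with interval: weekly
      time: "02:00"            # HH:MM, interpreted in the timezone below
      timezone: "Europe/Prague" # IANA zone; omit and `time` is read as UTC
    open-pull-requests-limit: 10
    # "increase" raises the lower bound in composer.json to the new version
    # (^1.0.0 -> ^1.2.0). A library whose consumers must keep resolving older
    # releases would use "widen" or "lockfile-only" instead.
    versioning-strategy: "increase"
    commit-message:
      prefix: "composer"
      prefix-development: "composer-dev" # require-dev bumps
      include: "scope"                   # appends (deps) / (deps-dev)
    groups:
      # Explicit dependency-type on both groups so no package matches twice.
      prod-minor-and-patch:
        dependency-type: "production"
        update-types:
          - "minor"
          - "patch"
      dev-dependencies:
        dependency-type: "development"
    # Major bumps of production packages match neither group and stay one PR
    # each, so a breaking or suspicious release is reviewed in isolation.

  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "02:30"             # staggered after the Composer run
      timezone: "Europe/Prague"
    # `labels` replaces the default set, so "dependencies" is re-listed; both
    # labels must already exist in the repository or Dependabot ignores them.
    labels:
      - "dependencies"
      - "ci"
    commit-message:
      prefix: "ci"
```

The github-actions updater also bumps `uses:` references pinned to a full commit SHA and refreshes the trailing version comment, so workflows can pin to immutable SHAs and still receive these weekly PRs.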

@Vitexus Vitexus merged commit 5b81efd into main Aug 13, 2025
2 checks passed
@Vitexus Vitexus deleted the enable-dependabot branch August 13, 2025 11:16