Skip to content

fix: add github-actions ecosystem to dependabot config#76

Merged
don-petry merged 18 commits into
mainfrom
claude/issue-53-20260508-1409
May 13, 2026
Merged

fix: add github-actions ecosystem to dependabot config#76
don-petry merged 18 commits into
mainfrom
claude/issue-53-20260508-1409

Conversation

@don-petry
Copy link
Copy Markdown
Collaborator

@don-petry don-petry commented May 8, 2026

Summary

  • Creates .github/dependabot.yml with the required github-actions ecosystem entry
  • Configured per the org dependabot policy standard: weekly schedule, open-pull-requests-limit: 10, labels security and dependencies

Why

The compliance audit flagged missing-github-actions-ecosystem — every repository must include a Dependabot config entry for github-actions to keep pinned action SHAs current and reduce CI attack surface.

Closes #53

Generated with Claude Code

@github-actions @don-petry
fix: add github-actions ecosystem to dependabot config
e9d7a8d 
Adds the required github-actions ecosystem entry to .github/dependabot.yml
per the org dependabot policy standard. Uses weekly schedule with version
updates enabled (limit 10) for CI actions currency.

Closes #53

Co-authored-by: Don Petry <don-petry@users.noreply.github.com>
Copilot AI review requested due to automatic review settings May 8, 2026 14:11
@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented May 8, 2026
edited
Loading

Warning

Rate limit exceeded

@don-petry has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 49 minutes and 52 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: d52d703a-8d69-4746-abcc-d7ea7f22f0f5

📥 Commits

Reviewing files that changed from the base of the PR and between 53aa91f and ef2ed48.

📒 Files selected for processing (1)
  • .github/dependabot.yml
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/issue-53-20260508-1409

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@don-petry don-petry mentioned this pull request May 8, 2026
Closed
Copilot AI reviewed May 8, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a repository-level Dependabot configuration to satisfy the org compliance requirement to track GitHub Actions updates.

Changes:

  • Introduces .github/dependabot.yml with a github-actions ecosystem entry.
  • Configures weekly update cadence, PR limit (10), and default labels (security, dependencies).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@don-petry don-petry mentioned this pull request May 9, 2026
Closed
@don-petry don-petry enabled auto-merge (squash) May 10, 2026 17:45
@don-petry don-petry mentioned this pull request May 10, 2026
Closed
@don-petry don-petry closed this May 11, 2026
auto-merge was automatically disabled May 11, 2026 21:39

Pull request was closed

@don-petry don-petry reopened this May 11, 2026
@don-petry don-petry closed this May 12, 2026
@don-petry don-petry reopened this May 12, 2026
@don-petry don-petry enabled auto-merge (squash) May 12, 2026 01:43
@don-petry don-petry mentioned this pull request May 13, 2026
Closed
1 task
donpetry-bot
donpetry-bot approved these changes May 13, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@donpetry-bot donpetry-bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: 385dde66f5d9f072ddfee3ca0bceba10acbdcf0d
Review mode: triage-approved (single reviewer)

Summary

Adds a new .github/dependabot.yml (11 lines, 1 file) containing a single github-actions ecosystem entry. The configuration matches the org dependabot-policy.md GitHub Actions template exactly — weekly schedule, open-pull-requests-limit: 10, and labels security + dependencies. No code, workflows, secrets, or runtime behavior are affected; this is config-only and confined to Dependabot's view of CI actions.

Linked issue analysis

Closes #53Compliance: missing-github-actions-ecosystem. The compliance finding asked for a github-actions ecosystem entry per the standard; the new file adds exactly that with the prescribed parameters. The fix is scoped precisely to the audit finding.

Findings

No blocking or non-blocking findings.

  • Config keys, values, and labels match the org GitHub Actions template verbatim.
  • directory: "/" is correct since workflow files live under .github/workflows/ (Dependabot's github-actions ecosystem scans the repo root for workflows regardless).
  • The PR scope is intentionally narrow; the policy doc mentions other companion files (dependabot-automerge.yml, dependency-audit.yml, dependabot-rebase.yml) but those are out of scope for the specific missing-github-actions-ecosystem audit finding being closed here.

CI status

All checks green:

  • ✅ CodeQL — Analyze (actions): SUCCESS
  • ✅ CodeQL: SUCCESS
  • ✅ CodeRabbit: SUCCESS (the visible CodeRabbit comment is a rate-limit notice on its own review service, not a failed check)
  • ✅ SonarQube Cloud quality gate: passed (0 new issues, 0 hotspots)

mergeStateStatus is BLOCKED only because REVIEW_REQUIRED was outstanding; merge itself is MERGEABLE.

Reviewed automatically by the PR-review agent (single-reviewer mode: opus 4.7). Reply if you need a human review.

@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented May 13, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@don-petry don-petry merged commit d081939 into main May 13, 2026
17 checks passed
@don-petry don-petry deleted the claude/issue-53-20260508-1409 branch May 13, 2026 16:28
donpetry-bot
donpetry-bot approved these changes May 13, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@donpetry-bot donpetry-bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: ef2ed489939d67a3cea3be802c7cb6f5316d81e7
Review mode: triage-approved (single reviewer)

Summary

Adds a new .github/dependabot.yml (11 lines, 1 file) with a single github-actions ecosystem entry. The configuration matches the org dependabot-policy.md GitHub Actions template verbatim — weekly schedule, open-pull-requests-limit: 10, and labels security + dependencies. No code, workflows, secrets, or runtime behavior are affected; this is config-only and confined to Dependabot's view of CI actions.

This is a triage-approved confirmation review. The prior approval at 385dde66f5d9f072ddfee3ca0bceba10acbdcf0d is still valid — the only commit added since is ef2ed48 ("ci: retrigger checks"), an empty commit that touches no files. The previous risk assessment of LOW remains correct.

Linked issue analysis

Closes #53Compliance: missing-github-actions-ecosystem. The audit finding asked for a github-actions ecosystem entry per the standard; the new file adds exactly that with the prescribed parameters. The fix is scoped precisely to the audit finding — no scope creep into the other companion files mentioned by the policy doc (dependabot-automerge.yml, dependency-audit.yml, dependabot-rebase.yml), which are out of scope for this specific finding.

Findings

No blocking or non-blocking findings.

  • Config keys, values, and labels match the org GitHub Actions template verbatim.
  • directory: "/" is correct for the github-actions ecosystem — Dependabot scans .github/workflows/ from the repo root regardless of this value.
  • The no-op ci: retrigger checks commit does not change the diff under review.

CI status

All checks green at the current SHA:

  • ✅ CodeQL — Analyze (actions): SUCCESS
  • ✅ CodeQL: SUCCESS
  • ✅ AgentShield: SUCCESS
  • ✅ Claude Code: SUCCESS
  • ✅ CodeRabbit status: SUCCESS (the visible CodeRabbit comment is a rate-limit notice on its own review service, not a failed check)
  • ✅ SonarCloud / SonarQube Cloud quality gate: passed (0 new issues, 0 hotspots)
  • ✅ Tests (unit-tests): SUCCESS
  • ✅ Dependency audit — ecosystem detection: SUCCESS

Reviewed automatically by the PR-review agent (single-reviewer mode: opus 4.7). Reply if you need a human review.

This was referenced May 16, 2026
Closed
Closed
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@donpetry-bot donpetry-bot donpetry-bot approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Compliance: missing-github-actions-ecosystem

3 participants

@don-petry @donpetry-bot