
chore: add Dependabot config for cargo, npm, github-actions #8

Merged
StefanSteiner merged 1 commit into tableau:main from StefanSteiner:ssteiner/add-dependabot on May 18, 2026

Conversation

@StefanSteiner
Contributor

Add Dependabot

Summary

Replaces the manual "remember to run `cargo search` every few months" workflow with weekly automated PRs across the three ecosystems this repo uses (Cargo, npm, GitHub Actions). Single config file: `.github/dependabot.yml`.

This is a workflow change, not a dep change — the actual upgrade choices still happen in human-authored review of each Dependabot PR.

Config choices and reasoning

Weekly cadence on every ecosystem

Daily generates churn that crowds out human PRs; monthly misses urgent advisories. Weekly is the standard middle ground.

`open-pull-requests-limit` per ecosystem

| Ecosystem | Limit |
| --- | --- |
| cargo | 5 |
| npm | 3 |
| github-actions | 3 |

Caps the firehose on first activation and on backlog catch-ups. Without a limit, the very first Dependabot run after merging this PR would open a PR per outdated dep simultaneously.

`groups` for lockstep dep families

Four cargo groups defined so logically-paired bumps arrive as a single PR rather than three to six separate ones:

| Group | Members | Why grouped |
| --- | --- | --- |
| `tonic-prost` | `tonic*`, `prost*` | gRPC stack always moves together. |
| `arrow-parquet` | `arrow`, `parquet` | arrow-rs ships them at the same version. |
| `rustcrypto` | `sha2`, `hmac`, `pbkdf2`, `md-5` | RustCrypto traits move in lockstep; PR #6 commit 3 bumped them as one commit. |
| `napi-rs` | `napi`, `napi-derive`, `napi-build` | napi-rs ships runtime + derive macro + build helper together. |

This mirrors how PR #6 (the dep refresh) handled these families, so future Dependabot PRs follow the same shape we'd write by hand.

`ignore` entries skip semver-major bumps for deferred-major deps

Each entry below corresponds to a major migration we explicitly deferred per PR #6's "Out of scope" section. Patch and minor bumps still flow through unblocked; only majors are suppressed. The block comment in the file says: remove an entry when we're ready to take that major.

| Dep family | Reason ignored |
| --- | --- |
| `arrow`, `parquet` | 58 → 59 touches public re-export surface; needs dedicated audit. |
| `tonic`, `tonic-build`, `tonic-prost`, `tonic-prost-build`, `prost`, `prost-types` | 0.14 → 0.15 touches the wire-protocol layer. |
| `rmcp` | 1 → 2 reworks tool-attribute / handler API. |
| `napi`, `napi-derive`, `napi-build` | 3 → 4 changes macro surface and N-API runtime floor. |

npm scope is `/hyperdb-api-node` only

Other `package.json` files in the tree (`/package.json`, `hyperdb-mcp/npm/`, `hyperdb-api-node/npm/`) are platform-binding shells whose deps are generated prebuild artifacts, not real upgradable packages. Pointing Dependabot at them yields no real PRs.

GitHub Actions scope covers all workflows

Future action-major bumps surface here automatically. PR #6 just bumped `cache@v5`, `release-please-action@v5`, `action-gh-release@v3` by hand — that won't be needed next time.

What you'll see after merge

  • Within a few hours of merging, GitHub will activate Dependabot and start opening PRs.
  • The first wave will be patch/minor bumps for any deps that have drifted since PR #6 (chore(deps): refresh Rust + npm + GHA dependencies); probably a small list, since #6 just floored everything to current.
  • Each PR is signed by Dependabot's own bot identity (signed via GitHub's web-flow key — they show as Verified).
  • The `commit-message: prefix: "chore(deps)"` setting means PR titles match the conventional-commit style release-please expects, so they don't accidentally trigger version bumps.

Out of scope

  • Dependabot security updates — these are GitHub-side and on by default; no config needed in this PR.
  • Auto-merge for low-risk patch bumps — possible via a separate workflow but adds infrastructure surface; defer until we see whether the volume warrants it.
  • Re-enabling deferred majors — done in follow-up PRs by removing the corresponding `ignore` entry. Each major still gets its own audit.

Test plan

  • Merge this PR.
  • Watch GitHub's Insights → Dependency graph → Dependabot tab for any config-parse errors. (Local YAML validation passed; this is the authoritative gate.)
  • Within ~24h, observe Dependabot opening its first PRs. Confirm:
    • Cargo group PRs (e.g. `tonic-prost` family) bundle correctly.
    • npm PRs target only `hyperdb-api-node`.
    • github-actions PRs surface for any drifted action versions.
    • No PR proposes a major bump for an ignored dep.
  • If anything is wrong, iterate on `.github/dependabot.yml` in a follow-up PR.

Replaces "remember to run cargo search every few months" with weekly
automated PRs across the three ecosystems this repo uses.

Configuration choices and why:

- **Weekly cadence.** Daily generates churn that crowds out human PRs;
  monthly misses urgent advisories.

- **`open-pull-requests-limit`** capped per ecosystem (cargo: 5, npm: 3,
  gha: 3) to prevent an avalanche on first activation and on backlog
  catch-ups.

- **`groups`** for lockstep dep families. Bumping `tonic` without
  `prost` is rarely useful, and arrow-rs ships `arrow` and `parquet`
  together at the same version. The four groups defined are:
  - `tonic-prost` (tonic*, prost*)
  - `arrow-parquet` (arrow, parquet)
  - `rustcrypto` (sha2, hmac, pbkdf2, md-5)
  - `napi-rs` (napi, napi-derive, napi-build)

  These mirror the way the dep-refresh PR (tableau#6) treated them as
  single logical bumps.

- **`ignore`** entries skip semver-major bumps for deps whose major
  migration was explicitly deferred (see PR tableau#6's "Out of scope"
  section). Patch and minor bumps still flow through. Each entry is
  removed when we're ready to take that major. The list:
  - arrow, parquet                 (58 → 59 audit)
  - tonic, tonic-build,
    tonic-prost, tonic-prost-build,
    prost, prost-types             (0.14 → 0.15 audit)
  - rmcp                           (1 → 2 audit)
  - napi, napi-derive, napi-build  (3 → 4 audit, ties to napi runtime)

- **npm scope** is `/hyperdb-api-node` only. The other package.json
  files in the tree are platform-binding shells whose deps are
  generated artifacts; pointing Dependabot at them yields no real
  upgrades.

- **GitHub Actions scope** covers all `.github/workflows/*.yml` `uses:`
  references. The dep-refresh PR (tableau#6) just bumped cache@v5,
  release-please@v5, action-gh-release@v3; future majors will surface
  here automatically.
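The `.github/dependabot.yml` that the description and commit message above lay out, written out here as an added example; this is a reconstruction from the stated choices, not the file from commit 53f3a01, which this page does not show. Assumptions beyond what the page states: the Cargo workspace and the workflow files sit at the repository root (`directory: "/"`), the `chore(deps)` prefix is applied to all three ecosystems, and the `ignore` list uses `*` wildcards on `dependency-name` (`tonic*`, `prost*`, `napi*`) rather than one entry per crate; the wildcards are my choice and also match any other crate whose name starts that way.

```yaml
version: 2
updates:
  # Rust crates: weekly, at most 5 open PRs, lockstep families grouped.
  - package-ecosystem: "cargo"
    directory: "/"                 # assumption: Cargo workspace root
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
    commit-message:
      prefix: "chore(deps)"
    groups:
      tonic-prost:
        patterns: ["tonic*", "prost*"]        # tonic, tonic-build, tonic-prost*, prost, prost-types
      arrow-parquet:
        patterns: ["arrow", "parquet"]
      rustcrypto:
        patterns: ["sha2", "hmac", "pbkdf2", "md-5"]
      napi-rs:
        patterns: ["napi", "napi-derive", "napi-build"]
    # Deferred majors: suppress semver-major only; patch and minor bumps
    # still flow through. Remove an entry when that migration is ready.
    ignore:
      - dependency-name: "arrow"            # 58 -> 59 audit
        update-types: ["version-update:semver-major"]
      - dependency-name: "parquet"          # 58 -> 59 audit
        update-types: ["version-update:semver-major"]
      - dependency-name: "tonic*"           # 0.14 -> 0.15 audit (wildcard: assumption)
        update-types: ["version-update:semver-major"]
      - dependency-name: "prost*"           # 0.14 -> 0.15 audit (wildcard: assumption)
        update-types: ["version-update:semver-major"]
      - dependency-name: "rmcp"             # 1 -> 2 audit
        update-types: ["version-update:semver-major"]
      - dependency-name: "napi*"            # 3 -> 4 audit (wildcard: assumption)
        update-types: ["version-update:semver-major"]

  # npm: only the real package; the platform-binding shells are skipped.
  - package-ecosystem: "npm"
    directory: "/hyperdb-api-node"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 3
    commit-message:
      prefix: "chore(deps)"

  # GitHub Actions: every `uses:` reference under .github/workflows.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 3
    commit-message:
      prefix: "chore(deps)"
```

Two things worth checking on the first run, in addition to the test plan's "No PR proposes a major bump for an ignored dep" item. First, the tonic/prost family is pre-1.0 (0.14 → 0.15), and whether Dependabot classes that bump as `semver-major` for a 0.x crate is exactly the kind of thing the first wave will reveal; if a 0.15 PR does appear, an explicit version-range ignore (`versions: [">= 0.15"]` on the same `dependency-name`) is the fallback that does not depend on that classification. Second, a local YAML lint only proves the file parses; as the test plan says, the Dependabot tab under Insights → Dependency graph is the authoritative gate, because unknown keys and bad `update-types` values surface there, not in a linter.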
@StefanSteiner StefanSteiner merged commit 53f3a01 into tableau:main May 18, 2026
9 checks passed