
Group Dependabot updates into weekly per-ecosystem grouped PRs #236

Merged

wallstop merged 10 commits into main from codex/update-dependabot-configuration-for-grouped-prs on Mar 30, 2026

Conversation


@wallstop wallstop commented Mar 30, 2026

Description

Reduces Dependabot noise by batching dependency updates into weekly, per-ecosystem grouped PRs and adds schema validation infrastructure to prevent invalid Dependabot v2 configuration from being committed.

What changed:

  • .github/dependabot.yml — Fixed to use valid Dependabot v2 syntax: restored the required schedule: {interval: weekly} block on all three entries (github-actions, nuget, npm), replaced the non-existent multi-ecosystem-groups/multi-ecosystem-group keys and misplaced patterns: with the correct groups: {all-dependencies: {patterns: ["*"]}} block nested inside each entry. Note: Dependabot v2 does not support cross-ecosystem grouping; updates from different ecosystems are always separate PRs, but updates within each ecosystem are now batched into a single PR.

  • scripts/lint-dependabot.ps1 — New structural validator for .github/dependabot.yml that validates all provided paths (not just the first), and detects seven named error codes:

    • DEP001 — Root-level version: 2 is missing or does not appear before the updates: section (scanning stops only at updates:, not at other valid top-level keys like registries:); accepts bare 2, double-quoted "2", single-quoted '2', and optional trailing inline comments; a nested version: 2 inside another block does not satisfy this check
    • DEP002 — Invalid multi-ecosystem-groups: top-level key
    • DEP003 — Invalid multi-ecosystem-group: inside an entry
    • DEP004 — patterns: at entry level instead of inside groups:
    • DEP005 — An entry missing a schedule: block
    • DEP006 — A groups: entry missing patterns: (reported at the group item's declaration line, not the parser's current position)
    • DEP007 — No updates: section found in the configuration (a file with only version: 2 and no updates: block is now an explicit error)
  • scripts/tests/test-lint-dependabot.ps1 — 20 tests covering all error codes, multi-path validation, DEP001 position enforcement, DEP001 false-positive prevention for non-version: top-level keys, DEP001 root-level enforcement (nested version: 2 must not satisfy check), DEP001 tolerance for all valid YAML scalar forms (version: 2, version: "2", version: '2', version: 2 # comment), DEP006 line-number accuracy, comment-in-groups regression, missing updates: section detection (DEP007), and a regression test against the exact broken config that prompted this fix. All pass. Linter invocations in test helpers are wrapped in try/catch so unexpected exceptions are reported as failed tests and never abort the suite (matching the test-lint-odin-undo-safety.ps1 pattern).

  • .github/workflows/dependabot-lint.yml — CI workflow (following the odin-undo-safety-lint.yml pattern: shell: pwsh, paths: filter, permissions: contents: read at workflow level) that runs tests then lint on every relevant change.

  • package.json — Added lint:dependabot and test:lint-dependabot scripts; wired into validate:content and validate:tests respectively.

  • .githooks/pre-commit — Added section 8b: runs lint-dependabot.ps1 when dependabot.yml is staged, catching schema errors at commit time.

  • LLM documentation — Updated linter-reference.md, formatting-and-linting.md, and context.md to document the new command and pre-commit step.

Validator improvements (from review feedback):

  • All paths provided to lint-dependabot.ps1 are now validated (not just the first match); errors are prefixed with the filename when multiple files are checked.
  • DEP001 now enforces that version: 2 appears before updates:, scanning past any other top-level key (e.g. registries:) without false-triggering. Only reaching updates: without having seen version: 2 fails the check.
  • DEP001 regex anchored to YAML root (^version\s*:) so a version: 2 value nested inside another block (e.g. under registries:) cannot satisfy the check.
  • DEP001 regex loosened to accept all valid YAML scalar forms: unquoted (version: 2), double-quoted (version: "2"), single-quoted (version: '2'), and any of the above with a trailing inline comment (e.g. version: 2 # required by Dependabot v2).
  • New DEP007 error emitted when the updates: section is completely absent from the file.
  • DEP006 now tracks a $groupsItemLineNumber variable set at each named group item's declaration line; all four emission sites report that line instead of the parser's current position, giving actionable error locations.
  • Per-group state ($inGroupsItem, $groupsItemHasPatterns, $groupsItemLineNumber) is now unconditionally reset whenever the parser leaves the groups: block — not just on the error path — keeping parser state clean regardless of whether the previous group had patterns:.
  • Blank lines and # comment lines inside groups: blocks are explicitly skipped so they cannot trigger false DEP006 errors; named group item detection is tightened to ^\s{6}[A-Za-z0-9_.~-]+\s*:.
  • Write-Info is used in test helpers to log fixture paths when -VerboseOutput is active.
  • The unary comma in return , $fileErrors is documented: without it, PowerShell enumerates the List[string] in the pipeline and an empty list becomes $null, which throws under Set-StrictMode -Version Latest when .Count is accessed.
  • The PS7-only ternary exit ($totalErrors -gt 0 ? 1 : 0) is replaced with a PS5.1-compatible if/else — required because the pre-commit hook invokes the script via powershell (Windows PowerShell 5.1) as a fallback when pwsh is absent.

Related Issue

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update
  • Refactor (code change that neither fixes a bug nor adds a feature)

Checklist

  • I have added tests that prove my fix is effective or my feature works
  • I have updated the documentation accordingly
  • I have updated the CHANGELOG
  • My changes do not introduce breaking changes, or breaking changes are documented
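As an added illustration (not the repository's scripts/lint-dependabot.ps1, and with a hypothetical function name), the following PowerShell re-implements three of the checks described above (DEP001 with its root-anchored, quote-tolerant regex, DEP005 and DEP007) and runs them over constructed fixtures, one of which mirrors the shape of the broken configuration the description refers to; the unary-comma return and the if/else-instead-of-ternary points from the description are applied in the code.

```powershell
# Added example (not the repository's scripts/lint-dependabot.ps1): a minimal
# line-oriented checker for DEP001, DEP005 and DEP007 over constructed fixtures.
# Kept PS 5.1-compatible because the pre-commit hook falls back to powershell.exe.
Set-StrictMode -Version Latest
function Get-DependabotStructuralErrors {
    param([Parameter(Mandatory)][string]$Text)
    $findings = New-Object 'System.Collections.Generic.List[string]'
    # Root-anchored (no leading whitespace) so a nested "version: 2" cannot satisfy
    # the check; accepts 2, "2", '2' and an optional trailing "# comment".
    $versionPattern    = '^version\s*:\s*["'']?2["'']?\s*(#.*)?$'
    $entryStartPattern = '^\s{2}-\s+package-ecosystem\s*:'
    $schedulePattern   = '^\s{4}schedule\s*:'
    $sawVersion = $false
    $inUpdates = $false
    $entryLine = 0            # line of the entry being scanned (0 = none yet)
    $entryHasSchedule = $false
    $lines = $Text -split '\r?\n'
    for ($i = 0; $i -lt $lines.Count; $i++) {
        $line = $lines[$i]
        $lineNumber = $i + 1
        # Blank and comment-only lines carry no structure.
        if (($line -match '^\s*$') -or ($line -match '^\s*#')) { continue }
        if (-not $inUpdates) {
            if ($line -match $versionPattern) { $sawVersion = $true; continue }
            if ($line -match '^updates\s*:') {
                $inUpdates = $true
                # Only reaching updates: without a root version: 2 fails DEP001;
                # other top-level keys (registries: etc.) are passed over silently.
                if (-not $sawVersion) {
                    $findings.Add("DEP001 line ${lineNumber}: 'version: 2' must appear at root level before 'updates:'")
                }
            }
            continue
        }
        # Inside updates: each "- package-ecosystem:" opens a new entry, so the
        # previous entry is judged for DEP005 at that point.
        if ($line -match $entryStartPattern) {
            if (($entryLine -gt 0) -and (-not $entryHasSchedule)) {
                $findings.Add("DEP005 line ${entryLine}: entry is missing a 'schedule:' block")
            }
            $entryLine = $lineNumber
            $entryHasSchedule = $false
            continue
        }
        if ($line -match $schedulePattern) { $entryHasSchedule = $true }
    }
    # The last entry has no successor to trigger its check.
    if (($entryLine -gt 0) -and (-not $entryHasSchedule)) {
        $findings.Add("DEP005 line ${entryLine}: entry is missing a 'schedule:' block")
    }
    if (-not $inUpdates) {
        $findings.Add("DEP007: no 'updates:' section found; a Dependabot v2 config needs at least one entry")
    }
    # Unary comma: without it an empty List[string] unrolls to $null in the
    # pipeline, and .Count then throws under Set-StrictMode.
    return , $findings
}

# Constructed fixtures (not the repository's files). $brokenConfig mirrors the
# shape of the invalid config described in the PR; $fixedConfig is the corrected form.
$brokenConfig = @'
version: 2
multi-ecosystem-groups:
  all-dependencies: {schedule: {interval: weekly}}
updates:
  - package-ecosystem: github-actions
    directory: "/"
    multi-ecosystem-group: all-dependencies
    patterns: ["*"]
'@
$nestedVersionConfig = @'
registries:
  example-registry:
    version: 2
updates:
  - package-ecosystem: npm
    schedule: {interval: weekly}
'@
$fixedConfig = @'
version: 2   # required by Dependabot v2
updates:
  - package-ecosystem: github-actions
    directory: "/"
    schedule: {interval: weekly}
    groups: {all-dependencies: {patterns: ["*"]}}
  - package-ecosystem: nuget
    directory: "/"
    schedule: {interval: weekly}
    groups: {all-dependencies: {patterns: ["*"]}}
  - package-ecosystem: npm
    directory: "/"
    schedule: {interval: weekly}
    groups: {all-dependencies: {patterns: ["*"]}}
'@
$fixtures = [ordered]@{
    broken        = $brokenConfig        # DEP005 case: the entry has no schedule:
    nestedVersion = $nestedVersionConfig # DEP001 case: version: 2 is not at root
    noUpdates     = 'version: 2'         # DEP007 case: no updates: section at all
    fixed         = $fixedConfig         # valid per-ecosystem grouped config
}
foreach ($name in $fixtures.Keys) {
    $findings = Get-DependabotStructuralErrors -Text $fixtures[$name]
    Write-Host ("{0}: {1} error(s)" -f $name, $findings.Count)
    foreach ($finding in $findings) { Write-Host "  $finding" }
}
```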


Copilot AI left a comment


Pull request overview

Updates Dependabot configuration to reduce PR noise by batching dependency updates into a weekly, cross-ecosystem grouped workflow (GitHub Actions, NuGet, npm).

Changes:

  • Adds a multi-ecosystem-groups section and assigns all update ecosystems to a single all-dependencies group.
  • Switches cadence from daily to weekly (intended via the new group schedule).
  • Broadens update matching with patterns: ["*"] for each ecosystem.

@wallstop (Owner, Author)

@copilot apply changes based on the comments in this thread

Can you parse through the feedback, determine if any of it is relevant, and if it is, provide a comprehensive implementation to address the identified issues and any similar issues? Consider automation, such as tests or githooks to help prevent this category of issue. Please add additional diagnostics to help understand the issue(s). Consider simplifying if there are too many overlapping concerns, too much complexity, or too much fragility. When changing files, make sure we abide by repo guidelines and rules. If there is any new knowledge learned, be sure to update llm info appropriately.

The goal is to understand why the issues are happening, understand the root caus(es), apply relevant fixes, and create infrastructure such that the entire category of issues can not be made again. I'm only interested in general, complete fixes. I want to avoid fragility and make these checks extremely robust and reliable.

If the feedback is relevant, when addressing it, consider the code base as a whole. Are there other files or code areas that this could apply to? If so, do a sweep of those to see if they exhibit similar issues, and if they do, apply similar, appropriate fixes. The idea is to prevent the entire concept and class of issue from happening in the future.

The goal is to understand why feedback is being given, understand the root cause of the feedback, apply relevant fixes, and create infrastructure such that the issues the feedback uncovered can not be made again. I'm only interested in general, complete fixes. I want to avoid fragility and make these checks extremely robust and reliable.

Feel free to do web searches to understand modern techniques, approaches, and best practices to this and any similar issues.

Please use sub-agents to accomplish these goals. Once a sub-agent is done, have another sub-agent review its work in an adversarial fashion. If there are any recommendations, have another sub-agent consider them and implement them. Repeat this process in a loop until all sub-agents achieve consensus that the result is incredibly high quality (110/100, exceptional work, absolutely zero issues, minor or otherwise) and does not require any revisions. I want 110% here, give it all you've got!

Copilot AI and others added 3 commits March 30, 2026 14:12
- Fix .github/dependabot.yml: remove invalid 'multi-ecosystem-groups'
  top-level key, remove invalid 'multi-ecosystem-group' per-entry keys,
  remove misplaced 'patterns:' at entry level, add missing 'schedule:'
  to each entry, add correct 'groups:' blocks with patterns inside each
  entry per Dependabot v2 spec

- Add scripts/lint-dependabot.ps1: validates dependabot.yml against the
  Dependabot v2 schema with error codes DEP001-DEP006 covering version
  check, invalid top-level keys, invalid per-entry keys, misplaced
  patterns, missing schedule, and groups missing patterns

- Add scripts/tests/test-lint-dependabot.ps1: 9 tests covering all error
  codes, valid configurations, and regression against the exact broken
  config that was previously shipped

- Add .github/workflows/dependabot-lint.yml: CI workflow that runs
  lint:dependabot on pull_request, push to main, and workflow_dispatch

- Wire lint:dependabot into validate:content npm script
- Wire test:lint-dependabot into validate:tests npm script
- Wire dependabot schema check into .githooks/pre-commit (section 8b)
- Add Unity .meta files for all new files

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Co-authored-by: wallstop <1045249+wallstop@users.noreply.github.com>
Fixes CodeQL alert for missing GITHUB_TOKEN permissions scope.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Co-authored-by: wallstop <1045249+wallstop@users.noreply.github.com>

Copilot AI commented Mar 30, 2026

@copilot apply changes based on the comments in this thread

Can you parse through the feedback, determine if any o...

All reviewer feedback was valid — here's what was done to address it comprehensively:

Root cause: The previous commit used three Dependabot v2 keys that don't exist in the spec (multi-ecosystem-groups, multi-ecosystem-group, patterns at the entry level) and accidentally dropped schedule: from all three entries.

Fixes applied (commit a9fa10b):

  1. .github/dependabot.yml — Replaced all invalid keys with the correct Dependabot v2 structure: schedule: {interval: weekly} restored on each entry, and groups: {all-dependencies: {patterns: ["*"]}} correctly nested inside each entry. (Cross-ecosystem grouping into a single PR is not supported by Dependabot v2; per-ecosystem grouping is.)

  2. scripts/lint-dependabot.ps1 — New validator with 6 error codes (DEP001–DEP006) that detects: missing version: 2, the two invalid key names, patterns: at the wrong nesting level, missing schedule: blocks, and groups: entries without patterns:.

  3. scripts/tests/test-lint-dependabot.ps1 — 9 tests covering every error code plus a regression test against the exact broken config we shipped. All pass.

  4. .github/workflows/dependabot-lint.yml — CI workflow matching the repo's PowerShell workflow pattern (shell: pwsh, paths: filter, permissions: contents: read at workflow level, test step before lint step — same as odin-undo-safety-lint.yml).

  5. package.json — lint:dependabot and test:lint-dependabot wired into validate:content and validate:tests respectively.

  6. .githooks/pre-commit — Section 8b runs the schema lint whenever dependabot.yml is staged.

  7. LLM docs updated — linter-reference.md, formatting-and-linting.md, and context.md all reflect the new command.

Copilot AI changed the title Group Dependabot updates into weekly multi-ecosystem PRs Group Dependabot updates into weekly per-ecosystem grouped PRs Mar 30, 2026
@wallstop wallstop requested a review from Copilot March 30, 2026 15:50

Copilot AI left a comment


Pull request overview

Copilot reviewed 12 out of 12 changed files in this pull request and generated 4 comments.

@wallstop (Owner, Author)

@copilot apply changes based on the comments in this thread

Can you parse through the feedback, determine if any of it is relevant, and if it is, provide a comprehensive implementation to address the identified issues and any similar issues? Consider automation, such as tests or githooks to help prevent this category of issue. Please add additional diagnostics to help understand the issue(s). Consider simplifying if there are too many overlapping concerns, too much complexity, or too much fragility. When changing files, make sure we abide by repo guidelines and rules. If there is any new knowledge learned, be sure to update llm info appropriately.

The goal is to understand why the issues are happening, understand the root caus(es), apply relevant fixes, and create infrastructure such that the entire category of issues can not be made again. I'm only interested in general, complete fixes. I want to avoid fragility and make these checks extremely robust and reliable.

If the feedback is relevant, when addressing it, consider the code base as a whole. Are there other files or code areas that this could apply to? If so, do a sweep of those to see if they exhibit similar issues, and if they do, apply similar, appropriate fixes. The idea is to prevent the entire concept and class of issue from happening in the future.

The goal is to understand why feedback is being given, understand the root cause of the feedback, apply relevant fixes, and create infrastructure such that the issues the feedback uncovered can not be made again. I'm only interested in general, complete fixes. I want to avoid fragility and make these checks extremely robust and reliable.

Feel free to do web searches to understand modern techniques, approaches, and best practices to this and any similar issues.

Please use sub-agents to accomplish these goals. Once a sub-agent is done, have another sub-agent review its work in an adversarial fashion. If there are any recommendations, have another sub-agent consider them and implement them. Repeat this process in a loop until all sub-agents achieve consensus that the result is incredibly high quality (110/100, exceptional work, absolutely zero issues, minor or otherwise) and does not require any revisions. I want 110% here, give it all you've got!

…orcement, comment fix, Write-Info usage

Agent-Logs-Url: https://github.com/wallstop/unity-helpers/sessions/d583012e-79f9-499c-ba1f-ae24458a02d2

Co-authored-by: wallstop <1045249+wallstop@users.noreply.github.com>

Copilot AI commented Mar 30, 2026

@copilot apply changes based on the comments in this thread

Can you parse through the feedback, determine if any o...

All four reviewer comments addressed in commit 38536b7:

  1. Multi-path support (Paths array validated in full): Refactored into a Get-DependabotErrors function. All provided paths are now validated and errors reported for each. New tests: Pass_MultipleValidFiles and Fail_MultipleFilesOneInvalid.

  2. Wrong comment fixed: "two levels up from scripts/" → "one level up from scripts/".

  3. DEP001 position enforcement: Now only scans lines before updates:. version: 2 placed after updates: triggers DEP001. Error message updated to match. Pattern tightened from '^[a-z]' to '^[a-z][a-z-]*\s*:' to only match actual YAML keys (not arbitrary content). Explicit parentheses added to all boolean conditions. New test: Fail_VersionAfterUpdates.

  4. Write-Info used: Called inside Invoke-LintOnContent and the new Invoke-LintOnTwoContents to log fixture paths when -VerboseOutput is active.

On the comma operator (return , $fileErrors): Kept with a 5-line explanatory comment. Empirically verified that return $list on an empty List[string] returns $null in PowerShell — which throws under Set-StrictMode -Version Latest when .Count is accessed — while return , $list correctly returns the list object with .Count = 0.

Test count: 9 → 12, all pass.


Copilot AI left a comment


Pull request overview

Copilot reviewed 12 out of 12 changed files in this pull request and generated 2 comments.

@wallstop (Owner, Author)

@copilot apply changes based on the comments in this thread

Can you parse through the feedback, determine if any of it is relevant, and if it is, provide a comprehensive implementation to address the identified issues and any similar issues? Consider automation, such as tests or githooks to help prevent this category of issue. Please add additional diagnostics to help understand the issue(s). Consider simplifying if there are too many overlapping concerns, too much complexity, or too much fragility. When changing files, make sure we abide by repo guidelines and rules. If there is any new knowledge learned, be sure to update llm info appropriately.

The goal is to understand why the issues are happening, understand the root caus(es), apply relevant fixes, and create infrastructure such that the entire category of issues can not be made again. I'm only interested in general, complete fixes. I want to avoid fragility and make these checks extremely robust and reliable.

If the feedback is relevant, when addressing it, consider the code base as a whole. Are there other files or code areas that this could apply to? If so, do a sweep of those to see if they exhibit similar issues, and if they do, apply similar, appropriate fixes. The idea is to prevent the entire concept and class of issue from happening in the future.

The goal is to understand why feedback is being given, understand the root cause of the feedback, apply relevant fixes, and create infrastructure such that the issues the feedback uncovered can not be made again. I'm only interested in general, complete fixes. I want to avoid fragility and make these checks extremely robust and reliable.

Feel free to do web searches to understand modern techniques, approaches, and best practices to this and any similar issues.

Please use sub-agents to accomplish these goals. Once a sub-agent is done, have another sub-agent review its work in an adversarial fashion. If there are any recommendations, have another sub-agent consider them and implement them. Repeat this process in a loop until all sub-agents achieve consensus that the result is incredibly high quality (110/100, exceptional work, absolutely zero issues, minor or otherwise) and does not require any revisions. I want 110% here, give it all you've got!


Copilot AI commented Mar 30, 2026

@copilot apply changes based on the comments in this thread

Can you parse through the feedback, determine if any o...

Both comments addressed in commit afb71bf:

  1. False DEP006 from comment lines (lines 162-170): Tightened the named-group detection from ^ [^\s] to ^\s{6}[A-Za-z0-9_.~-]+\s*: so only actual YAML keys are treated as group items. Blank lines and # comment lines inside the groups block are now explicitly skipped. New test: Pass_GroupsWithComments confirms no false DEP006 when comments are present inside a groups block.

  2. PS7-only ternary operator (line 272): Replaced exit ($totalErrors -gt 0 ? 1 : 0) with a PS5.1-compatible if/else. Also audited all other scripts invoked via the powershell fallback in the hooks — lint-dependabot.ps1 was the only one using the ternary.

Test count: 12 → 13. All 13 pass.

@wallstop wallstop requested a review from Copilot March 30, 2026 17:09

Copilot AI left a comment


Pull request overview

Copilot reviewed 12 out of 12 changed files in this pull request and generated 2 comments.

@wallstop (Owner, Author)

@copilot apply changes based on the comments in this thread

Can you parse through the feedback, determine if any of it is relevant, and if it is, provide a comprehensive implementation to address the identified issues and any similar issues? Consider automation, such as tests or githooks to help prevent this category of issue. Please add additional diagnostics to help understand the issue(s). Consider simplifying if there are too many overlapping concerns, too much complexity, or too much fragility. When changing files, make sure we abide by repo guidelines and rules. If there is any new knowledge learned, be sure to update llm info appropriately.

The goal is to understand why the issues are happening, understand the root caus(es), apply relevant fixes, and create infrastructure such that the entire category of issues can not be made again. I'm only interested in general, complete fixes. I want to avoid fragility and make these checks extremely robust and reliable.

If the feedback is relevant, when addressing it, consider the code base as a whole. Are there other files or code areas that this could apply to? If so, do a sweep of those to see if they exhibit similar issues, and if they do, apply similar, appropriate fixes. The idea is to prevent the entire concept and class of issue from happening in the future.

The goal is to understand why feedback is being given, understand the root cause of the feedback, apply relevant fixes, and create infrastructure such that the issues the feedback uncovered can not be made again. I'm only interested in general, complete fixes. I want to avoid fragility and make these checks extremely robust and reliable.

Feel free to do web searches to understand modern techniques, approaches, and best practices to this and any similar issues.

Please use sub-agents to accomplish these goals. Once a sub-agent is done, have another sub-agent review its work in an adversarial fashion. If there are any recommendations, have another sub-agent consider them and implement them. Repeat this process in a loop until all sub-agents achieve consensus that the result is incredibly high quality (110/100, exceptional work, absolutely zero issues, minor or otherwise) and does not require any revisions. I want 110% here, give it all you've got!

…vocations in try/catch

Agent-Logs-Url: https://github.com/wallstop/unity-helpers/sessions/bdbd4fa4-879e-4ac2-90d4-4280652bec04

Co-authored-by: wallstop <1045249+wallstop@users.noreply.github.com>

Copilot AI commented Mar 30, 2026

@copilot apply changes based on the comments in this thread

Can you parse through the feedback, determine if any o...

Both comments addressed in commit 87f936a:

  1. Groups-block state reset (lint-dependabot.ps1:195-202): $inGroupsItem, $groupsItemHasPatterns, and $groupsItemLineNumber are now unconditionally reset whenever the parser leaves the groups block, not just on the error path. This ensures subsequent sections always see clean state regardless of whether the previous group had patterns: or not.

  2. Per-test try/catch in helpers (test-lint-dependabot.ps1:76-101): Both Invoke-LintOnContent and Invoke-LintOnTwoContents now wrap the & $lintScriptPath call in try/catch. On exception, they return @{ ExitCode = -1; Output = "Exception invoking linter: $_" }, so the Write-TestResult call at each call site still runs and the suite summary/exit-code are always reported. This matches the pattern in test-lint-odin-undo-safety.ps1.

All 15 tests pass.


Copilot AI left a comment


Pull request overview

Copilot reviewed 12 out of 12 changed files in this pull request and generated 1 comment.

@wallstop (Owner, Author)

@copilot apply changes based on the comments in this thread

Can you parse through the feedback, determine if any of it is relevant, and if it is, provide a comprehensive implementation to address the identified issues and any similar issues? Consider automation, such as tests or githooks to help prevent this category of issue. Please add additional diagnostics to help understand the issue(s). Consider simplifying if there are too many overlapping concerns, too much complexity, or too much fragility. When changing files, make sure we abide by repo guidelines and rules. If there is any new knowledge learned, be sure to update llm info appropriately.

The goal is to understand why the issues are happening, understand the root caus(es), apply relevant fixes, and create infrastructure such that the entire category of issues can not be made again. I'm only interested in general, complete fixes. I want to avoid fragility and make these checks extremely robust and reliable.

If the feedback is relevant, when addressing it, consider the code base as a whole. Are there other files or code areas that this could apply to? If so, do a sweep of those to see if they exhibit similar issues, and if they do, apply similar, appropriate fixes. The idea is to prevent the entire concept and class of issue from happening in the future.

The goal is to understand why feedback is being given, understand the root cause of the feedback, apply relevant fixes, and create infrastructure such that the issues the feedback uncovered can not be made again. I'm only interested in general, complete fixes. I want to avoid fragility and make these checks extremely robust and reliable.

Feel free to do web searches to understand modern techniques, approaches, and best practices to this and any similar issues.

Please use sub-agents to accomplish these goals. Once a sub-agent is done, have another sub-agent review its work in an adversarial fashion. If there are any recommendations, have another sub-agent consider them and implement them. Repeat this process in a loop until all sub-agents achieve consensus that the result is incredibly high quality (110/100, exceptional work, absolutely zero issues, minor or otherwise) and does not require any revisions. I want 110% here, give it all you've got!

…values; add 3 tests

Agent-Logs-Url: https://github.com/wallstop/unity-helpers/sessions/366eca0e-533c-4bf8-96ba-5eaaf523432d

Co-authored-by: wallstop <1045249+wallstop@users.noreply.github.com>

Copilot AI commented Mar 30, 2026

@copilot apply changes based on the comments in this thread

Can you parse through the feedback, determine if any o...

Fixed in commit dbe5b4f.

The DEP001 version: regex was tightened to '^\s*version\s*:\s*["']?2["']?\s*(#.*)?$' (double-quote, single-quote, or unquoted 2, with optional trailing # … comment). Three new tests added: Pass_VersionWithTrailingComment, Pass_VersionQuoted (version: "2"), and Pass_VersionSingleQuoted (version: '2'). All 18 tests pass.


Copilot AI left a comment


Pull request overview

Copilot reviewed 12 out of 12 changed files in this pull request and generated 3 comments.

@wallstop (Owner, Author)

@copilot apply changes based on the comments in this thread

Can you parse through the feedback, determine if any of it is relevant, and if it is, provide a comprehensive implementation to address the identified issues and any similar issues? Consider automation, such as tests or githooks to help prevent this category of issue. Please add additional diagnostics to help understand the issue(s). Consider simplifying if there are too many overlapping concerns, too much complexity, or too much fragility. When changing files, make sure we abide by repo guidelines and rules. If there is any new knowledge learned, be sure to update llm info appropriately.

The goal is to understand why the issues are happening, understand the root caus(es), apply relevant fixes, and create infrastructure such that the entire category of issues can not be made again. I'm only interested in general, complete fixes. I want to avoid fragility and make these checks extremely robust and reliable.

If the feedback is relevant, when addressing it, consider the code base as a whole. Are there other files or code areas that this could apply to? If so, do a sweep of those to see if they exhibit similar issues, and if they do, apply similar, appropriate fixes. The idea is to prevent the entire concept and class of issue from happening in the future.

The goal is to understand why feedback is being given, understand the root cause of the feedback, apply relevant fixes, and create infrastructure such that the issues the feedback uncovered can not be made again. I'm only interested in general, complete fixes. I want to avoid fragility and make these checks extremely robust and reliable.

Feel free to do web searches to understand modern techniques, approaches, and best practices to this and any similar issues.

Please use sub-agents to accomplish these goals. Once a sub-agent is done, have another sub-agent review its work in an adversarial fashion. If there are any recommendations, have another sub-agent consider them and implement them. Repeat this process in a loop until all sub-agents achieve consensus that the result is incredibly high quality (110/100, exceptional work, absolutely zero issues, minor or otherwise) and does not require any revisions. I want 110% here, give it all you've got!


Copilot AI commented Mar 30, 2026

@copilot apply changes based on the comments in this thread

Can you parse through the feedback, determine if any o...

All three comments addressed in commit 09ef0d3:

  1. DEP001 root anchor — Regex changed from ^\s*version\s*: to ^version\s*: so a nested version: 2 (e.g. inside a registries: block) cannot satisfy DEP001. New test: Fail_NestedVersionDoesNotSatisfyDEP001.

  2. Missing updates: section — New DEP007 error: No "updates:" section found; a valid Dependabot v2 config must have at least one entry. Emitted when $inUpdates is never set to $true after scanning the whole file. New test: Fail_MissingUpdatesSection.

  3. Script + test documentation updated — DEP007 added to the error-code table in the script synopsis; test description updated with both new test cases.

Test count: 18 → 20. All pass.


Copilot AI left a comment


Pull request overview

Copilot reviewed 12 out of 12 changed files in this pull request and generated no new comments.

@wallstop wallstop merged commit f384b9e into main Mar 30, 2026
25 checks passed
@wallstop wallstop deleted the codex/update-dependabot-configuration-for-grouped-prs branch March 30, 2026 19:03