chore(deps): consolidate Dependabot config and enable devcontainer feature updates#5015
Merged
Conversation
… actions - Merge the two docker ecosystem entries into one via directories list - Add devcontainers ecosystem to update features in devcontainer.json - Group additional github-actions vendors (docker, codeql, reviewdog, gittools) Co-Authored-By: Claude Opus 4.8 <[email protected]>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates repository maintenance automation by consolidating Dependabot configuration and adding Dependabot support for Dev Container feature updates, alongside introducing a devcontainer lockfile for reproducible feature resolution.
Changes:
- Consolidates Docker Dependabot updates into a single entry spanning multiple directories and aligns labels/commit-message prefixes.
- Expands GitHub Actions grouping patterns to cover additional action vendors used across workflows.
- Adds Dev Container feature updating via Dependabot and introduces
devcontainer-lock.jsonwhile unpinning feature tags indevcontainer.json.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 12 comments.
| File | Description |
|---|---|
.github/dependabot.yml |
Consolidates Docker updates, expands GitHub Actions grouping, and adds devcontainers ecosystem updates. |
.devcontainer/devcontainer.json |
Unpins Dev Container feature tags to rely on lockfile-driven version resolution. |
.devcontainer/devcontainer-lock.json |
Adds a lockfile pinning feature versions/digests for reproducible Dev Container builds and updates. |
Unpin feature tags and add devcontainer-lock.json with resolved versions and digests, required for the devcontainers Dependabot ecosystem. Co-Authored-By: Claude Opus 4.8 <[email protected]>
f5be065 to
bc9e255
Compare
|
Contributor
|
Thank you @arturcic for your contribution! |
This was referenced Jul 3, 2026
This was referenced Jul 6, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.



What
Consolidates the Dependabot configuration and wires up automated updates for devcontainer features.
.github/dependabot.ymldockerecosystem entries into one using adirectories:list (/.devcontainer,/build/docker) — they had identical daily schedules. Also added thelabels/commit-messageprefix the other ecosystems already carry.devcontainersecosystem so thefeatures:indevcontainer.json(ghcr.io/devcontainers/features/*,eitsupi/...) get updated. The existingdockerentry only bumped theFROMin the Dockerfile.actions/*, now alsodocker/*,github/codeql-action/*,reviewdog/*, andgittools/*, based on the actions actually used across the workflows. Single-use actions (harden-runner, scorecard, codecov, etc.) are left ungrouped intentionally so they stay easy to review..devcontainer/devcontainer-lock.jsonwith resolved versions + digests and unpin the feature tags — required for thedevcontainersDependabot ecosystem to track and bump features.Note
The unpinned feature tags rely on
devcontainer-lock.jsonfor version resolution. Worth rebuilding the devcontainer once to confirm features still resolve as expected.🤖 Generated with Claude Code