Skip to content

chore(deps): consolidate Dependabot config and enable devcontainer feature updates#5015

Merged
arturcic merged 2 commits into
mainfrom
chore/dependabot-consolidate
Jul 2, 2026
Merged

chore(deps): consolidate Dependabot config and enable devcontainer feature updates#5015
arturcic merged 2 commits into
mainfrom
chore/dependabot-consolidate

Conversation

@arturcic

@arturcic arturcic commented Jul 2, 2026

Copy link
Copy Markdown
Member

What

Consolidates the Dependabot configuration and wires up automated updates for devcontainer features.

.github/dependabot.yml

  • Merge the two docker ecosystem entries into one using a directories: list (/.devcontainer, /build/docker) — they had identical daily schedules. Also added the labels/commit-message prefix the other ecosystems already carry.
  • Add a devcontainers ecosystem so the features: in devcontainer.json (ghcr.io/devcontainers/features/*, eitsupi/...) get updated. The existing docker entry only bumped the FROM in the Dockerfile.
  • Group more github-actions vendors — beyond actions/*, now also docker/*, github/codeql-action/*, reviewdog/*, and gittools/*, based on the actions actually used across the workflows. Single-use actions (harden-runner, scorecard, codecov, etc.) are left ungrouped intentionally so they stay easy to review.

.devcontainer/

  • Add devcontainer-lock.json with resolved versions + digests and unpin the feature tags — required for the devcontainers Dependabot ecosystem to track and bump features.

Note

The unpinned feature tags rely on devcontainer-lock.json for version resolution. Worth rebuilding the devcontainer once to confirm features still resolve as expected.

🤖 Generated with Claude Code

… actions

- Merge the two docker ecosystem entries into one via directories list
- Add devcontainers ecosystem to update features in devcontainer.json
- Group additional github-actions vendors (docker, codeql, reviewdog, gittools)

Co-Authored-By: Claude Opus 4.8 <[email protected]>
Copilot AI review requested due to automatic review settings July 2, 2026 13:59

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates repository maintenance automation by consolidating Dependabot configuration and adding Dependabot support for Dev Container feature updates, alongside introducing a devcontainer lockfile for reproducible feature resolution.

Changes:

  • Consolidates Docker Dependabot updates into a single entry spanning multiple directories and aligns labels/commit-message prefixes.
  • Expands GitHub Actions grouping patterns to cover additional action vendors used across workflows.
  • Adds Dev Container feature updating via Dependabot and introduces devcontainer-lock.json while unpinning feature tags in devcontainer.json.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 12 comments.

File Description
.github/dependabot.yml Consolidates Docker updates, expands GitHub Actions grouping, and adds devcontainers ecosystem updates.
.devcontainer/devcontainer.json Unpins Dev Container feature tags to rely on lockfile-driven version resolution.
.devcontainer/devcontainer-lock.json Adds a lockfile pinning feature versions/digests for reproducible Dev Container builds and updates.

Comment thread .devcontainer/devcontainer.json Outdated
Comment thread .devcontainer/devcontainer.json Outdated
Comment thread .devcontainer/devcontainer.json Outdated
Comment thread .devcontainer/devcontainer.json Outdated
Comment thread .devcontainer/devcontainer.json Outdated
Comment thread .devcontainer/devcontainer-lock.json Outdated
Comment thread .devcontainer/devcontainer-lock.json Outdated
Comment thread .devcontainer/devcontainer-lock.json Outdated
Comment thread .devcontainer/devcontainer-lock.json Outdated
Comment thread .devcontainer/devcontainer-lock.json Outdated
Unpin feature tags and add devcontainer-lock.json with resolved
versions and digests, required for the devcontainers Dependabot ecosystem.

Co-Authored-By: Claude Opus 4.8 <[email protected]>
@arturcic arturcic force-pushed the chore/dependabot-consolidate branch from f5be065 to bc9e255 Compare July 2, 2026 14:13
@arturcic arturcic requested a review from Copilot July 2, 2026 14:13
@sonarqubecloud

sonarqubecloud Bot commented Jul 2, 2026

Copy link
Copy Markdown

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

Comment thread .github/dependabot.yml
@arturcic arturcic added this to the 6.x milestone Jul 2, 2026
@arturcic arturcic added the dependencies Pull requests that update a dependency file label Jul 2, 2026
@arturcic arturcic merged commit 7522d5a into main Jul 2, 2026
123 checks passed
@arturcic arturcic deleted the chore/dependabot-consolidate branch July 2, 2026 14:42
@mergify

mergify Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Thank you @arturcic for your contribution!

This was referenced Jul 6, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants