ci(dependabot): declare only ecosystems consumers have; make extras opt-in #166
…pt-in go-app drops npm + devcontainers (kept: gomod, github-actions, docker). go-lib drops docker (kept: gomod, github-actions). Consumers that lack a manifest for a declared ecosystem fail their Dependabot run with dependency_file_not_found. Repos that genuinely have package.json / Dockerfile / devcontainer opt back in via their own dependabot.yml + an intentional-drift entry (documented in each template header). Signed-off-by: Sebastian Mendel <github@sebastianmendel.de>
Code Review
This pull request refactors the Dependabot configurations for both the go-app and go-lib templates. It removes optional package ecosystems (npm and devcontainers for go-app, and docker for go-lib) from the active updates list and documents them as commented-out opt-in examples instead. This prevents Dependabot runs from failing when the corresponding manifest files are not present. The reviewer suggests using block style instead of flow style (inline JSON-like syntax) for these commented-out configuration examples to improve readability and maintain consistency with the rest of the YAML files.
Pull request overview
This PR updates the Dependabot templates for go-app and go-lib to only declare package ecosystems that each consumer repo is guaranteed to have, preventing dependency_file_not_found failures in scheduled Dependabot runs across the fleet.
Changes:
- `go-lib` template now declares only `gomod` and `github-actions` updates by default (removes `docker`).
- `go-app` template now declares only `gomod`, `github-actions`, and `docker` updates by default (removes `npm` and `devcontainers`).
- Adds clear header documentation explaining why “extra” ecosystems are opt-in and how to use `intentional-drift` to manage repo-specific additions.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| templates/go-lib/.github/dependabot.yml | Removes default docker updates and documents opt-in procedure to avoid missing-manifest failures. |
| templates/go-app/.github/dependabot.yml | Removes default npm and devcontainers updates, keeping only guaranteed ecosystems and documenting opt-in procedure. |
Multi-line block style is easier for consumers to uncomment and edit than inline flow style. Comments only; no change to active config. Signed-off-by: Sebastian Mendel <github@sebastianmendel.de>
Follow-up to netresearch/.github#166, which trimmed the `go-app` template's dependabot.yml to the universally-present ecosystems (gomod, github-actions, docker). This repo has a package.json (bun/TypeScript frontend), so it keeps the `npm` ecosystem by self-managing `.github/dependabot.yml` and listing it under `intentional-drift:` in `.github/template.yaml`. Also drops the ecosystem this repo has no manifest for (was failing Dependabot with `dependency_file_not_found`). Core blocks (gomod/github-actions/docker) stay in step with the template manually.

## Test plan

- [ ] After merge: `event=dynamic` Dependabot runs go green (no `dependency_file_not_found`).

Follow-up to netresearch/.github#166, which trimmed the `go-app` template's dependabot.yml to the universally-present ecosystems (gomod, github-actions, docker). This repo has a .devcontainer, so it keeps the `devcontainers` ecosystem by self-managing `.github/dependabot.yml` and listing it under `intentional-drift:` in `.github/template.yaml`. Also drops the ecosystem this repo has no manifest for (was failing Dependabot with `dependency_file_not_found`). Core blocks (gomod/github-actions/docker) stay in step with the template manually.

## Test plan

- [ ] After merge: `event=dynamic` Dependabot runs go green (no `dependency_file_not_found`).



Several consumers fail their weekly Dependabot runs with `dependency_file_not_found` because the templates declare ecosystems the repo has no manifest for. (Surfaced when the `cooldown` sync PRs merged and triggered immediate re-runs — the `cooldown` change itself is valid and unrelated.)

## Manifest reality across the fleet

Failing runs observed: npm in ofelia/ldap-manager/raybeam (no `package.json`), devcontainers in raybeam (no devcontainer), docker in simple-ldap-go (no `Dockerfile`).

## Change

- `gomod + github-actions + docker` (all go-app repos ship a Dockerfile). Drops `npm` + `devcontainers`.
- `gomod + github-actions`. Drops `docker` (libraries have no Dockerfile).
- `cooldown: default-days: 7` preserved on every remaining ecosystem.
- `intentional-drift` procedure for repos that genuinely have the extra manifest.

## Follow-up after this merges (consumer side)

Opt-ins (preserve currently-working coverage — add the ecosystem to the repo dependabot.yml + list `.github/dependabot.yml` under `intentional-drift:`):

- `ldap-selfservice-password-changer` → npm
- `ldap-manager` → devcontainers
- `ofelia` → devcontainers

Plain re-sync drops the dead ecosystems (no opt-in needed):

- `raybeam` (npm + devcontainers), `simple-ldap-go` (docker), `go-cron` (docker already absent)

## Test plan

- `event=dynamic` Dependabot runs go green (no `dependency_file_not_found`).
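
A pre-merge check for the failure mode described above, as an added example (not code from this PR or from the netresearch templates): it lists the ecosystems that `.github/dependabot.yml` actively declares but the checkout has no manifest for, ignoring commented-out opt-in blocks. The manifest table, the block-style entries at directory `/`, and the sample repo are simplifying assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Simplified manifest globs per ecosystem (assumption, not Dependabot's full lookup rules).
MANIFESTS = {
    "gomod": ["go.mod"],
    "npm": ["package.json"],
    "docker": ["Dockerfile", "Dockerfile.*"],
    "devcontainers": [".devcontainer.json", ".devcontainer/devcontainer.json"],
    "github-actions": [".github/workflows/*.yml", ".github/workflows/*.yaml"],
}
# Matches active block-style entries only; "# - package-ecosystem: ..." does not match.
ENTRY = re.compile(r"""^\s*-\s*package-ecosystem:\s*["']?([\w-]+)""")

# Constructed sample: docker is declared, npm is only a commented-out opt-in.
SAMPLE = """\
version: 2
updates:
  - package-ecosystem: gomod
    directory: "/"
  - package-ecosystem: github-actions
    directory: "/"
  - package-ecosystem: docker
    directory: "/"
  # - package-ecosystem: npm
  #   directory: "/"
"""

def declared_ecosystems(config_text):
    """Ecosystems of active update entries (every entry assumed at directory "/")."""
    return [m.group(1) for line in config_text.splitlines()
            if (m := ENTRY.match(line))]

def missing_manifests(repo_root):
    """Declared ecosystems for which no manifest exists under repo_root."""
    root = Path(repo_root)
    config = (root / ".github" / "dependabot.yml").read_text()
    return [eco for eco in declared_ecosystems(config)
            if eco in MANIFESTS and not any(any(root.glob(p)) for p in MANIFESTS[eco])]

def demo():
    """Constructed library-style repo: go.mod and a workflow, but no Dockerfile."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / ".github" / "workflows").mkdir(parents=True)
        (root / ".github" / "workflows" / "ci.yml").write_text("name: ci\n")
        (root / ".github" / "dependabot.yml").write_text(SAMPLE)
        (root / "go.mod").write_text("module example.test/lib\n")
        return missing_manifests(root)
```

Run against a consumer checkout after a template sync, a non-empty result from `missing_manifests` names the entries to drop or to back with a manifest before the next scheduled run.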