From 1184be4df5ce0ee2668789d02587e00e63ed9fb8 Mon Sep 17 00:00:00 2001 From: Sebastian Mendel Date: Wed, 3 Jun 2026 11:35:34 +0200 Subject: [PATCH 1/2] ci(dependabot): declare only ecosystems consumers have; make extras opt-in go-app drops npm + devcontainers (kept: gomod, github-actions, docker). go-lib drops docker (kept: gomod, github-actions). Consumers that lack a manifest for a declared ecosystem fail their Dependabot run with dependency_file_not_found. Repos that genuinely have package.json / Dockerfile / devcontainer opt back in via their own dependabot.yml + an intentional-drift entry (documented in each template header). Signed-off-by: Sebastian Mendel --- templates/go-app/.github/dependabot.yml | 49 +++++++++++++------------ templates/go-lib/.github/dependabot.yml | 29 +++++++++------ 2 files changed, 42 insertions(+), 36 deletions(-) diff --git a/templates/go-app/.github/dependabot.yml b/templates/go-app/.github/dependabot.yml index 9f5d682..461f857 100644 --- a/templates/go-app/.github/dependabot.yml +++ b/templates/go-app/.github/dependabot.yml @@ -1,3 +1,28 @@ +# Managed by netresearch/.github/templates/go-app/ +# +# Declares only the ecosystems every go-app consumer is guaranteed to have: +# gomod, github-actions, and docker (all go-app repos ship a Dockerfile). +# +# npm and devcontainers are OPT-IN: a repo that actually has a package.json +# or a devcontainer adds the block below to its own dependabot.yml and lists +# `.github/dependabot.yml` under `intentional-drift:` in .github/template.yaml +# so the template sync stops managing the file. Declaring an ecosystem without +# its manifest makes the Dependabot run fail with `dependency_file_not_found`. +# +# Opt-in npm: +# - package-ecosystem: npm +# directory: / +# schedule: { interval: weekly, day: monday } +# open-pull-requests-limit: 5 +# groups: { npm: { patterns: ['*'] } } +# cooldown: { default-days: 7 } +# Opt-in devcontainers: +# - package-ecosystem: devcontainers +# directory: / +# schedule: { interval: weekly, day: monday } +# open-pull-requests-limit: 2 +# groups: { devcontainers: { patterns: ['*'] } } +# cooldown: { default-days: 7 } version: 2 updates: - package-ecosystem: gomod @@ -35,27 +60,3 @@ updates: patterns: ['*'] cooldown: default-days: 7 - - - package-ecosystem: npm - directory: / - schedule: - interval: weekly - day: monday - open-pull-requests-limit: 5 - groups: - npm: - patterns: ['*'] - cooldown: - default-days: 7 - - - package-ecosystem: devcontainers - directory: / - schedule: - interval: weekly - day: monday - open-pull-requests-limit: 2 - groups: - devcontainers: - patterns: ['*'] - cooldown: - default-days: 7 diff --git a/templates/go-lib/.github/dependabot.yml b/templates/go-lib/.github/dependabot.yml index 7e68e9f..e8badea 100644 --- a/templates/go-lib/.github/dependabot.yml +++ b/templates/go-lib/.github/dependabot.yml @@ -1,3 +1,20 @@ +# Managed by netresearch/.github/templates/go-lib/ +# +# Declares only the ecosystems every go-lib consumer is guaranteed to have: +# gomod and github-actions. Libraries don't ship a Dockerfile, so docker is +# NOT declared by default — declaring an ecosystem without its manifest makes +# the Dependabot run fail with `dependency_file_not_found`. +# +# docker (or npm/devcontainers) is OPT-IN: a library that genuinely has the +# manifest adds the block to its own dependabot.yml and lists +# `.github/dependabot.yml` under `intentional-drift:` in .github/template.yaml +# so the template sync stops managing the file. Example: +# - package-ecosystem: docker +# directory: / +# schedule: { interval: weekly, day: monday } +# open-pull-requests-limit: 3 +# groups: { docker: { patterns: ['*'] } } +# cooldown: { default-days: 7 } version: 2 updates: - package-ecosystem: gomod @@ -23,15 +40,3 @@ updates: patterns: ['*'] cooldown: default-days: 7 - - - package-ecosystem: docker - directory: / - schedule: - interval: weekly - day: monday - open-pull-requests-limit: 3 - groups: - docker: - patterns: ['*'] - cooldown: - default-days: 7 From 7eae2c1496f4a481db724f1db80c09c782155a16 Mon Sep 17 00:00:00 2001 From: Sebastian Mendel Date: Wed, 3 Jun 2026 11:53:53 +0200 Subject: [PATCH 2/2] ci(dependabot): use block style for commented opt-in examples Multi-line block style is easier for consumers to uncomment and edit than inline flow style. Comments only; no change to active config. Signed-off-by: Sebastian Mendel --- templates/go-app/.github/dependabot.yml | 22 ++++++++++++++++------ templates/go-lib/.github/dependabot.yml | 11 ++++++++--- 2 files changed, 24 insertions(+), 9 deletions(-) diff --git a/templates/go-app/.github/dependabot.yml b/templates/go-app/.github/dependabot.yml index 461f857..f1dc4cc 100644 --- a/templates/go-app/.github/dependabot.yml +++ b/templates/go-app/.github/dependabot.yml @@ -12,17 +12,27 @@ # Opt-in npm: # - package-ecosystem: npm # directory: / -# schedule: { interval: weekly, day: monday } +# schedule: +# interval: weekly +# day: monday # open-pull-requests-limit: 5 -# groups: { npm: { patterns: ['*'] } } -# cooldown: { default-days: 7 } +# groups: +# npm: +# patterns: ['*'] +# cooldown: +# default-days: 7 # Opt-in devcontainers: # - package-ecosystem: devcontainers # directory: / -# schedule: { interval: weekly, day: monday } +# schedule: +# interval: weekly +# day: monday # open-pull-requests-limit: 2 -# groups: { devcontainers: { patterns: ['*'] } } -# cooldown: { default-days: 7 } +# groups: +# devcontainers: +# patterns: ['*'] +# cooldown: +# default-days: 7 version: 2 updates: - package-ecosystem: gomod diff --git a/templates/go-lib/.github/dependabot.yml b/templates/go-lib/.github/dependabot.yml index e8badea..36113e8 100644 --- a/templates/go-lib/.github/dependabot.yml +++ b/templates/go-lib/.github/dependabot.yml @@ -11,10 +11,15 @@ # so the template sync stops managing the file. Example: # - package-ecosystem: docker # directory: / -# schedule: { interval: weekly, day: monday } +# schedule: +# interval: weekly +# day: monday # open-pull-requests-limit: 3 -# groups: { docker: { patterns: ['*'] } } -# cooldown: { default-days: 7 } +# groups: +# docker: +# patterns: ['*'] +# cooldown: +# default-days: 7 version: 2 updates: - package-ecosystem: gomod