ci(dependabot): self-manage config, opt-in devcontainers ecosystem #606
The go-app template was trimmed to gomod/github-actions/docker (netresearch/.github#166) because not all consumers have npm/devcontainers manifests. This repo does, so it keeps the devcontainers block and marks .github/dependabot.yml as intentional-drift to self-manage it.

Signed-off-by: Sebastian Mendel <github@sebastianmendel.de>
Dependency Review: ✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found. Scanned files: None
Code Review
This pull request updates the repository's configuration to self-manage the Dependabot settings, marking .github/dependabot.yml as an intentional drift in .github/template.yaml. Specifically, it adds explanatory comments regarding this drift, removes the npm package ecosystem from Dependabot updates, and retains the devcontainers ecosystem. There are no review comments, and I have no feedback to provide.
Automated approval for maintainer PR
All automated quality gates passed. See SECURITY_CONTROLS.md for compensating controls.
Pull request overview
This PR updates the repository’s template-drift configuration so it can self-manage its Dependabot configuration: keeping the core ecosystems aligned with the shared go-app template while opting into devcontainers updates because this repo includes a .devcontainer/.
Changes:
- Adds `.github/dependabot.yml` to `.github/template.yaml` `intentional-drift` so template sync doesn’t overwrite it.
- Updates `.github/dependabot.yml` to remove the `npm` ecosystem (no `package.json` present) and retain `devcontainers` alongside the core ecosystems.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| `.github/template.yaml` | Marks `.github/dependabot.yml` as intentional drift so the repo can manage Dependabot config independently. |
| `.github/dependabot.yml` | Drops npm updates (no manifest) and keeps devcontainers updates enabled in addition to core ecosystems. |
Codecov Report: ✅ All modified and coverable lines are covered by tests.

```
@@ Coverage Diff @@
## main #606 +/- ##
=======================================
Coverage 69.94% 69.94%
=======================================
Files 34 34
Lines 3437 3437
=======================================
Hits 2404 2404
Misses 873 873
Partials 160 160
```
Follow-up to netresearch/.github#166, which trimmed the `go-app` template's dependabot.yml to the universally-present ecosystems (gomod, github-actions, docker). This repo has a .devcontainer, so it keeps the `devcontainers` ecosystem by self-managing `.github/dependabot.yml` and listing it under `intentional-drift:` in `.github/template.yaml`.

Also drops the ecosystem this repo has no manifest for (was failing Dependabot with `dependency_file_not_found`). Core blocks (gomod/github-actions/docker) stay in step with the template manually.

Test plan

- `event=dynamic` Dependabot runs go green (no `dependency_file_not_found`).
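A pre-merge check for the failure described in this PR (an ecosystem declared in `dependabot.yml` with no manifest behind it, which Dependabot reports as `dependency_file_not_found`), as an added example that is not part of this PR or the project's code. The manifest patterns and the sample config are assumptions made for the example, and the line-based parser assumes `package-ecosystem` is the first key of each `updates` entry.

```python
import re
from pathlib import Path

# Simplified manifest globs per ecosystem, relative to the entry's directory
# (assumption for this example; Dependabot itself accepts more layouts).
MANIFESTS = {
    "gomod": ["go.mod"],
    "npm": ["package.json"],
    "docker": ["Dockerfile", "Dockerfile.*", "*.dockerfile"],
    "devcontainers": [".devcontainer/devcontainer.json", ".devcontainer.json",
                      ".devcontainer/*/devcontainer.json"],
    "github-actions": [".github/workflows/*.yml", ".github/workflows/*.yaml"],
}
# Constructed sample config, not the repository's real file.
SAMPLE = """\
version: 2
updates:
  - package-ecosystem: "gomod"
    directory: "/"
  - package-ecosystem: "npm"
    directory: "/"
  - package-ecosystem: "devcontainers"
    directory: "/"
"""
ENTRY = re.compile(r'^\s*-?\s*(package-ecosystem|directory)\s*:\s*["\']?([^"\'#\s]+)')

def declared_updates(config_text):
    """Return (ecosystem, directory) pairs found in a dependabot.yml."""
    updates = []
    for line in config_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "package-ecosystem":
            updates.append([value, "/"])   # directory defaults to repo root here
        elif updates:
            updates[-1][1] = value         # directory of the current entry
    return [tuple(u) for u in updates]

def missing_manifests(repo_root, config_text):
    """List declared ecosystems whose directory holds no expected manifest."""
    missing = []
    for ecosystem, directory in declared_updates(config_text):
        base = Path(repo_root) / directory.strip("/")
        patterns = MANIFESTS.get(ecosystem, [])  # unknown ecosystems are skipped
        if patterns and not any(any(base.glob(p)) for p in patterns):
            missing.append((ecosystem, directory))
    return missing
```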