Skip to content

ci: align dependabot config with harness-sdk conventions#57

Open
yonib05 wants to merge 2 commits into
strands-agents:mainfrom
yonib05:dependabot-align
Open

ci: align dependabot config with harness-sdk conventions#57
yonib05 wants to merge 2 commits into
strands-agents:mainfrom
yonib05:dependabot-align

Conversation

@yonib05

@yonib05 yonib05 commented Jul 9, 2026

Copy link
Copy Markdown
Member

Description

Shell already had the cooldown scheme; this brings the rest in line with harness-sdk and fixes two silent misconfigurations:

  • Cargo grouping never worked. dependency-type grouping is not supported for the cargo ecosystem, so the development/production groups never matched and every Rust bump opened its own PR (see the recent PR list: all individual). Replaced with a pattern-based minor/patch group; majors stay individual and wait out the 30-day cooldown.
  • Pip grouping barely worked. Dependabot does not classify PEP 621 pyproject dependencies as development vs production; the group only matched literal pytest/maturin. Now dev tooling groups by pattern and everything else gets a minor/patch group.
  • Weekly schedule instead of daily: the cooldown already delays PRs by days, so daily polling adds noise without surfacing updates sooner.
  • npm section renamed to the org convention: ci(typescript) prefix and typescript label (was ci(node)/node; the node label didn't exist in this repo so it was silently dropped). Added versioning-strategy: increase-if-necessary for pip and npm to match harness-sdk; cargo doesn't support the option.
  • Actions majors are no longer grouped with minors, so a workflow-breaking major arrives as its own reviewable PR.

Also created the missing python/typescript/rust labels in the repo so Dependabot's label config resolves.

Related Issues

N/A

Documentation PR

N/A

Type of Change

Other: CI/dependency-management configuration

Testing

YAML validated with a parser; config mirrors the scheme already running in harness-sdk.

  • I ran the relevant test suites for the bindings I touched (not applicable, config-only change)
  • If I touched Rust, I ran cargo fmt and cargo clippy (not applicable)

Checklist

  • I have read the CONTRIBUTING document
  • I have reviewed and understand every line of code in this PR, including any generated by AI tools, and I can explain why it works

Move to the shared scheme: weekly schedule, pattern-based groups for
cargo and pip (dependency-type grouping is unsupported for cargo and
never matches PEP 621 pip deps, so every bump was opening its own PR),
increase-if-necessary for pip/npm, ci(typescript) prefix and typescript
label for npm to match the org convention, and ungrouped actions majors
so workflow-breaking bumps get individual review.
@yonib05 yonib05 force-pushed the dependabot-align branch from 24241c4 to 46ff161 Compare July 9, 2026 23:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant