Skip to content

Commit 134dfb8

Browse files
turbomamclaude
andauthored
Dependabot: manage Python deps via uv ecosystem; retire broken uv-upgrade bot (closes #416) (#496)
* Dependabot: cover Python deps (uv); retire the broken uv-upgrade bot dependabot.yml only watched github-actions, so Python dependencies were unmanaged by Dependabot. The home-grown uv-upgrade.yml bot filled that gap but its PRs can never trigger CI (GITHUB_TOKEN-opened PRs don't fire workflows), so branch protection blocked them indefinitely (#416). Add the `uv` package-ecosystem to dependabot.yml (grouped into one PR) and remove uv-upgrade.yml. Dependabot-opened PRs run CI normally and it manages uv.lock natively. Closes #416. GitHub-settings security is already on (Dependabot alerts + security updates, secret scanning, push protection); this fills the version-update gap. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * Fix dependabot.yml comment to match grouped behavior The python-deps group batches all updates into one PR; the comment incorrectly said per-dependency PRs (Copilot review). Grouping is intended (mirrors the old bulk uv-upgrade, less noise). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
1 parent 1431939 commit 134dfb8

2 files changed

Lines changed: 18 additions & 35 deletions

File tree

.github/dependabot.yml

Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,25 @@
11
version: 2
22
updates:
3+
# GitHub Actions workflow dependencies
34
- package-ecosystem: "github-actions"
45
directory: "/"
56
schedule:
67
interval: "weekly"
78
open-pull-requests-limit: 5
9+
10+
# Python dependencies (uv / pyproject.toml + uv.lock).
11+
# Replaces the home-grown uv-upgrade.yml bot, whose PRs could never trigger
12+
# the required CI checks (GITHUB_TOKEN-opened PRs do not fire workflows), so
13+
# branch protection blocked them forever (#416). Dependabot-opened PRs do run
14+
# CI. The `python-deps` group batches all Python updates into a single weekly
15+
# PR (mirroring the old bot's bulk `uv lock --upgrade`, with less PR noise
16+
# than per-dependency PRs).
17+
- package-ecosystem: "uv"
18+
directory: "/"
19+
schedule:
20+
interval: "weekly"
21+
open-pull-requests-limit: 5
22+
groups:
23+
python-deps:
24+
patterns:
25+
- "*"

.github/workflows/uv-upgrade.yml

Lines changed: 0 additions & 35 deletions
This file was deleted.

0 commit comments

Comments
 (0)