Add Dependabot Configuration for Automated Dependency Updates #23 (Draft)

tarun-etikala wants to merge 1 commit into red-hat-data-services:main from tarun-e:feature/dependabot-config

Conversation

@tarun-etikala
Contributor

This PR adds Dependabot configuration to automatically monitor and update dependencies in the repository. This will help keep the project secure and up-to-date by creating automated pull requests when newer versions of dependencies are available.

Changes:

  • Added .github/dependabot.yml configuration file

Configured automated updates for:

  1. GitHub Actions: Weekly checks for workflow action updates

  2. Python packages: Weekly checks for Python dependencies in the /examples directory

GitHub Actions Updates

  • Monitors all workflow files in .github/workflows/
  • Weekly schedule for checking new versions
  • Auto-labels PRs with dependencies and github-actions

Python Dependencies Updates

  • Monitors requirements.txt and similar files in /examples
  • Weekly schedule for checking new versions
  • Auto-labels PRs with dependencies and python

Notes
Dependabot will start creating PRs after this configuration is merged. The Mergify configuration (already in place) will automatically approve and merge minor/patch version updates that pass all checks.

@jiridanek
Member

@coderabbitai full review

@coderabbitai

coderabbitai Bot commented Mar 12, 2026

✅ Actions performed

Full review triggered.

@coderabbitai

coderabbitai Bot commented Mar 12, 2026

Walkthrough

Adds a Dependabot configuration file to automate dependency updates for GitHub Actions and Python packages in the examples directory on a weekly schedule with appropriate labels.

Changes

  • Dependabot Configuration (.github/dependabot.yml): Adds configuration for GitHub Actions and Python dependency updates with weekly schedules and respective labels ("github-actions" and "python").

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Pre-merge checks: 3 passed

  • Title check: Passed. The title accurately summarizes the main change: adding Dependabot configuration for automated dependency updates, which matches the PR's primary objective.
  • Description check: Passed. The description is well-related to the changeset, providing clear context about the Dependabot configuration, explaining what was added, and detailing the automated update streams for both GitHub Actions and Python dependencies.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/dependabot.yml:
- Around line 13-19: The Dependabot pip entry uses package-ecosystem: "pip" with
a single directory: "/examples", which won't discover Python manifests nested in
subfolders; replace the single directory entry by adding separate dependabot
entries (each with package-ecosystem: "pip") for every subdirectory that
contains a Python manifest (the nested pyproject.toml / requirements.txt
locations) so Dependabot will scan them individually, or alternatively
consolidate the manifests to the specified directory and update the existing
directory value; update the dependabot.yml by duplicating the pip block per
manifest directory or by changing the directory to the consolidated root as
appropriate.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 9b857cb6-b0b0-4bee-b886-2df230f87504

📥 Commits

Reviewing files that changed from the base of the PR and between d3ba4bd and 81835ea.

📒 Files selected for processing (1)
  • .github/dependabot.yml

Comment thread .github/dependabot.yml
Comment on lines +13 to +19
- package-ecosystem: "pip"
directory: "/examples"
schedule:
interval: "weekly"
labels:
- "dependencies"
- "python"
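Review bot: `directory: "/examples"` on this pip entry is looked up non-recursively, so manifests that live in subfolders (the review lists examples/llmcompressor/requirements.txt and examples/knowledge-tuning/01_Base_Model_Evaluation/pyproject.toml) are never scanned and the entry would quietly open no update PRs at all. Either duplicate the block once per manifest directory, or replace `directory:` with the `directories:` key the analysis script mentions, e.g. `directories: ["/examples/knowledge-tuning/*", "/examples/llmcompressor"]`, and confirm after merge that Dependabot's first run actually reports those manifests.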

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

python - <<'PY'
from pathlib import Path

root = Path("examples")
patterns = [
    "requirements*.txt",
    "requirements*.in",
    "pyproject.toml",
    "setup.py",
    "setup.cfg",
    "Pipfile",
]

files = sorted({
    p for pattern in patterns
    for p in root.rglob(pattern)
    if p.is_file()
})

print("All Python manifests under examples/:")
for p in files:
    print(f" - {p}")

direct = [p for p in files if len(p.relative_to(root).parts) == 1]

print("\nDirectly under examples/:")
for p in direct:
    print(f" - {p}")

if files and not direct:
    print("\nRESULT: manifests are nested under subdirectories. Use one Dependabot entry per manifest directory or the `directories:` key.")
elif direct:
    print("\nRESULT: at least one manifest lives directly under /examples. This config will cover those files.")
else:
    print("\nRESULT: no supported pip manifests were found under examples/.")
PY

Repository: red-hat-data-services/red-hat-ai-examples

Length of output: 703


Update Dependabot config to cover nested Python manifests.

The directory: "/examples" entry will not discover Python manifests nested in subdirectories. Analysis found:

  • 6 pyproject.toml files under examples/knowledge-tuning/01_*, 02_*, etc.
  • 1 requirements.txt at examples/llmcompressor/
  • None directly under examples/

Dependabot's pip resolver only looks in the specified directory, not subdirectories. Either:

  1. Add a separate entry for each manifest directory (e.g., directory: "/examples/knowledge-tuning/01_Base_Model_Evaluation")
  2. Use multiple directory paths if Dependabot supports it in your config schema
  3. Consolidate manifests to examples/ root if feasible

Without this change, dependency updates for nested examples will be missed.

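The coverage gap described in the comment above can be checked mechanically before merging. The following is an added example, not code from the PR or from CodeRabbit: it models Dependabot's non-recursive directory lookup and the `directories:` key's glob matching (assumed here as `*` within one path segment, `**` across segments), then reports which pip manifests the PR's single `/examples` entry misses versus a corrected entry. The manifest list is constructed from the paths the review reported, and the `02_example_step` directory name is invented.

```python
import re
from pathlib import PurePosixPath

# Manifest file names Dependabot's pip ecosystem looks for (assumed list).
PIP_MANIFESTS = {"requirements.txt", "requirements.in", "pyproject.toml",
                 "setup.py", "setup.cfg", "Pipfile"}

# Constructed tree modelled on the review's findings; "02_example_step" is invented.
SAMPLE_MANIFESTS = [
    "examples/knowledge-tuning/01_Base_Model_Evaluation/pyproject.toml",
    "examples/knowledge-tuning/02_example_step/pyproject.toml",
    "examples/llmcompressor/requirements.txt",
    "examples/README.md",  # not a manifest, must be ignored
]

# The PR's pip entry beside a corrected one using `directories:` with a glob (schedule/labels omitted).
PR_CONFIG = {"updates": [{"package-ecosystem": "pip", "directory": "/examples"}]}
FIXED_CONFIG = {"updates": [{"package-ecosystem": "pip", "directories": [
    "/examples/knowledge-tuning/*", "/examples/llmcompressor"]}]}

def glob_to_regex(pattern):
    """`*` matches within one path segment, `**` may cross segments."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile(out)

def entry_dirs(entry):
    """Directory patterns of one update entry (`directory` or `directories`)."""
    dirs = entry.get("directories") or [entry.get("directory", "/")]
    return ["/" + d.strip("/") if d.strip("/") else "/" for d in dirs]

def covered(pattern, manifest):
    """Only the manifest's own directory is checked: Dependabot does not recurse."""
    parent = PurePosixPath(manifest).parent.as_posix()
    parent = "/" if parent == "." else "/" + parent
    return glob_to_regex(pattern).fullmatch(parent) is not None

def uncovered_manifests(config, manifests):
    """Pip manifests that no pip entry in `config` would ever scan."""
    pip_dirs = [d for e in config.get("updates", [])
                if e.get("package-ecosystem") == "pip" for d in entry_dirs(e)]
    return sorted(m for m in manifests if PurePosixPath(m).name in PIP_MANIFESTS
                  and not any(covered(d, m) for d in pip_dirs))
```

Running `uncovered_manifests(PR_CONFIG, SAMPLE_MANIFESTS)` lists all three manifests, while the corrected config leaves none uncovered; feeding it the real output of the review's `rglob` script gives the same check against the actual tree.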
