From 9b786c1c952fe7a7246a8030009e93de099b6245 Mon Sep 17 00:00:00 2001
From: Ho Ngoc Hai
Date: Fri, 10 Apr 2026 21:13:09 +0700
Subject: [PATCH] deps: enhance Dependabot config for monorepo coverage and security
- Add npm monitoring for apps/api, apps/web, and libs/mcp-servers directories alongside root workspace
- Reduce open-pull-requests-limit from 10 to 5 per ecosystem
- Add dependency groups for Next.js and React packages
- Remove stale pip and docker entries for non-existent libs/ai-services
- Add documentation header explaining security update strategy
- Security updates rely on GitHub's built-in Dependabot Security Updates feature (daily automatic PRs for advisories)
Co-Authored-By: Paperclip
---
 .github/dependabot.yml | 116 ++++++++++++++++++++++++++++++++---------
 1 file changed, 90 insertions(+), 26 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index df0b572..91e8eec 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,7 +1,20 @@
 version: 2
 
+# ─────────────────────────────────────────────────────────────────────
+# Dependabot configuration for GoodGo Platform monorepo
+#
+# Version updates: weekly (Monday 06:00 ICT)
+# Security updates: enabled repo-wide via GitHub Dependabot Security
+# Updates (Settings → Code security → Dependabot security updates).
+# Security PRs are created automatically within hours of advisory
+# publication — no schedule entry needed here.
+#
+# PR limit: 5 per ecosystem/directory to keep review load manageable.
+# Grouping: minor + patch bundled together to reduce PR noise.
+# ─────────────────────────────────────────────────────────────────────
+
 updates:
- # ── Node.js / pnpm dependencies ──────────────────────────────────
+ # ── npm: Root workspace (pnpm lockfile covers all packages) ────────
 - package-ecosystem: "npm"
 directory: "/"
 schedule:
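Review bot: The new header lines `+# Security updates: enabled repo-wide via GitHub Dependabot Security` through `+# publication — no schedule entry needed here.` state as fact something this file cannot enforce: Dependabot security updates are a repository setting, and if that setting (or Dependabot alerts) is off, nothing declared in this config will raise an advisory-driven PR and nothing here would fail visibly. I'd reword it as a precondition a reviewer can check, e.g. `# Security updates: NOT driven by this file. They require "Dependabot security updates"` / `# (Settings → Code security) to be ON for this repo — verify when auditing, since this` / `# config cannot detect it being turned off.` The commit message also says "daily automatic PRs" while the header says "within hours of advisory publication"; the two should agree. The root `updates` entry continues past this hunk.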
@@ -9,13 +22,11 @@ updates:
 day: "monday"
 time: "06:00"
 timezone: "Asia/Ho_Chi_Minh"
- open-pull-requests-limit: 10
+ open-pull-requests-limit: 5
 reviewers:
 - "goodgo/platform-team"
 labels:
 - "dependencies"
- - "security"
- # Group minor/patch updates to reduce PR noise
 groups:
 dev-dependencies:
 patterns:
@@ -45,14 +56,28 @@ updates:
 update-types:
 - "minor"
 - "patch"
- # Security updates always get individual PRs (not grouped)
+ nextjs:
+ patterns:
+ - "next"
+ - "next-*"
+ update-types:
+ - "minor"
+ - "patch"
+ react:
+ patterns:
+ - "react"
+ - "react-dom"
+ - "@types/react*"
+ update-types:
+ - "minor"
+ - "patch"
 commit-message:
 prefix: "deps"
 include: "scope"
 
- # ── Python dependencies (AI services) ────────────────────────────
- - package-ecosystem: "pip"
- directory: "/libs/ai-services"
+ # ── npm: apps/api ──────────────────────────────────────────────────
+ - package-ecosystem: "npm"
+ directory: "/apps/api"
 schedule:
 interval: "weekly"
 day: "monday"
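Review bot: The `nextjs` and `react` groups added in the second hunk here are appended after the root entry's existing groups, and Dependabot puts a dependency into the first group whose `patterns` match it; the group closing at the top of this hunk is visible only from its `update-types`, so if it or any earlier group uses a catch-all pattern, `next`/`react` packages would never reach the new groups. I'd check those earlier patterns and, if one is a catch-all, move `nextjs`/`react` above it or add `exclude-patterns:` with `- "next*"` and `- "react*"` to it. The removed line `# Security updates always get individual PRs (not grouped)` described behaviour that still holds — these groups apply to version updates only unless a group sets `applies-to: security-updates` — and a one-line reminder of that next to `groups:` is worth keeping so nobody assumes an advisory fix is bundled into a grouped PR. The root entry's `groups` block begins before this hunk.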
@@ -61,10 +86,62 @@ updates:
 open-pull-requests-limit: 5
 labels:
 - "dependencies"
- - "security"
- - "ai-services"
+ - "api"
+ groups:
+ api-minor-patch:
+ patterns:
+ - "*"
+ update-types:
+ - "minor"
+ - "patch"
 commit-message:
- prefix: "deps(ai)"
+ prefix: "deps(api)"
+ include: "scope"
+
+ # ── npm: apps/web ──────────────────────────────────────────────────
+ - package-ecosystem: "npm"
+ directory: "/apps/web"
+ schedule:
+ interval: "weekly"
+ day: "monday"
+ time: "06:00"
+ timezone: "Asia/Ho_Chi_Minh"
+ open-pull-requests-limit: 5
+ labels:
+ - "dependencies"
+ - "web"
+ groups:
+ web-minor-patch:
+ patterns:
+ - "*"
+ update-types:
+ - "minor"
+ - "patch"
+ commit-message:
+ prefix: "deps(web)"
+ include: "scope"
+
+ # ── npm: libs/mcp-servers ──────────────────────────────────────────
+ - package-ecosystem: "npm"
+ directory: "/libs/mcp-servers"
+ schedule:
+ interval: "weekly"
+ day: "monday"
+ time: "06:00"
+ timezone: "Asia/Ho_Chi_Minh"
+ open-pull-requests-limit: 5
+ labels:
+ - "dependencies"
+ - "mcp"
+ groups:
+ mcp-minor-patch:
+ patterns:
+ - "*"
+ update-types:
+ - "minor"
+ - "patch"
+ commit-message:
+ prefix: "deps(mcp)"
 include: "scope"
 
 # ── GitHub Actions ───────────────────────────────────────────────
@@ -90,7 +167,7 @@ updates:
 prefix: "ci"
 include: "scope"
 
- # ── Docker base images ──────────────────────────────────────────
+ # ── Docker: apps/api ────────────────────────────────────────────
 - package-ecosystem: "docker"
 directory: "/apps/api"
 schedule:
@@ -105,6 +182,7 @@ updates:
 commit-message:
 prefix: "docker(api)"
 
+ # ── Docker: apps/web ────────────────────────────────────────────
 - package-ecosystem: "docker"
 directory: "/apps/web"
 schedule:
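Review bot: The three npm entries added in the first hunk here (`directory: "/apps/api"`, `"/apps/web"`, `"/libs/mcp-servers"`) overlap with the root entry, whose own comment says the pnpm lockfile at `/` already covers every workspace package; Dependabot evaluates each `updates` entry on its own, so a package declared in a sub-package's `package.json` can be proposed twice (from `/` and from its directory), and in a directory with no lockfile of its own the update may change only `package.json`. I'd confirm against the workspace layout that these are real pnpm workspace members before keeping both sets, and either carry the per-app groups on the root entry or use a single entry with `directories:` listing the paths so each package is processed once. The catch-all `"*"` groups with `minor` + `patch` also merge every bump in a directory into one PR, which makes lockfile review of a transitive supply-chain change harder, and unlike the root entry these three have no `reviewers:` — a CODEOWNERS rule for these paths (which I believe GitHub now prefers over the `reviewers` key) would keep a named human on them.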
@@ -118,17 +196,3 @@ updates:
 - "docker"
 commit-message:
 prefix: "docker(web)"
-
- - package-ecosystem: "docker"
- directory: "/libs/ai-services"
- schedule:
- interval: "weekly"
- day: "monday"
- time: "06:00"
- timezone: "Asia/Ho_Chi_Minh"
- open-pull-requests-limit: 3
- labels:
- - "dependencies"
- - "docker"
- commit-message:
- prefix: "docker(ai)"