deps: enhance Dependabot config for monorepo coverage and security

- Add npm monitoring for apps/api, apps/web, and libs/mcp-servers directories alongside root workspace - Reduce open-pull-requests-limit from 10 to 5 per ecosystem - Add dependency groups for Next.js and React packages - Remove stale pip and docker entries for non-existent libs/ai-services - Add documentation header explaining security update strategy - Security updates rely on GitHub's built-in Dependabot Security Updates feature (daily automatic PRs for advisories) Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-10 21:13:09 +07:00
parent 9cfea31905
commit 9b786c1c95
1 changed files with 90 additions and 26 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,7 +1,20 @@
 version: 2
 # ─────────────────────────────────────────────────────────────────────
 # Dependabot configuration for GoodGo Platform monorepo
 #
 # Version updates: weekly (Monday 06:00 ICT)
 # Security updates: enabled repo-wide via GitHub Dependabot Security
 #   Updates (Settings → Code security → Dependabot security updates).
 #   Security PRs are created automatically within hours of advisory
 #   publication — no schedule entry needed here.
 #
 # PR limit: 5 per ecosystem/directory to keep review load manageable.
 # Grouping: minor + patch bundled together to reduce PR noise.
 # ─────────────────────────────────────────────────────────────────────
 updates:
-  # ── Node.js / pnpm dependencies ──────────────────────────────────
+  # ── npm: Root workspace (pnpm lockfile covers all packages) ────────
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
@@ -9,13 +22,11 @@ updates:
      day: "monday"
      time: "06:00"
      timezone: "Asia/Ho_Chi_Minh"
-    open-pull-requests-limit: 10
+    open-pull-requests-limit: 5
    reviewers:
      - "goodgo/platform-team"
    labels:
      - "dependencies"
      - "security"
    # Group minor/patch updates to reduce PR noise
    groups:
      dev-dependencies:
        patterns:
@@ -45,14 +56,28 @@ updates:
        update-types:
          - "minor"
          - "patch"
-    # Security updates always get individual PRs (not grouped)
+      nextjs:
        patterns:
          - "next"
          - "next-*"
        update-types:
          - "minor"
          - "patch"
      react:
        patterns:
          - "react"
          - "react-dom"
          - "@types/react*"
        update-types:
          - "minor"
          - "patch"
    commit-message:
      prefix: "deps"
      include: "scope"
-  # ── Python dependencies (AI services) ────────────────────────────
+  # ── npm: apps/api ──────────────────────────────────────────────────
-  - package-ecosystem: "pip"
+  - package-ecosystem: "npm"
-    directory: "/libs/ai-services"
+    directory: "/apps/api"
    schedule:
      interval: "weekly"
      day: "monday"
@@ -61,10 +86,62 @@ updates:
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
-      - "security"
+      - "api"
-      - "ai-services"
+    groups:
      api-minor-patch:
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
    commit-message:
-      prefix: "deps(ai)"
+      prefix: "deps(api)"
      include: "scope"
  # ── npm: apps/web ──────────────────────────────────────────────────
  - package-ecosystem: "npm"
    directory: "/apps/web"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "06:00"
      timezone: "Asia/Ho_Chi_Minh"
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
      - "web"
    groups:
      web-minor-patch:
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
    commit-message:
      prefix: "deps(web)"
      include: "scope"
  # ── npm: libs/mcp-servers ──────────────────────────────────────────
  - package-ecosystem: "npm"
    directory: "/libs/mcp-servers"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "06:00"
      timezone: "Asia/Ho_Chi_Minh"
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
      - "mcp"
    groups:
      mcp-minor-patch:
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
    commit-message:
      prefix: "deps(mcp)"
      include: "scope"
  # ── GitHub Actions ───────────────────────────────────────────────
@@ -90,7 +167,7 @@ updates:
      prefix: "ci"
      include: "scope"
-  # ── Docker base images ──────────────────────────────────────────
+  # ── Docker: apps/api ────────────────────────────────────────────
  - package-ecosystem: "docker"
    directory: "/apps/api"
    schedule:
@@ -105,6 +182,7 @@ updates:
    commit-message:
      prefix: "docker(api)"
  # ── Docker: apps/web ────────────────────────────────────────────
  - package-ecosystem: "docker"
    directory: "/apps/web"
    schedule:
@@ -118,17 +196,3 @@ updates:
      - "docker"
    commit-message:
      prefix: "docker(web)"
  - package-ecosystem: "docker"
    directory: "/libs/ai-services"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "06:00"
      timezone: "Asia/Ho_Chi_Minh"
    open-pull-requests-limit: 3
    labels:
      - "dependencies"
      - "docker"
    commit-message:
      prefix: "docker(ai)"