Add Dependabot configuration and workflows #3
Conversation
cvele commented Sep 17, 2025
- Introduced a Dependabot configuration file to automate dependency updates for Python packages and GitHub Actions, scheduled weekly.
- Added workflows for auto-merging minor and patch updates, ensuring tests pass before merging, and for enhanced security checks on Dependabot PRs.
- The security workflow includes vulnerability scanning with Safety, security linting with Bandit, and automated comments for high-risk changes, improving overall project security management.
Pull Request Overview
This PR introduces automated dependency management and security checks for the project using Dependabot. It sets up weekly automated dependency updates for Python packages and GitHub Actions, along with security validation workflows.
Key Changes
- Added Dependabot configuration to automatically create PRs for dependency updates on a weekly schedule
- Implemented auto-merge workflow for minor and patch updates after tests pass, with manual review required for major updates
- Created security validation workflow that scans for vulnerabilities and performs security linting on Dependabot PRs
Reviewed Changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
File | Description
---|---
.github/dependabot.yml | Configures Dependabot to monitor Python and GitHub Actions dependencies with weekly updates and grouping strategies
.github/workflows/dependabot-auto-merge.yml | Automates merging of minor/patch updates after tests pass, with safeguards for major version changes
.github/workflows/dependabot-security.yml | Adds security scanning with Safety and Bandit tools, plus automated risk assessment for dependency changes
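The security workflow described in this PR writes Bandit's findings to bandit-report.json. The script below, an added example that is not part of this PR or the project's code, reads such a report and turns it into a pass/fail exit code so the linting step can actually block a merge; the file name, thresholds and the sample report are assumptions.

```python
"""Gate a CI step on Bandit's JSON report rather than discarding its exit code."""
import json
import sys

# Bandit reports severity and confidence as LOW / MEDIUM / HIGH.
RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}

def count_findings(report, min_severity="MEDIUM", min_confidence="MEDIUM"):
    """Count results at or above both thresholds (unknown levels rank as LOW)."""
    sev_floor, conf_floor = RANK[min_severity], RANK[min_confidence]
    return sum(
        1 for r in report.get("results", [])
        if RANK.get(r.get("issue_severity", "LOW"), 0) >= sev_floor
        and RANK.get(r.get("issue_confidence", "LOW"), 0) >= conf_floor
    )

def gate(report, min_severity="MEDIUM", min_confidence="MEDIUM"):
    """Exit code: 1 if the scan hit errors or has findings above threshold, else 0."""
    # Files Bandit could not parse are listed under "errors"; an incomplete scan is a failure.
    if report.get("errors"):
        return 1
    return 1 if count_findings(report, min_severity, min_confidence) else 0

# Constructed sample in the shape of `bandit -f json` output (not a real scan of this project).
SAMPLE_REPORT = {
    "errors": [],
    "results": [
        {"filename": "imgc/run.py", "line_number": 12, "test_id": "B602",
         "issue_severity": "HIGH", "issue_confidence": "HIGH",
         "issue_text": "subprocess call with shell=True identified"},
        {"filename": "imgc/util.py", "line_number": 40, "test_id": "B101",
         "issue_severity": "LOW", "issue_confidence": "HIGH",
         "issue_text": "Use of assert detected"},
    ],
}

def main(argv):
    """Usage: python gate_bandit.py bandit-report.json [MIN_SEVERITY] [MIN_CONFIDENCE]"""
    if len(argv) < 2:
        return gate(SAMPLE_REPORT)  # demo run on the constructed sample
    with open(argv[1], encoding="utf-8") as fh:
        report = json.load(fh)
    return gate(report, *argv[2:4])

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In the workflow this would run as a step after the bandit step, with the `|| true` left in place on the bandit line only if this gate is what fails the job.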
- name: Run bandit security linter | ||
run: | | ||
bandit -r imgc/ -f json -o bandit-report.json || true |
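Review bot: the "|| true" on the bandit line makes the step succeed no matter what Bandit reports, so the security linting can never block a Dependabot PR unless a later step reads bandit-report.json and fails on its contents. Either drop "|| true" (Bandit exits non-zero when it has findings) or apply its severity and confidence thresholds (the repeatable -l and -i flags) so that only findings above the chosen level fail the job. If the path is widened from imgc/ to "." as suggested above, exclude virtualenv and build directories with -x so installed third-party code is not scanned as if it were the project's own.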
Copilot (AI) commented Sep 17, 2025
The directory path imgc/ is hardcoded. Consider making this configurable or using a more generic approach like scanning all Python files with bandit -r . -f json -o bandit-report.json to make the workflow reusable across different project structures.
bandit -r imgc/ -f json -o bandit-report.json || true | |
bandit -r . -f json -o bandit-report.json || true |
id: wait-for-tests | ||
with: | ||
token: ${{ secrets.GITHUB_TOKEN }} | ||
checkName: "Test Build (ubuntu-latest)" # Wait for at least one platform to complete |
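Review bot: the wait step gates on a single check, "Test Build (ubuntu-latest)", and the trailing comment ("Wait for at least one platform to complete") confirms that is intended, so a failing test job on any other platform does not stop the auto-merge. Wait on every required test job, or gate the merge on the branch's required status checks rather than on one named check. Independently of that, the check name must match the job's display name exactly; with a mismatch the step never observes the check it is meant to wait for.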
Copilot (AI) commented Sep 17, 2025
The hardcoded check name 'Test Build (ubuntu-latest)' may not match the actual workflow job names in your CI. This could cause the auto-merge to fail if the test job has a different name. Consider making this configurable or using a more generic pattern.
checkName: "Test Build (ubuntu-latest)" # Wait for at least one platform to complete | |
checkName: "Test Build*" # Wait for any test build job to complete |