From 4ac5226ed45dba8a5faacb83f2020b01924af7b9 Mon Sep 17 00:00:00 2001
From: "Aaron K. Clark"
Date: Mon, 18 May 2026 01:06:19 -0500
Subject: [PATCH] ci(dependabot): weekly automated dependency updates
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds .github/dependabot.yml so GitHub auto-files PRs against three ecosystems on a weekly cadence (Monday 06:00 America/Chicago):

- **npm**: production + dev dependencies. Minor + patch versions are grouped into one combined PR per week; majors get their own PR (each can have a breaking change worth its own review).
- **github-actions**: workflow action versions in .github/workflows/.
- **docker**: base images in Dockerfile + docker-compose.yml.

Open-PR cap of 5 on the npm tree to avoid overwhelming the queue during a quiet maintenance window.

Pairs with the `npm run audit` CI gate (#99) — between the two we catch dependency drift early (weekly PR) AND block PRs that drift into a known high/critical advisory.

Codeberg doesn't have a direct dependabot equivalent; operators wanting automated updates on the mirror can run renovate-bot or similar against that side.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/dependabot.yml | 64 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 64 insertions(+)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..352f077
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,64 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2026 Aaron K. Clark
+#
+# Dependabot configuration. Automates dependency updates so the
+# `npm audit` CI gate doesn't surprise us at release time.
+#
+# Two ecosystems get watched:
+# 1. npm — the production + dev tree in package.json.
+# 2. github-actions — workflow action versions in .github/workflows/.
+# 3. docker — base images in Dockerfile / docker-compose.yml.
+#
+# Update cadence is weekly. Patch + minor groups land as one combined
+# PR per ecosystem; major versions get their own PR for review.
+
+version: 2
+updates:
+  - package-ecosystem: npm
+    directory: "/"
+    schedule:
+      interval: weekly
+      day: monday
+      time: "06:00"
+      timezone: "America/Chicago"
+    open-pull-requests-limit: 5
+    labels:
+      - dependencies
+    commit-message:
+      prefix: "chore(deps)"
+      include: scope
+    groups:
+      # Bundle non-major bumps into a single PR per week so the queue
+      # doesn't fragment. Majors stay separate (each can have a
+      # breaking change worth reviewing on its own).
+      minor-and-patch:
+        applies-to: version-updates
+        update-types:
+          - "minor"
+          - "patch"
+
+  - package-ecosystem: github-actions
+    directory: "/"
+    schedule:
+      interval: weekly
+      day: monday
+      time: "06:00"
+      timezone: "America/Chicago"
+    labels:
+      - dependencies
+      - ci
+    commit-message:
+      prefix: "chore(actions)"
+
+  - package-ecosystem: docker
+    directory: "/"
+    schedule:
+      interval: weekly
+      day: monday
+      time: "06:00"
+      timezone: "America/Chicago"
+    labels:
+      - dependencies
+      - docker
+    commit-message:
+      prefix: "chore(docker)"
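Review bot: The header comment of the new file says `# Two ecosystems get watched:` and then enumerates three, and the `updates:` list below it has three entries, so change it to `# Three ecosystems get watched:` (or drop the count) so the comment does not go stale the next time an ecosystem is added. On the supply-chain side, the `minor-and-patch` group will fold any freshly published npm patch release in with a pile of harmless bumps, and the `npm audit` gate only catches advisories that have already been filed, so consider adding a `cooldown:` block with a `default-days:` of a few days to the npm entry (if the Dependabot version in use supports it) so that short-lived malicious releases tend to be yanked before they are proposed. `open-pull-requests-limit: 5` matches what I believe is Dependabot's default for version updates, so it documents intent rather than tightening anything; that is fine, but the commit message should not present it as a cap. Finally, the comment and the commit message both claim the `docker` entry covers docker-compose.yml; as far as I recall Compose files need a separate `package-ecosystem: docker-compose` entry, so verify that before relying on those base images being bumped.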