Conversation

@vnz (Owner) commented Jan 24, 2026

Summary

  • Add new dependabot skill plugin for checking dependency updates using the official Dependabot CLI
  • Auto-detects 16 ecosystems (npm, terraform, github-actions, go, python, rust, docker, maven, gradle, etc.)
  • Supports both full scans ("use dependabot") and targeted scans ("use dependabot for terraform")
  • Interactive PR creation with flexible strategy options

Files

File                                            Purpose
plugins/dependabot/.claude-plugin/plugin.json   Plugin manifest
plugins/dependabot/skills/dependabot.md         Main skill definition
plugins/dependabot/README.md                    User documentation
.claude-plugin/marketplace.json                 Updated to register plugin

Test plan

  • Verify prek run --all-files passes
  • Test skill trigger with "use dependabot"
  • Test ecosystem-specific trigger with "use dependabot for npm"
  • Verify prerequisite checks (dependabot CLI, gh CLI)

🤖 Generated with Claude Code

Add a skill-based plugin that uses the official Dependabot CLI to check
for dependency updates across 16 supported ecosystems with automatic
detection.

Features:
- Auto-detects package managers (npm, terraform, github-actions, etc.)
- Supports targeted scans via "use dependabot for <ecosystem>"
- Interactive PR creation with flexible strategy (per-ecosystem or combined)
- Uses gh CLI for secure authentication

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@vnz vnz self-assigned this Jan 24, 2026
@gemini-code-assist (bot) commented

Summary of Changes

Hello @vnz, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a new dependabot skill plugin, significantly enhancing the system's capability to manage project dependencies. By integrating with the Dependabot CLI, it automates the process of identifying outdated or vulnerable dependencies across a wide range of programming languages and tools, streamlining maintenance and improving project security. The plugin offers flexible scanning and PR creation options, empowering users to efficiently keep their projects up-to-date.

Highlights

  • New Dependabot Plugin: Introduces a new skill plugin that leverages the official Dependabot CLI to check for dependency updates across projects.
  • Broad Ecosystem Support: Automatically detects and supports updates across 16 different ecosystems, including npm, Terraform, GitHub Actions, Go, Python, and more.
  • Flexible Scanning Options: Allows users to perform full scans across all detected ecosystems or target specific ones (e.g., "use dependabot for terraform").
  • Interactive PR Creation: Provides an interactive workflow for creating pull requests to apply found updates, offering strategies like "one PR per ecosystem" or a "single combined PR".
@gemini-code-assist (bot) left a review comment

Code Review

This pull request introduces a new dependabot plugin, which is a valuable addition for automating dependency updates. The overall structure, documentation, and skill definition are well-conceived. However, I've identified a critical issue in the dependabot commands within the skill definition that will prevent the plugin from functioning as intended. The repository name is hardcoded to an invalid value, and I've provided suggestions to dynamically determine it. Additionally, there are several inconsistencies in the README.md file concerning file detection for various ecosystems and the example commands, which I've also flagged for correction to ensure accuracy and clarity for users.

vnz and others added 2 commits January 24, 2026 10:25
- Use dynamic repo detection via gh CLI instead of hardcoded '/'
- Fix example commands in README to use <owner/repo> placeholder
- Add missing detection files: setup.py (Python), *.dockerfile (Docker), *.fsproj (NuGet)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

The Dependabot CLI documentation specifies LOCAL_GITHUB_ACCESS_TOKEN,
not GITHUB_ACCESS_TOKEN.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
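
The mechanics the PR description and the two fix commits above describe, worked as an added shell example. This is not the plugin's own code (that lives in plugins/dependabot/skills/dependabot.md and is not reproduced on this page); it shows manifest-based ecosystem detection including the three files the review added (setup.py, *.dockerfile, *.fsproj), the prerequisite check from the test plan, owner/repo resolution via `gh repo view` instead of a hardcoded value, and the token handed to the Dependabot CLI under the documented LOCAL_GITHUB_ACCESS_TOKEN name, sourced from `gh auth token` so no secret is pasted into a config file. Assumptions: the manifest-to-ecosystem table and the friendly-name-to-package-manager table are this example's own; the invocation shape `dependabot update <package-manager> <owner/repo> --local <dir>` is taken from the CLI's documented usage and should be checked against `dependabot update --help` for the installed version; the sample checkout and the repo name `example-org/example-repo` are constructed. The script only prints the commands it would run, so it executes without either CLI installed.

```shell
#!/usr/bin/env sh
# Added example, not the plugin's own code. Assumed: the two lookup tables
# below and the `dependabot update <pm> <owner/repo> --local <dir>` shape.
set -eu

# Return 0 if any path expanded from the caller's glob actually exists.
any_exists() {
  for p in "$@"; do
    if [ -e "$p" ]; then return 0; fi
  done
  return 1
}

# Map the skill's friendly ecosystem names ("use dependabot for go") to the
# package-manager names the Dependabot CLI takes as its first argument.
dependabot_pm_name() {
  case "$1" in
    npm)            echo npm_and_yarn ;;
    python)         echo pip ;;
    go)             echo go_modules ;;
    rust)           echo cargo ;;
    github-actions) echo github_actions ;;
    terraform|docker|maven|gradle|nuget|bundler|composer) echo "$1" ;;
    *) echo "unknown ecosystem: $1" >&2; return 1 ;;
  esac
}

# Detect ecosystems from manifest files in the top level of DIR and print
# them space-separated. Only the top level is inspected (this example's
# simplification; the plugin's own recursion rule is not on the page).
detect_ecosystems() {
  dir=$1
  found=""
  if [ -f "$dir/package.json" ]; then found="$found npm"; fi
  if [ -f "$dir/requirements.txt" ] || [ -f "$dir/pyproject.toml" ] || [ -f "$dir/setup.py" ]; then found="$found python"; fi
  if [ -f "$dir/go.mod" ]; then found="$found go"; fi
  if [ -f "$dir/Cargo.toml" ]; then found="$found rust"; fi
  if any_exists "$dir"/*.tf; then found="$found terraform"; fi
  if [ -f "$dir/Dockerfile" ] || any_exists "$dir"/*.dockerfile; then found="$found docker"; fi
  if [ -f "$dir/pom.xml" ]; then found="$found maven"; fi
  if [ -f "$dir/build.gradle" ] || [ -f "$dir/build.gradle.kts" ]; then found="$found gradle"; fi
  if any_exists "$dir"/*.csproj "$dir"/*.fsproj || [ -f "$dir/packages.config" ]; then found="$found nuget"; fi
  if any_exists "$dir"/.github/workflows/*.yml "$dir"/.github/workflows/*.yaml; then found="$found github-actions"; fi
  echo "${found# }"
}

# Prerequisite check from the test plan: both CLIs must be on PATH.
check_prerequisites() {
  missing=""
  for tool in dependabot gh; do
    if ! command -v "$tool" >/dev/null 2>&1; then missing="$missing $tool"; fi
  done
  if [ -n "$missing" ]; then echo "missing prerequisites:$missing" >&2; return 1; fi
}

# Turn a git remote URL (ssh or https form) into owner/repo. Used only as
# the fallback when gh cannot answer.
repo_from_remote_url() {
  url=$1
  url=${url%.git}
  url=${url%/}
  case "$url" in
    git@github.com:*)       echo "${url#git@github.com:}" ;;
    ssh://git@github.com/*) echo "${url#ssh://git@github.com/}" ;;
    https://github.com/*)   echo "${url#https://github.com/}" ;;
    *) echo "unsupported remote: $url" >&2; return 1 ;;
  esac
}

# Resolve owner/repo for the current checkout dynamically: ask gh first
# (it follows forks and renames), then parse the origin remote.
resolve_repo() {
  if command -v gh >/dev/null 2>&1 && gh repo view --json nameWithOwner -q .nameWithOwner 2>/dev/null; then
    return 0
  fi
  repo_from_remote_url "$(git remote get-url origin)"
}

# Give the Dependabot CLI a token under the variable its docs name, taken
# from gh's credential store rather than from a token written into config.
export_local_token() {
  if [ -z "${LOCAL_GITHUB_ACCESS_TOKEN:-}" ]; then
    LOCAL_GITHUB_ACCESS_TOKEN=$(gh auth token)
    export LOCAL_GITHUB_ACCESS_TOKEN
  fi
}

# Build (but do not run) the update command for one ecosystem.
build_update_cmd() {
  pm=$(dependabot_pm_name "$1") || return 1
  printf 'dependabot update %s %s --local %s\n' "$pm" "$2" "$3"
}

# Constructed sample checkout with a handful of empty manifests (not a real
# project) so the detection can be exercised offline.
sample=$(mktemp -d)
trap 'rm -rf "$sample"' EXIT
mkdir -p "$sample/.github/workflows"
: > "$sample/package.json"
: > "$sample/setup.py"
: > "$sample/main.tf"
: > "$sample/api.dockerfile"
: > "$sample/.github/workflows/ci.yml"

repo="example-org/example-repo"   # constructed placeholder for what gh would return
for eco in $(detect_ecosystems "$sample"); do
  build_update_cmd "$eco" "$repo" "$sample"
done
```

In a real checkout the sequence is `check_prerequisites && export_local_token && repo=$(resolve_repo)` before the loop, and the printed commands are executed instead of echoed. Keeping the repo name dynamic is what the review called the critical fix: a hardcoded `/` made every `dependabot update` call invalid, and a hardcoded real name would silently scan the wrong repository when the plugin is reused elsewhere.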
@vnz (Owner, Author) commented Jan 24, 2026

Thanks @gemini-code-assist for the thorough review!

All feedback has been addressed in the latest commits:

Critical fixes:

  • ✅ Fixed invalid repo argument '/' → now using dynamic detection via gh repo view
  • ✅ Fixed example commands in README to use <owner/repo> placeholder

Medium fixes:

  • ✅ Added missing setup.py to Python detection files
  • ✅ Added missing *.dockerfile to Docker detection files
  • ✅ Added missing *.fsproj to NuGet detection files

Additional fix (found during docs verification):

@gemini-code-assist (bot) commented

Thanks for the update, @vnz! I appreciate you addressing the feedback and making these important improvements. The fixes, especially the dynamic repository detection and the updated LOCAL_GITHUB_ACCESS_TOKEN usage, significantly enhance the plugin's robustness and adherence to best practices. The additions to the detection files also improve the comprehensiveness of the ecosystem scanning.

Great work on these changes! The pull request looks much stronger now.

@vnz vnz merged commit f112107 into main Jan 24, 2026
1 check passed
@vnz vnz deleted the feat/dependabot-plugin branch January 24, 2026 10:01