chore(security): add Dependabot config #2
Part of the org-wide repo security audit. This repo has no package.json (front-end assets are loaded via CDN), so the npm ecosystem block is intentionally commented out as a template for future use. Only github-actions is active today, which will keep any future workflow Action versions patched automatically.
Pull request overview
Adds a Dependabot configuration as part of the org-wide security audit, enabling automated dependency update PRs for GitHub Actions while leaving a commented npm template for a potential future migration to a bundled/npm-managed frontend.
Changes:
- Add `.github/dependabot.yml` with weekly checks for the `github-actions` ecosystem.
- Configure Dependabot PR metadata (commit message prefix/scope) and include a commented-out npm configuration template for future use.
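The PR's actual `.github/dependabot.yml` is not reproduced on this page. The file below is an added illustration of the configuration the description and review describe (one active `github-actions` block on a weekly schedule, commit-message prefix and scope, and a commented-out npm block as a template); it is not the committed file. The `chore(security)` prefix, the `chore(deps)` prefix in the template, and the `open-pull-requests-limit` value are assumptions, not settings the PR states.

```yaml
# Illustrative .github/dependabot.yml (added example, not the file from this PR).
version: 2
updates:
  # Active today: keeps the Action refs used in .github/workflows/ patched.
  - package-ecosystem: "github-actions"
    directory: "/"            # workflows are discovered under .github/workflows/ from the repo root
    schedule:
      interval: "weekly"
    commit-message:
      prefix: "chore(security)"   # assumed prefix; the PR only says a prefix/scope is configured
      include: "scope"
    open-pull-requests-limit: 5   # assumed cap (Dependabot's default), not stated in the PR

  # Template only: this repo has no package.json (front-end assets come from a CDN),
  # so an uncommented npm block would find no manifest to update. Uncomment once
  # a package.json exists.
  # - package-ecosystem: "npm"
  #   directory: "/"
  #   schedule:
  #     interval: "weekly"
  #   commit-message:
  #     prefix: "chore(deps)"
  #     include: "scope"
```

One caveat worth knowing when auditing a repo like this: Dependabot version updates for `github-actions` also handle references pinned to a full commit SHA with a trailing version comment (for example `uses: actions/checkout@<sha> # v4.1.1`), bumping both the hash and the comment. Pinning Actions by SHA, the stronger supply-chain posture, therefore does not conflict with this configuration, and the `directory: "/"` entry is the only one needed for workflows in the standard location.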
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: Joseph Lewkovich <brzt3x@gmail.com>
@copilot why does it say:
... Because the PR is targeting the protected
@copilot Yes, but if I'm having you do PRs and changing the code on those PRs... why aren't you following the repo rules? Or is some setting misconfigured?
It looks more like a limitation of the commit path than a bad repo rule. The branch rule is working as configured, but the original PR commit (