Introduce dependabot (#134)

sercancicek · web-flow · commit 83eee3f3875e · 2025-10-17T09:55:03.000+02:00
This PR enables `Dependabot`.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+---
+version: 2
+updates:
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    open-pull-requests-limit: 25
+    commit-message:
+      prefix: "deps"
+    versioning-strategy: increase
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -9,8 +9,16 @@ on:
     branches:
       - master
 
+  workflow_run: # chain from the uv-lock workflow
+    workflows: ["uv.lock on Dependabot PRs"]
+    types: [completed]
+
 jobs:
   build:
+    # Only run if not a Dependabot PR, or once uv-lock has completed successfully
+    if: |
+      github.event_name == 'workflow_run' ||
+      github.actor != 'dependabot[bot]'
     runs-on: ubuntu-latest
     strategy:
       matrix:
diff --git a/.github/workflows/dependabot-uv-lock.yml b/.github/workflows/dependabot-uv-lock.yml
@@ -0,0 +1,39 @@
+name: uv.lock on Dependabot PRs
+# 📝 Description:
+# Using Dependabot with "pip" to avoid uv’s specifier normalization (~= → >=,<).
+# Consequence: pip updates only pyproject.toml, not uv.lock → `uv sync --locked` would fail.
+# Fix: on Dependabot PRs that touch pyproject.toml, run `uv lock`, commit uv.lock if changed,
+# then dispatch ci.yml so CI runs against the refreshed lockfile.
+
+on:
+  pull_request:
+    paths: ["pyproject.toml"]
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  uv-lock:
+    if: github.actor == 'dependabot[bot]'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+      - name: Install uv
+        uses: astral-sh/setup-uv@v6
+      - name: Update lockfile
+        run: uv lock
+      - name: Commit updated uv.lock
+        run: |
+          if ! git diff --quiet -- uv.lock; then
+            git config user.name "github-actions[bot]"
+            git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+            git add uv.lock
+            git commit -m "chore: refresh uv.lock"
+            git push
+          fi
