@openshift-ci openshift-ci bot requested review from TrilokGeer and deads2k March 18, 2025 19:20
@openshift-ci openshift-ci bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Mar 18, 2025
@openshift-ci
Contributor

openshift-ci bot commented Mar 18, 2025

Hi @sebrandon1. Thanks for your PR.

I'm waiting for an openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@sebrandon1
Member Author

/ok-to-test

@openshift-ci openshift-ci bot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Apr 24, 2025
@swghosh
Member

swghosh commented Apr 30, 2025

@sebrandon1 Does this need to add GitHub actions? Or, the dependabot can live off with actual GH Action runners too?

@coderabbitai
coderabbitai bot commented Sep 15, 2025

Walkthrough

Adds a new Dependabot configuration file (.github/dependabot.yml) specifying weekly update checks at the repository root for gomod, github-actions, and docker ecosystems.

Changes

| Cohort / File(s) | Summary of changes |
|---|---|
| Dependabot configuration (.github/dependabot.yml) | Added Dependabot v2 config with three update entries (gomod, github-actions, docker), each targeting / with a weekly schedule. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title Check | ✅ Passed | The pull request title "dependabot: add config" directly and clearly summarizes the primary change in the changeset. The title specifically refers to adding Dependabot configuration, which matches exactly what the changeset does—it adds a .github/dependabot.yml file with configuration for dependency management. The title is concise, specific, and avoids vague or generic terminology. |
| Description Check | ✅ Passed | The pull request description is clearly related to the changeset and provides relevant context about the purpose of the Dependabot configuration. It explains that the change enables automatic dependency management on a weekly cadence and will open PRs for review. The description includes references to similar implementations in other repositories, demonstrating the pattern being followed. This is directly related to the addition of the Dependabot config file. |
📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 83b1b7e and 942e95d.

📒 Files selected for processing (1)
  • .github/dependabot.yml (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/dependabot.yml

@openshift-ci
Contributor

openshift-ci bot commented Sep 15, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sebrandon1
Once this PR has been reviewed and has the lgtm label, please assign bharath-b-rh for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (4)
.github/dependabot.yml (4)

1-3: FYI: No extra GitHub Actions are required for Dependabot to run.

Dependabot runs as a GitHub service. You only need Actions if you want CI to validate its PRs.


8-11: Stabilize cadence and add helpful metadata for Actions updates.

Set a fixed day/time/timezone and add commit prefix/labels to streamline triage.

   - package-ecosystem: github-actions
     directory: /
     schedule:
-      interval: weekly
+      interval: weekly
+      day: monday
+      time: "06:10"
+      timezone: "Etc/UTC"
+    commit-message:
+      prefix: "deps(actions):"
+    labels:
+      - dependencies
+      - area/ci
+    groups:
+      gha-minor-patch:
+        update-types:
+          - "minor"
+          - "patch"
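
Review bot: The `-      interval: weekly` / `+      interval: weekly` pair at the top of this suggestion removes and re-adds an identical line, so the only real change is the added `day`, `time`, `timezone`, `commit-message`, `labels` and `groups` keys; drop the pair so the suggestion shows just the additions. The `gha-minor-patch` group lists only `minor` and `patch`, so a major bump of an action still arrives as its own PR, which is worth stating so reviewers know which updates are bundled. Before adopting the `labels` list, confirm that `dependencies` and `area/ci` exist in this repository.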

12-15: If images come from private registries, wire Dependabot registries.

Without credentials, Dependabot may not resolve Red Hat or private images. Add registries and reference them here.

   - package-ecosystem: docker
     directory: /
     schedule:
-      interval: weekly
+      interval: weekly
+      day: monday
+      time: "06:20"
+      timezone: "Etc/UTC"
+    registries:
+      - redhat
+      - quay
+    groups:
+      docker-minor-patch:
+        update-types:
+          - "minor"
+          - "patch"
+
+registries:
+  redhat:
+    type: docker-registry
+    url: registry.access.redhat.com
+    username: "${{secrets.DEPENDABOT_RH_USER}}"
+    password: "${{secrets.DEPENDABOT_RH_TOKEN}}"
+  quay:
+    type: docker-registry
+    url: quay.io
+    username: "${{secrets.DEPENDABOT_QUAY_USER}}"
+    password: "${{secrets.DEPENDABOT_QUAY_TOKEN}}"
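
Review bot: The four `${{secrets.DEPENDABOT_*}}` references in the added top-level `registries:` block (the `redhat` and `quay` entries) name secrets that nothing in this PR creates, and the sentence that follows still asks whether the repo pulls from these registries at all. Split the suggestion: keep the schedule and `groups` lines, and add a registry entry only for a registry that is confirmed to require authentication, backed by a read-only pull token stored as a Dependabot secret rather than a personal credential. The `-      interval: weekly` / `+      interval: weekly` pair is again an identical remove and re-add and can be dropped.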

Please confirm whether this repo pulls from registry.access.redhat.com or private Quay orgs so we can finalize secret names.


4-7: Limit Dependabot gomod to direct deps; group minor/patch updates and set schedule/PR limits.

Confirmed single go.mod at repo root — apply to .github/dependabot.yml (replace snippet at lines 4–7):

   - package-ecosystem: gomod
     directory: /
     schedule:
-      interval: weekly
+      interval: weekly
+      day: monday
+      time: "06:00"
+      timezone: "Etc/UTC"
+    open-pull-requests-limit: 10
+    allow:
+      - dependency-type: direct
+    groups:
+      go-minor-patch:
+        update-types:
+          - "minor"
+          - "patch"
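
Review bot: The added `allow` entry with `dependency-type: direct` restricts these updates to modules required directly, so modules that appear in go.mod only as indirect requirements get no version-update PRs from this entry; confirm that is intended and that indirect modules are tracked some other way. `open-pull-requests-limit: 10` is added next to the `go-minor-patch` group, which already folds minor and patch bumps together, so say why the limit of 10 is wanted or leave the key out. The `-      interval: weekly` / `+      interval: weekly` pair is an identical remove and re-add and can be dropped.
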
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between baafb49 and 83b1b7e.

📒 Files selected for processing (1)
  • .github/dependabot.yml (1 hunks)
🔇 Additional comments (1)
.github/dependabot.yml (1)

1-15: Baseline config is valid and a good starting point.

Version, ecosystems, and root directories look correct. This will work as‑is.

@openshift-ci
Contributor

openshift-ci bot commented Oct 24, 2025

@sebrandon1: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
