chore: enable Dependabot for actions + Renovate for everything else#2
Conversation
Mirrors the composer-agent-skill-plugin sibling: Dependabot batches github-actions bumps weekly; Renovate handles npm/devDeps with config:recommended. SECURITY.md and CODEOWNERS continue to come from the netresearch/.github org-default repo. Signed-off-by: Sebastian Mendel <sebastian.mendel@netresearch.de>
Code Review
This pull request introduces automated dependency management by adding configurations for Dependabot and Renovate. Dependabot is configured to track GitHub Actions updates, while Renovate is initialized with its recommended configuration. A review comment points out a potential conflict where both tools might attempt to manage GitHub Actions simultaneously, suggesting a configuration change to Renovate to avoid duplicate pull requests.
Pull request overview
This PR adds automated dependency management to the repository by introducing Dependabot for GitHub Actions updates and Renovate for the rest of the dependency surface. That fits the existing Node/npm setup and the repository’s pinned GitHub Actions workflows.
Changes:
- Add `.github/dependabot.yml` to check GitHub Actions dependencies weekly and group them into a single update stream.
- Add `renovate.json` with `config:recommended` to enable Renovate-based dependency updates for the repository.
- Align dependency automation with the approach described in the PR summary and sibling-repo precedent.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| `renovate.json` | Adds base Renovate configuration for repository dependency updates. |
| `.github/dependabot.yml` | Adds Dependabot scheduling/grouping for GitHub Actions workflow dependencies. |
The coordinator scans every installed package for either an `aiAgentSkill` field or the `ai-agent-skill` keyword (the convention-based opt-in for packages that just drop a `SKILL.md` at the root). Carrying that same keyword on the coordinator's own `package.json` caused the scanner to treat the coordinator as a skill package, look for `SKILL.md`, fail to find one, and emit a warning on every install: `warning: [@netresearch/agent-skill-coordinator] SKILL.md not found at 'SKILL.md'. Expected SKILL.md in package root (convention).` The keyword is reserved for packages that actually contain a skill. Other keywords (`ai-agent`, `agent-skill`, `skill-coordinator`, `anthropic`, `claude-code`, `agents-md`) still cover npm-search discoverability for this package. Signed-off-by: Sebastian Mendel <sebastian.mendel@netresearch.de>
…lone Both Copilot and Gemini caught the same issue on the original PR: config:recommended enables Renovate's github-actions manager, so Dependabot and Renovate would fight over the same workflow files. Disabling github-actions in Renovate makes the split match the PR's stated intent — Dependabot for actions, Renovate for the rest. Signed-off-by: Sebastian Mendel <sebastian.mendel@netresearch.de>
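The `renovate.json` shape that the commit above describes, written out here as an added example rather than a copy of the file in the PR (the `$schema` line is an assumption for editor validation; the PR text itself only states `config:recommended` plus the disabled `github-actions` manager):

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "github-actions": {
    "enabled": false
  }
}
```

Renovate's managers, including `github-actions`, are on by default, so a file containing only `"extends": ["config:recommended"]` still lets Renovate open PRs against `.github/workflows/*.yml`; the manager-level `"enabled": false` is what hands those files to Dependabot so the two bots do not race each other on the same pinned action references. The `renovate-config-validator` binary shipped in the `renovate` npm package checks the file for unknown keys before it is merged.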
Patch release: ships the keyword-on-coordinator fix from #2 (the false 'SKILL.md not found' warning that fired against the coordinator package itself when installed alongside any real skill package), plus the dependabot/renovate setup, idempotency-probe correction, and the ruleset/workflow-perms hardening that landed since v0.1.1. Signed-off-by: Sebastian Mendel <sebastian.mendel@netresearch.de>
Summary
- `.github/dependabot.yml` — weekly grouped github-actions updates (matches composer-agent-skill-plugin precedent).
- `renovate.json` — `config:recommended` for everything else (npm devDeps, etc.).
- `ai-agent-skill` keyword from the coordinator's own `package.json`. The keyword is the convention-based opt-in marker for skill packages; carrying it on the coordinator caused every install to emit `SKILL.md not found at 'SKILL.md'` against itself. Caught during a real-world install test against `@netresearch/git-workflow-skill`.
- SECURITY.md and CODEOWNERS continue to come from the netresearch/.github org-default repo, also matching the sibling repo.
Test plan