From 937dbd042284e90333423441f5a41dbebb6b68f0 Mon Sep 17 00:00:00 2001 From: Sebastian Mendel Date: Sat, 2 May 2026 10:27:50 +0200 Subject: [PATCH 1/3] chore: enable Dependabot for actions + Renovate for everything else Mirrors the composer-agent-skill-plugin sibling: Dependabot batches github-actions bumps weekly; Renovate handles npm/devDeps with config:recommended. SECURITY.md and CODEOWNERS continue to come from the netresearch/.github org-default repo. Signed-off-by: Sebastian Mendel --- .github/dependabot.yml | 10 ++++++++++ renovate.json | 6 ++++++ 2 files changed, 16 insertions(+) create mode 100644 .github/dependabot.yml create mode 100644 renovate.json diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..6c5049e --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,10 @@ +version: 2 +updates: + - package-ecosystem: github-actions + directory: / + schedule: + interval: weekly + groups: + github-actions: + patterns: + - "*" diff --git a/renovate.json b/renovate.json new file mode 100644 index 0000000..5db72dd --- /dev/null +++ b/renovate.json @@ -0,0 +1,6 @@ +{ + "$schema": "https://docs.renovatebot.com/renovate-schema.json", + "extends": [ + "config:recommended" + ] +} From 6e842c835813dfa799521cbc3ee3ea046d3e8ebd Mon Sep 17 00:00:00 2001 From: Sebastian Mendel Date: Sat, 2 May 2026 10:30:00 +0200 Subject: [PATCH 2/3] fix(pkg): drop 'ai-agent-skill' keyword from coordinator's own keywords The coordinator scans every installed package for either an aiAgentSkill field or the 'ai-agent-skill' keyword (the convention-based opt-in for packages that just drop a SKILL.md at the root). Carrying that same keyword on the coordinator's own package.json caused the scanner to treat the coordinator as a skill package, look for SKILL.md, fail to find one, and emit a warning on every install: warning: [@netresearch/agent-skill-coordinator] SKILL.md not found at 'SKILL.md'. Expected SKILL.md in package root (convention). The keyword is reserved for packages that actually contain a skill. Other keywords (ai-agent, agent-skill, skill-coordinator, anthropic, claude-code, agents-md) still cover npm-search discoverability for this package. Signed-off-by: Sebastian Mendel --- package.json | 1 - 1 file changed, 1 deletion(-) diff --git a/package.json b/package.json index 6b237f3..69c56d2 100644 --- a/package.json +++ b/package.json @@ -16,7 +16,6 @@ "keywords": [ "ai-agent", "agent-skill", - "ai-agent-skill", "skill-coordinator", "anthropic", "claude-code", From 542d98c086d657b59c87f6b3a54298eab62f9c7e Mon Sep 17 00:00:00 2001 From: Sebastian Mendel Date: Sat, 2 May 2026 10:31:09 +0200 Subject: [PATCH 3/3] fix(renovate): disable github-actions manager so Dependabot owns it alone MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Both Copilot and Gemini caught the same issue on the original PR: config:recommended enables Renovate's github-actions manager, so Dependabot and Renovate would fight over the same workflow files. Disabling github-actions in Renovate makes the split match the PR's stated intent — Dependabot for actions, Renovate for the rest. Signed-off-by: Sebastian Mendel --- renovate.json | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/renovate.json b/renovate.json index 5db72dd..faeb991 100644 --- a/renovate.json +++ b/renovate.json @@ -2,5 +2,8 @@ "$schema": "https://docs.renovatebot.com/renovate-schema.json", "extends": [ "config:recommended" - ] + ], + "github-actions": { + "enabled": false + } }