From 8a6a13669c52f58987844b5ce2fbec2d1feb9e5e Mon Sep 17 00:00:00 2001 From: Jaison Paul Date: Wed, 29 Apr 2026 14:28:03 -0400 Subject: [PATCH 1/2] fix(deps): consolidate dependabot uv ecosystem to single workspace root The previous configuration listed every uv workspace member as its own `directories:` entry. Dependabot would then open separate PRs for each member's pyproject.toml without refreshing the root python/uv.lock, causing CI to fail later when Docker runs `uv sync --locked`. In a uv workspace, only the workspace root owns the lockfile; members have a pyproject.toml only. Dependabot's native uv ecosystem already discovers members through the root pyproject.toml's [tool.uv.workspace] section, so a single `directory: /python` entry covers all members and updates the root lockfile in the same PR. Also adopt orthogonal Dependabot improvements: - Group OpenTelemetry and Google AI dependency families so lockstep Python updates land in a single PR instead of fragmenting. - Add `applies-to: version-updates` to the python groups so security updates remain ungrouped. - Ignore semver-major /ui npm updates so known-breaking major frontend bumps stop opening standalone PRs; minor/patch still flow. Signed-off-by: Jaison Paul
---
.github/dependabot.yml | 43 +++++++++++++++++++++++++++++++----------- 1 file changed, 32 insertions(+), 11 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index c04c0ef94..f9734858a 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -48,18 +48,15 @@ updates: - "minor" - "patch" - # Python (uv) — workspace root and all packages + # Python (uv) — single workspace root. + # Dependabot's native `uv` ecosystem detects workspace members through + # python/pyproject.toml's [tool.uv.workspace] section and updates the + # root python/uv.lock alongside any member's pyproject.toml in the + # same PR. Listing each member as its own directory caused Dependabot + # to open per-member PRs that did not refresh the root lockfile, + # which then failed `uv sync --locked` in CI. - package-ecosystem: "uv" - directories: - - "/python" - - "/python/packages/kagent-adk" - - "/python/packages/kagent-core" - - "/python/packages/kagent-skills" - - "/python/packages/kagent-crewai" - - "/python/packages/kagent-langgraph" - - "/python/packages/kagent-openai" - - "/python/packages/agentsts-core" - - "/python/packages/agentsts-adk" + directory: "/python" schedule: interval: "weekly" day: "monday" @@ -73,7 +70,24 @@ updates: - "peterj" - "yuval-k" groups: + python-opentelemetry: + applies-to: version-updates + patterns: + - "opentelemetry-*" + update-types: + - "minor" + - "patch" + python-google-ai: + applies-to: version-updates + patterns: + - "google-adk" + - "google-genai" + - "google-auth" + update-types: + - "minor" + - "patch" python-minor-patch: + applies-to: version-updates patterns: - "*" update-types: @@ -93,6 +107,13 @@ updates: prefix: "chore(deps):" reviewers: - "peterj" + ignore: + # Suppress major UI dependency bumps (e.g., Next.js, React) until + # the frontend is ready for those migrations. Minor/patch updates + # still flow through via the npm-minor-patch group below. + - dependency-name: "*" + update-types: + - "version-update:semver-major" groups: npm-minor-patch: patterns: From 0f8cbd21397c3beaf02773f2792c4c5cabd0ec28 Mon Sep 17 00:00:00 2001 
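Review bot: The new comment above `directory: "/python"` states workspace-member discovery as settled fact, but the change removes nine explicit paths without anything that confirms every member is still scanned. If discovery misses a member (I have not verified how complete Dependabot's uv workspace handling is), dependencies declared only in that member's pyproject.toml would quietly stop getting update PRs, which is much harder to notice than the failing `uv sync --locked` this change fixes. I would compare the first Dependabot update log after merge against the removed list and record the outcome in the comment, e.g. `# Verified <DATE-PLACEHOLDER>: update log lists every workspace member.`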
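Review bot: The `groups:` block in the second hunk relies on ordering that nothing in the file explains: Dependabot assigns a dependency to the first group whose patterns match, so `python-opentelemetry` and `python-google-ai` only take effect because they sit above the `"*"` pattern of `python-minor-patch`. A later re-sort, or a new group appended below the catch-all, would never match and nothing would report it. I would add a comment directly under `groups:`, `# Order matters: first matching group wins; keep python-minor-patch ("*") last.` Separately, `google-auth` handles credentials and is grouped with two SDKs, so a CI failure caused by either SDK holds back its minor/patch bump in the same PR; that trade-off may deserve a line in the comment too.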
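Review bot: The wildcard `ignore` on `version-update:semver-major` added for `/ui` in the third hunk has no owner or revisit point, so after it lands nothing will surface that a frontend dependency has moved to a new major, including when the major in use leaves upstream support. The comment names Next.js and React as the motivation; if those are the only known-breaking bumps, scoping `dependency-name` to those packages instead of `"*"` keeps major PRs flowing for everything else. As far as I recall from the Dependabot documentation, `update-types` ignores do not suppress security updates, and the comment should state that once confirmed, e.g. `# Security updates are unaffected by this ignore; revisit majors under <ISSUE-PLACEHOLDER>.`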
From: Jaison Paul Date: Wed, 29 Apr 2026 15:06:39 -0400 Subject: [PATCH 2/2] chore: retrigger ci Previous run hit a transient Alpine mirror failure (`xz-5.8.3-r1: temporary error`) during `apk add` in the `golang-adk-full` build step, unrelated to this PR's diff. Signed-off-by: Jaison Paul