fix(deps): consolidate dependabot uv ecosystem to single workspace root #1777
Closed
jsonmp-k8 wants to merge 1 commit into kagent-dev:main from
Conversation
The previous configuration listed every uv workspace member as its own `directories:` entry. Dependabot would then open separate PRs for each member's pyproject.toml without refreshing the root python/uv.lock, causing CI to fail later when Docker runs `uv sync --locked`.

In a uv workspace, only the workspace root owns the lockfile; members have a pyproject.toml only. Dependabot's native uv ecosystem already discovers members through the root pyproject.toml's [tool.uv.workspace] section, so a single `directory: /python` entry covers all members and updates the root lockfile in the same PR.

Also adopt the orthogonal Dependabot improvements that were bundled into the prior approach:
- Group OpenTelemetry and Google AI dependency families so lockstep Python updates land in a single PR instead of fragmenting across many.
- Add `applies-to: version-updates` to the python groups so security updates remain ungrouped.
- Ignore semver-major /ui npm updates so known-breaking major frontend bumps stop opening standalone PRs; minor/patch still flow.

Signed-off-by: Jaison Paul <paul.jaison@gmail.com>
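The shape the commit message describes, written out as an added example of a `.github/dependabot.yml` (this is not the repository's actual file; the member paths, group names and dependency patterns are assumptions chosen to match the description). The old per-member `directories:` layout is kept as a comment for contrast; only the entries below it are live:

```yaml
# .github/dependabot.yml -- added example, not the project's own file.
version: 2
updates:
  # BEFORE (what this PR replaces): one entry per uv workspace member.
  # A member only has a pyproject.toml, so a bump here leaves python/uv.lock
  # stale and `uv sync --locked` fails later in Docker.
  # - package-ecosystem: "uv"
  #   directories:
  #     - "/python"
  #     - "/python/packages/member-a"   # member paths: assumptions
  #     - "/python/packages/member-b"
  #   schedule:
  #     interval: "weekly"

  # AFTER: one entry at the workspace root. Dependabot reads
  # [tool.uv.workspace] from /python/pyproject.toml, finds the members
  # itself, and refreshes python/uv.lock in the same PR.
  - package-ecosystem: "uv"
    directory: "/python"
    schedule:
      interval: "weekly"
    groups:
      # Lockstep families land as a single PR instead of many.
      # applies-to: version-updates keeps security updates ungrouped.
      opentelemetry:
        applies-to: version-updates
        patterns:
          - "opentelemetry-*"          # pattern: assumption
      google-ai:
        applies-to: version-updates
        patterns:
          - "google-*"                 # pattern: assumption

  - package-ecosystem: "npm"
    directory: "/ui"
    schedule:
      interval: "weekly"
    ignore:
      # Known-breaking major frontend bumps stop opening standalone PRs;
      # minor and patch updates still flow.
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
```

Note that `groups` with `applies-to: version-updates` leaves Dependabot security updates to arrive one dependency per PR, which is usually what you want for triage; the `ignore` block on `/ui` only suppresses semver-major version updates, not security updates.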
Contributor
Pull request overview
This PR updates the repo’s Dependabot configuration to better align with how uv workspaces manage lockfiles, ensuring Dependabot refreshes python/uv.lock alongside member pyproject.toml updates, while also improving dependency grouping/ignores.
Changes:
- Switch the `uv` Dependabot config to a single workspace-root `directory: /python` so workspace-member updates also update the root `python/uv.lock`.
- Add Dependabot groups for OpenTelemetry and Google AI Python dependencies, and scope Python grouping to version updates only (`applies-to: version-updates`).
- Ignore semver-major npm updates for `/ui` to suppress known-breaking major frontend upgrade PRs.
Summary
- Replace the `directories:` list under `package-ecosystem: uv` with a single `/python` entry so Dependabot uses the root `[tool.uv.workspace]` to discover members and refreshes `python/uv.lock` in the same PR
- Add `applies-to: version-updates` to the Python groups so security updates remain ungrouped
- Ignore semver-major `/ui` npm bumps so known-breaking major frontend upgrades stop opening standalone PRs

Why
Currently Dependabot opens separate PRs for each workspace member's `pyproject.toml` without refreshing the root `python/uv.lock`. Those PRs then fail CI when Docker runs `uv sync --locked`.

In a `uv` workspace the lockfile lives only at the workspace root; members have only a `pyproject.toml`. Dependabot's native `uv` ecosystem already discovers workspace members through the root `[tool.uv.workspace]` section, so a single `directory: /python` entry covers every member and updates the root lockfile alongside any member manifest in the same PR — no separate workflow or write-back step needed.

This replaces #1756, which did the same job via a `pull_request_target` workflow that ran `uv lock` and pushed back to Dependabot's branch. The reviewer flagged that handoff as undesirable; this approach removes it entirely while keeping the orthogonal grouping and ignore improvements that PR introduced.

Verification
- `ruby -e 'require "yaml"; YAML.load_file(".github/dependabot.yml")'` (parses cleanly)
- `python/pyproject.toml` (or a member's) and `python/uv.lock` updated together.

cc @EItanya