
Add Dependabot configuration for pip and GitHub Actions#60

Merged
dgenio merged 3 commits into main from copilot/add-dependabot-configuration, Mar 4, 2026

Conversation

Contributor

Copilot AI commented Mar 3, 2026

No automated dependency tracking existed for this repo, leaving both PyPI packages and pinned Actions versions exposed to accumulating security drift.

Changes

  • .github/dependabot.yml — new file with two update configs:
    • pip ecosystem: scans / (picks up pyproject.toml) on a weekly schedule targeting main
    • github-actions ecosystem: scans / (picks up .github/workflows/*.yml) on a weekly schedule targeting main

version: 2
updates:
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
    target-branch: "main"
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    target-branch: "main"
Original prompt

This section details the original issue you should resolve

<issue_title>Add Dependabot configuration for dependency and Actions security</issue_title>
<issue_description>## Category
code-quality | Priority: P2 | Effort: S (< 1 day)

Context

No dependency scanning or automated update mechanism exists in this repository. While the current dependency footprint is small (only pydantic>=2.0 at runtime), both pip dependencies and GitHub Actions versions should be kept up-to-date automatically to prevent security vulnerabilities from accumulating.

Evidence:

  • No .github/dependabot.yml exists
  • pyproject.toml declares pydantic>=2.0 (runtime) and pytest>=7.0 (dev)
  • .github/workflows/ci.yml and .github/workflows/publish.yml use pinned Actions (actions/checkout@v4, actions/setup-python@v5, etc.)

What to do

Create .github/dependabot.yml with two ecosystems:

1. pip ecosystem

  • Monitor pyproject.toml for dependency updates
  • Weekly schedule
  • Target branch: main

2. github-actions ecosystem

  • Monitor .github/workflows/ for Action version updates
  • Weekly schedule
  • Target branch: main

Implementation steps

  1. Create .github/dependabot.yml with the following structure:
    version: 2
    updates:
      - package-ecosystem: "pip"
        directory: "/"
        schedule:
          interval: "weekly"
      - package-ecosystem: "github-actions"
        directory: "/"
        schedule:
          interval: "weekly"
  2. Verify the file is valid YAML and follows Dependabot config schema

Definition of Done

  • .github/dependabot.yml exists with pip and github-actions ecosystems
  • Weekly update schedule configured for both
  • File passes YAML validation

Dependencies

None — this is a standalone configuration change.

Execution order

Issue 1 of 7 — quickest win, config-only, no code changes.


Related issues: Part of the P4 initiative to improve both AI-agent readiness and SWE best practices.</issue_description>

Comments on the Issue (you are @copilot in this section)



Co-authored-by: dgenio <12731907+dgenio@users.noreply.github.com>
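The issue's second implementation step asks that the file "follows Dependabot config schema", and the Definition of Done requires both the pip and github-actions ecosystems to be present. The validator below is an added example, not code from this PR or the repository: it checks the schema subset the configuration above uses (version 2, a non-empty updates list, a recognised package-ecosystem, a directory rooted at "/", a daily/weekly/monthly schedule interval, and an optional string target-branch) and reports every problem rather than stopping at the first. Parsing YAML text is delegated to PyYAML, which is assumed to be installed; the validation itself runs on the already-parsed mapping so it works without it.

```python
"""Validate a Dependabot v2 configuration (the schema subset this PR uses).

Added example, not part of the PR or the repository. The validator works on
the parsed mapping; load_and_validate() additionally parses YAML text and
assumes PyYAML is available.
"""
from __future__ import annotations

# Ecosystem names Dependabot accepts (a subset that is enough for this
# repository; Dependabot's full list is longer).
KNOWN_ECOSYSTEMS = {
    "pip", "github-actions", "npm", "docker", "cargo", "gomod", "maven", "bundler",
}
INTERVALS = {"daily", "weekly", "monthly"}


def validate_dependabot(config: object) -> list[str]:
    """Return every problem found; an empty list means the config is valid."""
    problems: list[str] = []
    if not isinstance(config, dict):
        return ["top level must be a mapping"]
    if config.get("version") != 2:
        problems.append("version must be 2")
    updates = config.get("updates")
    if not isinstance(updates, list) or not updates:
        problems.append("updates must be a non-empty list")
        return problems
    for i, entry in enumerate(updates):
        where = f"updates[{i}]"
        if not isinstance(entry, dict):
            problems.append(f"{where}: must be a mapping")
            continue
        eco = entry.get("package-ecosystem")
        if eco not in KNOWN_ECOSYSTEMS:
            problems.append(f"{where}: unknown package-ecosystem {eco!r}")
        directory = entry.get("directory")
        if not isinstance(directory, str) or not directory.startswith("/"):
            problems.append(f"{where}: directory must be a path starting with '/'")
        schedule = entry.get("schedule")
        if not isinstance(schedule, dict) or schedule.get("interval") not in INTERVALS:
            problems.append(f"{where}: schedule.interval must be one of {sorted(INTERVALS)}")
        branch = entry.get("target-branch")
        if branch is not None and not isinstance(branch, str):
            problems.append(f"{where}: target-branch must be a string")
    return problems


def covers_ecosystems(config: dict, required: set[str]) -> bool:
    """True when every required ecosystem has at least one update entry
    (the Definition of Done asks for pip and github-actions)."""
    present = {
        e.get("package-ecosystem")
        for e in config.get("updates", [])
        if isinstance(e, dict)
    }
    return required <= present


def load_and_validate(text: str) -> list[str]:
    """Parse YAML text (assumes PyYAML) and validate it; a parse failure is
    reported as a problem instead of raising."""
    try:
        import yaml  # assumption: PyYAML is installed
    except ImportError:
        return ["PyYAML not installed: cannot parse YAML text"]
    try:
        config = yaml.safe_load(text)
    except yaml.YAMLError as exc:
        return [f"invalid YAML: {exc}"]
    return validate_dependabot(config)


# Constructed sample: the configuration this PR adds, as a parsed mapping.
SAMPLE_CONFIG = {
    "version": 2,
    "updates": [
        {"package-ecosystem": "pip", "directory": "/",
         "schedule": {"interval": "weekly"}, "target-branch": "main"},
        {"package-ecosystem": "github-actions", "directory": "/",
         "schedule": {"interval": "weekly"}, "target-branch": "main"},
    ],
}

# Constructed sample of a broken config: wrong version, relative directory,
# unsupported interval. Each mistake produces its own problem line.
BROKEN_CONFIG = {
    "version": 1,
    "updates": [
        {"package-ecosystem": "pip", "directory": "src",
         "schedule": {"interval": "fortnightly"}},
    ],
}

if __name__ == "__main__":
    print("sample valid:", validate_dependabot(SAMPLE_CONFIG) == [])
    print("covers pip+actions:", covers_ecosystems(SAMPLE_CONFIG, {"pip", "github-actions"}))
    for problem in validate_dependabot(BROKEN_CONFIG):
        print("broken:", problem)
```

Running this in CI (for example as a small step before the workflow that uses the file) catches a mistyped ecosystem name or a relative directory before Dependabot silently skips the entry; Dependabot itself only surfaces such errors in the repository's Dependabot logs, which are easy to miss.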
Copilot AI changed the title [WIP] Add Dependabot configuration for dependencies and Actions security Add Dependabot configuration for pip and GitHub Actions Mar 3, 2026
@dgenio dgenio requested a review from Copilot March 3, 2026 23:29

Copilot AI left a comment


Pull request overview

Adds Dependabot configuration so the repository automatically tracks and updates Python (pip/pyproject) dependencies and pinned GitHub Actions versions on a weekly cadence, reducing security and maintenance drift.

Changes:

  • Added .github/dependabot.yml with weekly update checks for the pip ecosystem (root pyproject.toml).
  • Added .github/dependabot.yml with weekly update checks for the github-actions ecosystem (workflows under .github/workflows/).
  • Targets Dependabot PRs to the main branch.


@dgenio dgenio marked this pull request as ready for review March 4, 2026 05:44
@dgenio dgenio merged commit 5724257 into main Mar 4, 2026
5 checks passed
@dgenio dgenio deleted the copilot/add-dependabot-configuration branch March 4, 2026 05:44
Successfully merging this pull request may close these issues.

Add Dependabot configuration for dependency and Actions security