
Add Dependabot configuration for dependency security scanning [Generated by gurnben's Agent]#13

Open
gurnben wants to merge 1 commit into openshift-online:main from gurnben:add-dependabot

Conversation


@gurnben gurnben commented Apr 20, 2026

Summary

Adds Dependabot configuration for automated dependency security scanning and update PRs.

Ecosystems configured

GitHub Actions, Go modules

AgentReady Score Impact

This PR is part of an organization-wide initiative to improve AI-assisted development readiness across openshift-online, measured by AgentReady (v2.31.2).

Metric                   Value
Current score            51.9/100 (Bronze)
This PR                  +5 points
Score after this PR      57/100 (Bronze)
All open PRs combined    +12 points, 64/100 (Silver)

Attributes addressed by this PR

  • Dependency Security Scanning (+5)

Context

This matches the pattern already used by ocm-cli. Dependabot will:

  • Monitor dependencies for known security vulnerabilities (CVEs)
  • Create PRs to update vulnerable dependencies
  • Run weekly checks for new dependency versions
  • Respect the configured PR limits to prevent notification overload

Testing

  • No functional code changes — configuration only

🤖 This PR was generated by an AI agent (Claude) as part of an organization-wide initiative to improve AI-assisted development readiness across openshift-online. The agent assessed all 32 public repositories using AgentReady, identified improvement opportunities, generated the changes, and opened this PR. All commits are GPG-signed by @gurnben.
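The description lists the two ecosystems being configured. As an added check that is not part of this PR or of the OpenDispatch project, the script below compares the `updates` entries of a Dependabot v2 config with the dependency manifests actually present in a repository tree, so an ecosystem that has a manifest but no `updates` entry is reported before the config is merged. The repository layout, the module name and the two-entry config are constructed for the example; the line-based reader of `package-ecosystem` / `directory` keys is a deliberate simplification (an assumption, to avoid a PyYAML dependency) and handles only the flat layout Dependabot configs use.

```python
"""Report dependency manifests that a Dependabot v2 config does not cover.

Constructed example; not the PR's file and not project code. The reader of the
`updates:` list is line-based and only understands the flat
`package-ecosystem` / `directory` keys (assumption made to avoid a YAML dependency).
"""
import re
import tempfile
from pathlib import Path

# Manifest file name -> Dependabot package-ecosystem value (subset; assumption).
MANIFESTS = {
    "go.mod": "gomod",
    "package.json": "npm",
    "requirements.txt": "pip",
    "Cargo.toml": "cargo",
    "Dockerfile": "docker",
}
# Directories whose manifests belong to installed dependencies, not the project.
SKIP_DIRS = {"node_modules", "vendor", ".git"}

# Two-entry config as the PR description and reviews describe it (constructed).
DEPENDABOT_TWO_ECOSYSTEMS = """\
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
"""

_ITEM = re.compile(r"^\s*-\s+(.*)$")                         # "  - key: value"
_KEY = re.compile(r'^\s*(package-ecosystem|directory):\s*"?([^"\s#]+)"?')


def expected_ecosystems(repo: Path) -> set[tuple[str, str]]:
    """Ecosystems implied by the manifests found in the tree, as (ecosystem, directory)."""
    found: set[tuple[str, str]] = set()
    for path in repo.rglob("*"):
        rel = path.relative_to(repo)
        if any(part in SKIP_DIRS for part in rel.parts):
            continue
        if path.is_file() and path.name in MANIFESTS:
            directory = "/" if rel.parent == Path(".") else "/" + rel.parent.as_posix()
            found.add((MANIFESTS[path.name], directory))
    # Workflow files imply the github-actions ecosystem, always rooted at "/".
    workflows = repo / ".github" / "workflows"
    if workflows.is_dir() and any(workflows.glob("*.y*ml")):
        found.add(("github-actions", "/"))
    return found


def configured_ecosystems(config_text: str) -> set[tuple[str, str]]:
    """(ecosystem, directory) pairs declared under `updates:` in a dependabot.yml."""
    entries: list[dict[str, str]] = []
    current: dict[str, str] | None = None
    in_updates = False
    for raw in config_text.splitlines():
        if raw.strip() == "updates:":
            in_updates = True
            continue
        if not in_updates:
            continue
        item = _ITEM.match(raw)
        if item:                      # a dash starts a new updates entry
            current = {}
            entries.append(current)
            raw = item.group(1)       # the first key shares the dash's line
        key = _KEY.match(raw)
        if key and current is not None:
            current[key.group(1)] = key.group(2)
    return {(e["package-ecosystem"], e.get("directory", "/"))
            for e in entries if "package-ecosystem" in e}


def coverage_gaps(repo: Path, config_text: str) -> list[tuple[str, str]]:
    """Manifests present in the repo that no `updates` entry scans."""
    return sorted(expected_ecosystems(repo) - configured_ecosystems(config_text))


def build_sample_repo() -> Path:
    """Throwaway tree mirroring the layout the PR and reviews describe (constructed):
    Go module at the root, Vue frontend under frontend/, CI workflows."""
    root = Path(tempfile.mkdtemp(prefix="dependabot-check-"))
    (root / "go.mod").write_text("module example.com/sample\n\ngo 1.22\n")
    (root / "frontend").mkdir()
    (root / "frontend" / "package.json").write_text('{"name": "frontend", "private": true}\n')
    # Installed dependency manifests must not be mistaken for project manifests.
    (root / "frontend" / "node_modules" / "left-pad").mkdir(parents=True)
    (root / "frontend" / "node_modules" / "left-pad" / "package.json").write_text("{}\n")
    (root / ".github" / "workflows").mkdir(parents=True)
    (root / ".github" / "workflows" / "ci.yml").write_text("on: [push]\njobs: {}\n")
    return root


def demo() -> list[tuple[str, str]]:
    """Run the check against the sample tree and the two-entry config."""
    return coverage_gaps(build_sample_repo(), DEPENDABOT_TWO_ECOSYSTEMS)


if __name__ == "__main__":
    for ecosystem, directory in demo():
        print(f"missing updates entry: package-ecosystem {ecosystem!r}, directory {directory!r}")
```

Run against the sample tree, the check reports the single uncovered pair `("npm", "/frontend")`; appending an `updates` entry for that ecosystem and directory makes the gap list empty. In a real repository the `MANIFESTS` table would be extended to whatever package managers the project uses.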

@tiwillia-ai-bot
Contributor

Review Summary

Overall: CONCERNS

Severity        Count
Critical        0
Concern         2
Informational   6

Both reviewers converge on the same primary concern: the npm/frontend ecosystem is absent from the Dependabot configuration, despite OpenDispatch maintaining a Vue 3 + TypeScript frontend with its own package.json under frontend/. This leaves the frontend supply chain unscanned and partially defeats the stated goal of comprehensive dependency vulnerability coverage. Adding a third updates entry with package-ecosystem: "npm" and directory: "/frontend" would close this gap. Outside of that omission, the configuration is syntactically valid, correctly structured per the Dependabot v2 schema, and follows the pattern of peer projects like ocm-cli. The informational notes (labels, commit-message prefixes, schedule timing) are ergonomic enhancements — none are required to merge.


General

Verdict: CONCERNS — The configuration correctly enables Dependabot for GitHub Actions and Go modules, but omits the Vue/npm frontend ecosystem that the project explicitly maintains, leaving a gap in the stated security coverage goal.

Details

Findings

  • [CONCERN] .github/dependabot.yml:1-12 — The project includes a Vue 3 + TypeScript frontend under frontend/ with npm dependencies. Only gomod and github-actions are configured; a third entry for package-ecosystem: "npm" with directory: "/frontend" is missing. The motivation for this PR is a security assessment that flagged absent vulnerability scanning — omitting npm leaves that gap open for the frontend supply chain.

  • [INFO] .github/dependabot.yml:7 — open-pull-requests-limit: 5 for github-actions is conservative and reasonable. GitHub Actions dependencies tend to be low-churn, so five is unlikely to be a bottleneck.

  • [INFO] .github/dependabot.yml:11 — open-pull-requests-limit: 10 for gomod is on the higher end. For an active Go project this is fine, but the team should be prepared to triage that volume. The ocm-cli precedent cited in the PR description may set a reasonable baseline here.

  • [INFO] .github/dependabot.yml:5,10 — Both entries use interval: "weekly". A day: and time: qualifier (e.g., Monday morning UTC) is optional but can smooth PR load if the team prefers predictable batch days. This is purely ergonomic and requires no action.

Positive

  • The addition of github-actions scanning is valuable and often overlooked — Dependabot will surface stale pinned Action SHAs automatically, which is a meaningful supply-chain hardening step.
  • Structuring the file with two discrete updates entries (one per ecosystem) rather than a single catch-all is the correct Dependabot v2 pattern and will be easy to extend.

Tmux Backend

Skipped — change does not touch this reviewer's scope.


Ambient Backend

Skipped — change does not touch this reviewer's scope.


Quality

Verdict: CONCERNS — The Dependabot configuration is structurally correct and meaningfully improves security posture, but the npm ecosystem is absent despite the project having a Vue/npm frontend, leaving a meaningful gap in dependency coverage.

Details

Findings

  • [CONCERN] .github/dependabot.yml:1-12 — The configuration covers github-actions and gomod but omits npm. The codebase includes a Vue 3 frontend (frontend/src/) with its own package.json. Without an npm ecosystem entry, frontend transitive dependencies (Vite, vue-tsc, Playwright, and any runtime libs) receive no automated vulnerability scanning. Adding a third block with package-ecosystem: "npm", directory: "/frontend", and a weekly schedule would close this gap.

  • [INFO] .github/dependabot.yml:1-12 — No assignees, reviewers, or labels are configured. Adding labels: ["dependencies"] per ecosystem would make Dependabot PRs easier to filter in the GitHub PR list. Not required to merge.

  • [INFO] .github/dependabot.yml:1-12 — No commit-message prefix is configured. If OpenDispatch uses conventional commits, adding commit-message: { prefix: "chore" } per ecosystem would keep the history consistent.

  • [INFO] .github/dependabot.yml:11 — open-pull-requests-limit: 10 for gomod is on the generous side; if the Go module graph is large this could generate significant PR noise. Worth revisiting once the first batch of PRs lands.

Positive

  • The YAML is syntactically valid and follows the Dependabot v2 schema correctly: version: 2, each entry has the required package-ecosystem, directory, and schedule.interval fields.
  • Separating github-actions from gomod with distinct PR limits is the right approach — it keeps CI workflow updates distinct from library bumps and allows independent throttling.
  • Choosing weekly rather than daily is a sensible default for a project of this size; it balances security freshness against PR noise.
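Both reviews converge on one change: a third `updates` entry for the frontend. As an added example, not the PR's own file, the configuration below carries the two ecosystems the PR describes (GitHub Actions with a limit of 5, Go modules with a limit of 10, both weekly) plus the `npm` entry for `/frontend` and the optional `labels`, `commit-message` prefix and `day`/`time` qualifiers the reviews suggest. The Monday 06:00 UTC slot and the `chore` prefix are assumptions taken from the reviewers' suggestions, not project conventions.

```yaml
# Added example of a Dependabot v2 config with the reviewers' suggested third
# entry. Ecosystems, directories and limits follow the PR and review text;
# day/time, labels and the commit prefix are assumptions from the review's
# optional suggestions.
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"                 # workflow files live under .github/workflows
    schedule:
      interval: "weekly"
      day: "monday"                # optional: predictable batch day (assumption)
      time: "06:00"
      timezone: "Etc/UTC"
    open-pull-requests-limit: 5
    labels: ["dependencies"]
    commit-message:
      prefix: "chore"

  - package-ecosystem: "gomod"
    directory: "/"                 # go.mod at the repository root
    schedule:
      interval: "weekly"
      day: "monday"
      time: "06:00"
      timezone: "Etc/UTC"
    open-pull-requests-limit: 10
    labels: ["dependencies"]
    commit-message:
      prefix: "chore"

  # Entry both reviews flag as missing: the Vue 3 + TypeScript frontend keeps
  # its own package.json under frontend/, so without this block its npm supply
  # chain (Vite, vue-tsc, Playwright, runtime libraries) is never scanned.
  - package-ecosystem: "npm"
    directory: "/frontend"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "06:00"
      timezone: "Etc/UTC"
    labels: ["dependencies"]
    commit-message:
      prefix: "chore"
```

The `directory` value is the path that contains the manifest, relative to the repository root, so `/frontend` points Dependabot at `frontend/package.json` while the two root entries keep scanning `go.mod` and the workflow files. The npm entry leaves `open-pull-requests-limit` at Dependabot's default since the reviews do not discuss a value for it.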

@gurnben gurnben requested a review from tiwillia April 20, 2026 18:31
@gurnben gurnben changed the title Add Dependabot configuration for dependency security scanning Add Dependabot configuration for dependency security scanning [Generated by gurnben's Agent] Apr 21, 2026