🤖 This is an automated PR from Repo Assist.
Adds a .github/dependabot.yml configuration to keep dependencies and CI action versions current automatically.
What changed
New file: .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
  - package-ecosystem: "nuget"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
Why
The repository has no automated dependency update mechanism. This means:
- GitHub Actions pins like actions/checkout@v4, actions/setup-dotnet@v4, gittools/actions/gitversion/setup@v4, microsoft/setup-msbuild@v2, softprops/action-gh-release@v2, and azure/trusted-signing-action@v1 could silently drift
- NuGet packages — NSec.Cryptography, coverlet.collector, Microsoft.NET.Test.Sdk, xunit etc. — accumulate security patches unnoticed
With Dependabot enabled, weekly PRs will appear for any available updates. Both ecosystems run on Monday so PRs batch together and are easy to review in a single session.
Trade-offs
- Adds a small ongoing PR review cost (typically 1–3 PRs/week)
- github-actions and nuget ecosystems are both low-risk for this project (no complex dependency graphs)
- Dependabot PRs can be closed/ignored individually if an update is not desired
Test Status
No code changes — no build or test step required. CI will validate on merge.
Generated by 🌈 Repo Assist, see workflow run. Learn more.
To route changes like this to a review issue instead of blocking, configure protected-files: fallback-to-issue in your workflow configuration.
To install this agentic workflow, run
gh aw add githubnext/agentics/workflows/repo-assist.md@97143ac59cb3a13ef2a77581f929f06719c7402a
Warning
Protected Files
This was originally intended as a pull request, but the patch modifies protected files. These files may affect project dependencies, CI/CD pipelines, or agent behaviour. Please review the changes carefully before creating the pull request.
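An added example, not part of the PR or the repository: a small audit that lists every `uses:` reference in a workflow file and classifies how it is pinned, which shows what the github-actions ecosystem entry above would be tracking. The sample workflow, the placeholder SHA and the function names `classify` and `audit` are constructed for illustration; only the action names come from the PR description.

```python
import re
from collections import Counter

# Constructed sample workflow (not the repository's file). Action names are the
# ones listed in the PR description; the 40-hex SHA is a made-up placeholder.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-dotnet@v4   # .NET SDK
      - uses: gittools/actions/gitversion/setup@v4
      - uses: softprops/action-gh-release@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
      - uses: microsoft/setup-msbuild@main
"""

USES_RE = re.compile(r"^[ \t]*(?:-[ \t]*)?uses:[ \t]*['\"]?([^\s'\"#]+)", re.MULTILINE)
FULL_SHA = re.compile(r"[0-9a-f]{40}")
VERSION_TAG = re.compile(r"v?\d+(\.\d+){0,2}")


def classify(ref):
    """Return (action, ref, kind) for one `uses:` value."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return ref, None, "local-or-docker"    # not a repository@ref pin
    action, sep, version = ref.partition("@")
    if not sep:
        return action, None, "unpinned"
    if FULL_SHA.fullmatch(version):
        return action, version, "commit-sha"   # immutable reference
    if VERSION_TAG.fullmatch(version):
        return action, version, "version-tag"  # mutable: a tag can be moved
    return action, version, "branch-or-other"  # mutable: follows a branch


def audit(workflow_text):
    """Classify every `uses:` reference found in the workflow text."""
    return [classify(m.group(1)) for m in USES_RE.finditer(workflow_text)]


if __name__ == "__main__":
    rows = audit(SAMPLE_WORKFLOW)
    for action, version, kind in rows:
        print(f"{kind:16} {action} {version or ''}")
    print(dict(Counter(kind for _, _, kind in rows)))
```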