ci(dependabot): move config to canonical path GitHub reads (closes #235)

[cagataycali]

Closes #235.

Problem

.github/workflows/dependabot.yml lives in the wrong directory. Dependabot reads only .github/dependabot.yml; anything else is silently ignored. The current file is valid YAML, parses fine, ships on main -- but Dependabot itself never sees it.

GitHub docs: the config file must live at .github/dependabot.yml.

Net effect of the misplacement (window: #92 onward)

• pip ecosystem grouping for torch / lerobot / transformers / huggingface-hub never fired. ML-stack updates surfaced only via manual sweep (fix(deps): resolve 19 dependabot security vulnerabilities #153 was the manual catch-up).
• github-actions ecosystem entry that was supposed to keep workflow SHA pins fresh after improve: enforce STRANDS_TRUST_REMOTE_CODE gate in policy factory #92 / ci: pin codeql-advanced.yml action SHAs and align CodeQL major (closes #217) #234 was inactive. Every action pin became manual maintenance.
• dev-tools group (ruff / mypy / pytest*) similarly never fired.

Diff shape

Verbatim git mv of the config; content unchanged (version 2, pip + github-actions ecosystems, weekly Monday schedule, three grouped pip patterns). Plus a 6-case pin test and a 1-line mypy override.

 .github/{workflows => }/dependabot.yml | 0
 tests/test_dependabot_config_path.py   | +155
 pyproject.toml                         | 1 line (yaml.* mypy override)
 3 files changed
 rename .github/{workflows => }/dependabot.yml (100%)

Pin test (tests/test_dependabot_config_path.py)

#	Test	What it pins
1	test_dependabot_yml_at_canonical_path	.github/dependabot.yml exists; the canonical path is a hard contract.
2	test_dependabot_yml_unique_in_tree	The canonical path is the only dependabot.y*ml in the tree (glob-based); blocks any re-creation at alternative paths.
3	test_dependabot_yml_minimum_viable_schema	Top-level is a mapping; version: 2; updates is a non-empty list; every entry declares package-ecosystem, directory, and schedule.interval.
4	test_dependabot_covers_expected_ecosystems[pip]	The pip ecosystem stays in scope (ML-stack hygiene).
5	test_dependabot_covers_expected_ecosystems[github-actions]	The github-actions ecosystem stays in scope (#92 / #234 SHA-pin freshness).
6	test_dependabot_pip_groups_pin_ml_stack	pip groups.ml-stack exists and its patterns include torch* + lerobot*. Pins the exact harm this PR cites.

Verification (pin discipline -- AGENTS.md > Review Learnings #85)

# Pre-fix state (config at workflows/dependabot.yml):
6 failed -- diagnostics name the canonical path explicitly.

# Post-fix state (config at .github/dependabot.yml):
6 passed in 1.00s.

# Lint:
ruff check + ruff format --check -- clean.

# Non-ASCII sweep (AGENTS.md > Review Learnings #86):
grep -nP '[^\x00-\x7F]' tests/test_dependabot_config_path.py -- empty.

Why a separate, single-file PR

• Pure config-placement fix. No production code touched, no behaviour change beyond "the config file is now read."
• Single-file rename + single test file. Smallest possible diff that closes ci(dependabot): config file at .github/workflows/dependabot.yml is silently ignored (canonical path is .github/dependabot.yml) #235.
• Independent of the feat(mesh): security hardening on Zenoh built-ins (mTLS + ACL + DoS bounds) #195 stack. No dependency on PR-2 / PR-6 / etc.; safe to land at any time.
• Prerequisite for ci: pin codeql-advanced.yml action SHAs and align CodeQL major (closes #217) #234's effectiveness long-term. ci: pin codeql-advanced.yml action SHAs and align CodeQL major (closes #217) #234 pins SHAs at file-edit time; Dependabot is the only mechanism that keeps those pins fresh. With this PR landed, the next weekly Monday cycle will start firing PRs against the pinned SHAs.

Acceptance criteria (from #235)

• .github/dependabot.yml exists with current content from .github/workflows/dependabot.yml
• .github/workflows/dependabot.yml removed
• Repo Settings -> Code security & analysis -> Dependabot version updates shows "Active" (verifiable post-merge by maintainer)
• At least one Dependabot PR fires on the next weekly Monday cycle (verifiable post-merge)
• Pin test added that asserts canonical placement

---

Section 13 R-round changelog

(Round budget: 3/3 reached.)

Round	Commit	Concern	Pin test
R0	1a3f702	initial submission	tests/test_dependabot_config_path.py (5 cases)
R1	94539de	schema test incomplete (missing directory + schedule.interval assertions) + docstring nit	test_dependabot_yml_minimum_viable_schema
R2	f90cb18	mypy CI failure: yaml import-untyped error (add yaml.* to mypy ignore overrides)	N/A (infra fix)
R3	12f9d4a	glob-based uniqueness check + pip groups pin + unbalanced paren fix + defence-in-depth on entry access	test_dependabot_yml_unique_in_tree, test_dependabot_pip_groups_pin_ml_stack

[yinsong1986]

Summary

Pure config-placement fix: git mv of .github/workflows/dependabot.yml to the canonical .github/dependabot.yml path, plus a 5-case pin test (tests/test_dependabot_config_path.py) that asserts canonical placement, blocks the historical wrong path, and pins minimum-viable v2 schema (version: 2, non-empty updates, every entry declares package-ecosystem). Content of the YAML is byte-identical to the old file (verified locally via diff); no behavioural change beyond Dependabot now actually reading the config.

Directly aligned with AGENTS.md > Review Learnings (#92) > Action Pinning: "Dependabot keeps these fresh via the github-actions ecosystem entry." Without this PR, that line in the conventions doc is aspirational rather than enforced. The pin test follows the "Pin regression tests for reviewed fixes" pattern (Review Learnings #85).

What's good

• Smallest possible diff that closes #235 — pure rename + pin test, no scope creep into the surrounding workflow files.
• test_dependabot_yml_not_at_historical_wrong_path blocks the regression both ways (canonical present and wrong path absent), which is the correct shape for a placement-bug fix.
• The verification trail in the PR description (pre-fix: 5 failed → post-fix: 5 passed; lint clean; non-ASCII sweep empty) follows the pin-discipline pattern from Review Learnings #85.
• Schema test catches the silent-failure modes Dependabot is notorious for (version: 1, updates: {}, update: singular, missing package-ecosystem).

Concerns

• Acceptance criteria are post-merge-only for two of four checkboxes (Settings panel showing "Active"; first weekly Monday PR firing). Worth flagging in the merge comment so the maintainer remembers to verify after squash-merge — otherwise we land this and assume it works without confirming Dependabot actually picked it up server-side.
• Schema test is narrower than "minimum-viable" — it pins package-ecosystem per entry but not directory or schedule.interval, both of which are also required by Dependabot v2 and silently disable an entry if missing. See inline on the schema test.
• Missing trailing newline on the new .github/dependabot.yml (carried over from the pre-rename file; the diff shows \ No newline at end of file). Cannot anchor an inline since the file is a pure rename with zero hunk lines, but it's a one-byte cleanup that belongs in the same PR — a future edit to open-pull-requests-limit will otherwise show a churn line for it.
• dev-tools group inactivity not in the test surface. The PR description calls out that the dev-tools group (ruff / mypy / pytest*) also never fired, but the parametrized ecosystem test only pins pip and github-actions at the ecosystem level — group-level configuration regression isn't caught. Lower priority since group-missing is a softer failure than ecosystem-missing, but worth noting.

Verification suggestions

Post-merge, the maintainer should confirm:

# 1. After the next Monday cycle, at least one Dependabot PR should have fired
gh pr list --author 'app/dependabot' --state all --limit 5

# 2. If nothing fires by the *second* Monday post-merge, check the Dependabot logs
# in Settings -> Code security & analysis -> Dependabot version updates -> "Last
# checked" — server-side schema rejection won't surface elsewhere.

If no PR fires by the second Monday post-merge, the config is being rejected server-side (most likely a schema issue Dependabot validated but the local YAML loader didn't), and the schema test in this PR didn't catch it — which is the gap the inline on directory / schedule.interval is about.

[yinsong1986]

Summary

Moves dependabot.yml from .github/workflows/ (where Dependabot ignores it) to .github/ (where Dependabot reads it), and adds a 5-case pin test that locks the canonical placement plus the v2 schema required-field set. Verbatim rename of the config; no behaviour change other than "Dependabot now sees this file."

The diagnosis in the PR description is correct and well-cited. The fix is the smallest possible diff that closes #235. R1 strengthened the schema test from package-ecosystem-only to all three Dependabot v2 required fields (package-ecosystem, directory, schedule.interval), which is exactly the right tightening — a future edit that drops schedule: from any entry now fails locally instead of silently disabling that entry server-side.

What's good

• Pin discipline is on-point: pre-fix state has all 5 tests failing with diagnostics that name the canonical path; post-fix state has all 5 passing. Maps directly to AGENTS.md > Review Learnings (#85) > "Pin regression tests for reviewed fixes."
• Scope is tight — config rename + one new test file, no production code touched, no unrelated drive-bys.
• Error messages on the assertions are diagnostic, not just assert False — a future contributor who hits these gets a pointer to the GitHub docs and the canonical path.
• ASCII-clean (verified with grep -nP '[^\x00-\x7F]'), per AGENTS.local.md / Review Learnings (#86).

Concerns

• R1 changelog claim doesn't fully match the head. The R1 commit message says it "tightens the module docstring at item 2... replaces the confusing parenthetical self-Q&A with a direct statement," but the rewrite left an unbalanced paren (see inline). The schema-test half of R1 landed correctly; the docstring half regressed.
• Regression scope is narrower than the PR's stated thesis. The PR argues "any path other than .github/dependabot.yml is silently ignored," but the negative-path test only blocks .github/workflows/dependabot.yml. Other plausible copy-paste destinations (.github/dependabot.yaml, repo-root dependabot.yml, .github/configs/dependabot.yml) would re-create the same harm and silently pass this test. See inline.
• The actual harm the PR cites is dropped groups, not dropped ecosystems. The PR description's lead bullet is pip ecosystem grouping for torch/lerobot/transformers never fired. The pin test asserts package-ecosystem: pip is present but does not assert the ml-stack / sim-stack / dev-tools groups exist or contain those packages. A future edit that drops groups: from the pip entry silently regresses exactly the harm this PR cites. See inline.
• Acceptance criteria items 3 and 4 are post-merge-only ("Active" status in repo settings + first Monday Dependabot PR fires). Worth a maintainer reminder to verify these on the next weekly cycle so #235 actually closes — pinning the file path doesn't pin GitHub's server-side parse success.

Verification suggestions

# Sanity-check that no other dependabot.* file slipped in:
find .github -iname 'dependabot*' -o -iname 'dependabot*' | head

# Run the new test locally:
hatch run pytest tests/test_dependabot_config_path.py -v

# Post-merge (maintainer): confirm Settings -> Code security & analysis ->
# Dependabot version updates is "Active" and check the Insights ->
# Dependency graph -> Dependabot tab the next Monday for the first PR cycle.