chore: add Dependabot configuration

[andres-qd]

Dependabot Configuration

Adds automated dependency management via Dependabot.

Detected ecosystems

• pip
• github-actions

Configuration

• Schedule: weekly
• PR limit: 5 per ecosystem
• Grouping: security updates grouped together, minor/patch version updates grouped together, major updates ungrouped
• Target branch: main

What to expect

• Dependabot will open PRs for dependency updates based on the schedule above
• Security updates are prioritized and grouped separately
• Major version updates appear as individual PRs (may have breaking changes)

Customize this config after merging if your repo has specific needs (e.g., custom registries, multiple directories, ignore rules).

[coderabbitai]

Worried about impact? Review this PR in Change Stack to explore blast radius before you approve or request changes.

📝 Walkthrough

Walkthrough

This PR introduces a new .github/dependabot.yml configuration file that enables Dependabot to automatically check for dependency updates on a weekly schedule. The configuration targets two package managers: pip for Python dependencies and github-actions for GitHub Actions versions, both at the repository root. It limits open pull requests to 5 per package manager and defines separate grouping rules for security updates and minor/patch version updates.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'chore: add Dependabot configuration' accurately and concisely describes the main change—adding Dependabot configuration to the repository.
Description check	✅ Passed	The description is well-detailed and directly related to the changeset, explaining the Dependabot configuration, detected ecosystems, schedule, PR limits, grouping strategy, and expected behavior.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch add-dependabot-config

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/dependabot.yml:
- Around line 9-12: Rename duplicate dependabot group names so they are unique
across the whole config: locate occurrences of the groups named
"security-updates" and "version-updates" (e.g., under the pip and github-actions
ecosystems) and make them ecosystem-specific (for example
"pip-security-updates", "github-actions-security-updates",
"pip-version-updates", "github-actions-version-updates") and update any
references accordingly so Dependabot v2 no longer sees duplicate group names.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: cd4d6c31-d030-4378-9f23-6ba3737b01ed

📥 Commits

Reviewing files that changed from the base of the PR and between 8a8ea4f and 625f61e.

📒 Files selected for processing (1)

• .github/dependabot.yml

[coderabbitai]

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Group names must be unique across the entire configuration.

The group names security-updates and version-updates are duplicated between the pip and github-actions package ecosystems. According to Dependabot v2 requirements, group names must be unique across the entire configuration file, not just within each ecosystem. This will cause Dependabot to fail when processing the configuration.

🔧 Proposed fix: Use ecosystem-specific group names

   - package-ecosystem: "pip"
     directory: "/"
     schedule:
       interval: "weekly"
     open-pull-requests-limit: 5
     groups:
-      security-updates:
+      pip-security-updates:
         applies-to: security-updates
         patterns:
           - "*"
-      version-updates:
+      pip-version-updates:
         applies-to: version-updates
         update-types:
           - "minor"
           - "patch"
         patterns:
           - "*"
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "weekly"
     open-pull-requests-limit: 5
     groups:
-      security-updates:
+      actions-security-updates:
         applies-to: security-updates
         patterns:
           - "*"
-      version-updates:
+      actions-version-updates:
         applies-to: version-updates
         update-types:
           - "minor"
           - "patch"
         patterns:
           - "*"

Also applies to: 26-29, 13-19, 30-36

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/dependabot.yml around lines 9 - 12, Rename duplicate dependabot
group names so they are unique across the whole config: locate occurrences of
the groups named "security-updates" and "version-updates" (e.g., under the pip
and github-actions ecosystems) and make them ecosystem-specific (for example
"pip-security-updates", "github-actions-security-updates",
"pip-version-updates", "github-actions-version-updates") and update any
references accordingly so Dependabot v2 no longer sees duplicate group names.