Skip to content

Add Dependabot Configuration for Automated Dependency Updates #23

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
tarun-etikala wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

Add Dependabot Configuration for Automated Dependency Updates #23

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 19 additions & 0 deletions .github/dependabot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
version: 2
updates:
# GitHub Actions dependencies
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
labels:
- "dependencies"
- "github-actions"

# Python dependencies - examples folder
- package-ecosystem: "pip"
directory: "/examples"
schedule:
interval: "weekly"
labels:
- "dependencies"
- "python"
Comment on lines +13 to +19
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Mar 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

python - <<'PY'
from pathlib import Path

root = Path("examples")
patterns = [
    "requirements*.txt",
    "requirements*.in",
    "pyproject.toml",
    "setup.py",
    "setup.cfg",
    "Pipfile",
]

files = sorted({
    p for pattern in patterns
    for p in root.rglob(pattern)
    if p.is_file()
})

print("All Python manifests under examples/:")
for p in files:
    print(f" - {p}")

direct = [p for p in files if len(p.relative_to(root).parts) == 1]

print("\nDirectly under examples/:")
for p in direct:
    print(f" - {p}")

if files and not direct:
    print("\nRESULT: manifests are nested under subdirectories. Use one Dependabot entry per manifest directory or the `directories:` key.")
elif direct:
    print("\nRESULT: at least one manifest lives directly under /examples. This config will cover those files.")
else:
    print("\nRESULT: no supported pip manifests were found under examples/.")
PY

Repository: red-hat-data-services/red-hat-ai-examples

Length of output: 703

Update Dependabot config to cover nested Python manifests.

The directory: "/examples" entry will not discover Python manifests nested in subdirectories. Analysis found:

  • 6 pyproject.toml files under examples/knowledge-tuning/01_*, 02_*, etc.
  • 1 requirements.txt at examples/llmcompressor/
  • None directly under examples/

Dependabot's pip resolver only looks in the specified directory, not subdirectories. Either:

  1. Add a separate entry for each manifest directory (e.g., directory: "/examples/knowledge-tuning/01_Base_Model_Evaluation")
  2. Use multiple directory paths if Dependabot supports it in your config schema
  3. Consolidate manifests to examples/ root if feasible

Without this change, dependency updates for nested examples will be missed.

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In @.github/dependabot.yml around lines 13 - 19, The Dependabot pip entry uses
package-ecosystem: "pip" with a single directory: "/examples", which won't
discover Python manifests nested in subfolders; replace the single directory
entry by adding separate dependabot entries (each with package-ecosystem: "pip")
for every subdirectory that contains a Python manifest (the nested
pyproject.toml / requirements.txt locations) so Dependabot will scan them
individually, or alternatively consolidate the manifests to the specified
directory and update the existing directory value; update the dependabot.yml by
duplicating the pip block per manifest directory or by changing the directory to
the consolidated root as appropriate.