chore: Added depend-a-bot configs (#90)

christian-kreuzberger-dtx · web-flow · commit 2d1722e38f37 · 2025-08-13T14:10:01.000+02:00
diff --git a/.github/DEPENDABOT.md b/.github/DEPENDABOT.md
@@ -0,0 +1,60 @@
+# Dependabot Configuration
+
+This repository uses [Dependabot](https://docs.github.com/en/code-security/dependabot) to automatically manage dependency updates.
+
+## What's Configured
+
+### 1. **npm Dependencies** (`/.github/dependabot.yml`)
+
+- **Schedule**: Weekly on Mondays at 06:00 UTC
+- **Grouping**:
+  - `@dynatrace-sdk/*` packages are grouped together
+  - Development dependencies are grouped separately
+  - Major updates are grouped separately for careful review
+- **Limits**: Maximum 10 open PRs at once
+- **Auto-ignore**: Major version updates for `@modelcontextprotocol/sdk` and `dt-app` to prevent breaking changes
+
+### 2. **GitHub Actions** (`/.github/dependabot.yml`)
+
+- **Schedule**: Weekly on Mondays at 06:00 UTC
+- **Limits**: Maximum 5 open PRs at once
+- Updates GitHub Actions in workflows to latest versions
+
+### 3. **Docker Dependencies** (`/.github/dependabot.yml`)
+
+- **Schedule**: Weekly on Mondays at 06:00 UTC
+- **Limits**: Maximum 3 open PRs at once
+- Updates base images in Dockerfile
+
+## Manual Review Process
+
+All dependency updates require manual review and approval:
+
+- **All Updates**: Maintainers review and approve all dependency updates
+- **CI Testing**: All PRs go through the standard CI pipeline (build, test, prettier)
+- **Grouped PRs**: Related dependencies are updated together for easier review
+- **Clear Labeling**: PRs are properly categorized and assigned to maintainers
+
+## How It Works
+
+1. **Weekly Check**: Every Monday, Dependabot checks for outdated dependencies
+2. **PR Creation**: Creates PRs for available updates (grouped by category)
+3. **Assignment**: PRs are automatically assigned to `dynatrace-oss/dynatrace-mcp-maintainers`
+4. **CI Testing**: All PRs go through the standard CI pipeline (build, test, prettier)
+5. **Manual Review**: Maintainers review and manually merge approved PRs
+6. **Full Control**: No automatic merging ensures careful review of all changes
+
+## Customization
+
+To modify Dependabot behavior:
+
+- Edit `.github/dependabot.yml` for dependency monitoring configuration
+- Adjust grouping, scheduling, or ignore rules as needed
+
+## Benefits
+
+- **Security**: Automatic detection of security updates
+- **Visibility**: Clear overview of available dependency updates
+- **Organization**: Related dependencies are grouped together
+- **Control**: Full manual control over what gets merged and when
+- **CI Integration**: All updates are tested before review
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,85 @@
+version: 2
+updates:
+  # Enable version updates for npm
+  - package-ecosystem: 'npm'
+    directory: '/'
+    schedule:
+      interval: 'weekly'
+      day: 'monday'
+      time: '06:00'
+      timezone: 'UTC'
+    open-pull-requests-limit: 10
+    reviewers:
+      - 'dynatrace-oss/dynatrace-mcp-maintainers'
+    assignees:
+      - 'dynatrace-oss/dynatrace-mcp-maintainers'
+    commit-message:
+      prefix: 'deps'
+      prefix-development: 'deps-dev'
+      include: 'scope'
+    labels:
+      - 'dependencies'
+      - 'automated'
+    # Group updates for better management
+    groups:
+      dynatrace-sdk:
+        patterns:
+          - '@dynatrace-sdk/*'
+        update-types:
+          - 'minor'
+          - 'patch'
+      dev-dependencies:
+        dependency-type: 'development'
+        update-types:
+          - 'minor'
+          - 'patch'
+      major-updates:
+        update-types:
+          - 'major'
+    # Ignore specific packages if needed
+    ignore:
+      # Ignore major version updates for core dependencies to avoid breaking changes
+      - dependency-name: '@modelcontextprotocol/sdk'
+        update-types: ['version-update:semver-major']
+      - dependency-name: 'dt-app'
+        update-types: ['version-update:semver-major']
+
+  # Enable version updates for GitHub Actions
+  - package-ecosystem: 'github-actions'
+    directory: '/'
+    schedule:
+      interval: 'weekly'
+      day: 'monday'
+      time: '06:00'
+      timezone: 'UTC'
+    open-pull-requests-limit: 5
+    reviewers:
+      - 'dynatrace-oss/dynatrace-mcp-maintainers'
+    assignees:
+      - 'dynatrace-oss/dynatrace-mcp-maintainers'
+    commit-message:
+      prefix: 'ci'
+      include: 'scope'
+    labels:
+      - 'github-actions'
+      - 'automated'
+
+  # Enable version updates for Docker
+  - package-ecosystem: 'docker'
+    directory: '/'
+    schedule:
+      interval: 'weekly'
+      day: 'monday'
+      time: '06:00'
+      timezone: 'UTC'
+    open-pull-requests-limit: 3
+    reviewers:
+      - 'dynatrace-oss/dynatrace-mcp-maintainers'
+    assignees:
+      - 'dynatrace-oss/dynatrace-mcp-maintainers'
+    commit-message:
+      prefix: 'docker'
+      include: 'scope'
+    labels:
+      - 'docker'
+      - 'automated'
