Dependabot: monthly grouped PR if there are Github Actions updates #3565

Open: VariableVince wants to merge 6 commits into main from dependabot-ghactions

@VariableVince VariableVince commented Apr 2, 2026

Description:

To save on manual work, have Dependabot check monthly and create a grouped PR for Github Actions updates. Hat tip @deshack for the tip and grouping suggestion.

Please complete the following:

  • I have added screenshots for all UI updates
  • I process any text displayed to the user through translateText() and I've added it to the en.json file
  • I have added relevant tests to the test directory
  • I confirm I have thoroughly tested these changes and take full responsibility for any bugs introduced

Please put your Discord username so you can be contacted if a bug or regression is found:

tryout33

@VariableVince VariableVince self-assigned this Apr 2, 2026
@VariableVince VariableVince added the Devops Infrastructure, CI/CD, dependencies, and maintenance. label Apr 2, 2026

coderabbitai bot commented Apr 2, 2026

Walkthrough

Added a Dependabot v2 configuration file at .github/dependabot.yml to schedule monthly dependency update checks for the github-actions package ecosystem at the repository root; includes grouping rules for version and security updates.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Dependabot configuration: .github/dependabot.yml | New Dependabot v2 config added. Targets github-actions package-ecosystem at /, runs monthly, with grouping rules for version-updates and security-updates matching all packages. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🤖 A watcher checks the nightly rails,
Sifts actions, sorts the update trails,
Monthly whispers, grouped with care,
Quiet fixes floating in the air. ✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title accurately describes the main change: adding a Dependabot configuration for monthly grouped pull requests on GitHub Actions updates. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Description check | ✅ Passed | The pull request description clearly describes adding Dependabot configuration for monthly GitHub Actions updates with grouped PRs, directly matching the changeset. |


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/dependabot.yml (1)

4-9: Consider adding optional configuration fields for better PR management.

The basic setup works, but adding these fields can improve the experience:

  • open-pull-requests-limit: Controls how many PRs Dependabot opens at once
  • labels: Tags PRs for easier filtering
  • commit-message: Adds consistent prefix to commit messages
  • groups: Combines related updates into single PRs (reduces noise)
📝 Enhanced configuration example
 version: 2
 updates:
 
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "weekly"
+    open-pull-requests-limit: 10
+    labels:
+      - "dependencies"
+      - "github-actions"
+    commit-message:
+      prefix: "chore(deps)"
+    groups:
+      github-actions:
+        patterns:
+          - "*"
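Review bot: The added `groups.github-actions` block at the end of this suggestion has no `applies-to` key, and Dependabot then applies the group to version updates only, so security updates for actions would still open one PR each. If grouped security updates are wanted as well, as the walkthrough above describes, add a second group with `applies-to: security-updates`. The context line `interval: "weekly"` also does not match the monthly schedule in the PR title, so take only the `+` lines rather than the whole block; with a single `"*"` group, `open-pull-requests-limit: 10` will rarely come into play.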
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/dependabot.yml around lines 4 - 9, Update the Dependabot
configuration under the existing updates block (the entry with
package-ecosystem: "github-actions", directory: "/", schedule) to include
optional management fields: add open-pull-requests-limit to cap concurrent PRs,
labels to tag created PRs, a commit-message section to enforce a consistent
prefix, and groups to combine related updates; ensure each field is added at the
same level as schedule within that updates item so Dependabot uses them for PR
limiting, labeling, commit message formatting, and grouping.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/dependabot.yml:
- Around line 1-9: The dependabot YAML file has Prettier formatting issues; run
the formatter on .github/dependabot.yml (or run prettier --write
.github/dependabot.yml or prettier --write .) to fix
spacing/quotation/indentation, then stage and commit the updated
.github/dependabot.yml so the pipeline style checks pass (no code changes needed
beyond reformatting the existing dependabot configuration).

📥 Commits

Reviewing files that changed from the base of the PR and between 21c2861 and 716b9f8.

📒 Files selected for processing (1)
  • .github/dependabot.yml
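
The configuration the walkthrough describes (monthly checks for github-actions at `/`, with separate groups for version and security updates), written out as an added example. It is not the file from this PR, and the two group names are assumptions.

```yaml
# Added example: a .github/dependabot.yml matching the walkthrough's description.
# Not the PR's actual file; the group names below are assumed.
version: 2
updates:
  - package-ecosystem: "github-actions"
    # "/" makes Dependabot scan the workflow files under .github/workflows
    directory: "/"
    schedule:
      interval: "monthly"
    groups:
      # One PR per run for all ordinary version bumps of actions.
      actions-version-updates:
        applies-to: version-updates
        patterns:
          - "*"
      # Separate group: without an explicit applies-to, a group covers
      # version updates only and security fixes arrive as individual PRs.
      actions-security-updates:
        applies-to: security-updates
        patterns:
          - "*"
```

The monthly interval governs version updates; security updates are raised when an alert is triggered and require Dependabot security updates to be enabled for the repository.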

@VariableVince VariableVince changed the title from "Create dependabot.yml for Github Actions updates" to "Have Dependabot auto create PRs for Github Actions updates" Apr 2, 2026
coderabbitai bot previously approved these changes Apr 2, 2026
@github-project-automation github-project-automation bot moved this from Development to Final Review in OpenFront Release Management Apr 2, 2026
@VariableVince VariableVince changed the title from "Have Dependabot auto create PRs for Github Actions updates" to "Dependabot: monthly grouped PR if there are Github Actions updates" Apr 2, 2026
coderabbitai bot previously approved these changes Apr 2, 2026