add dependabot #5

Open
kpj2006 wants to merge 7 commits into AOSSIE-Org:main from kpj2006:dependabot

Conversation


@kpj2006 kpj2006 commented Dec 25, 2025

Dependabot only runs for ecosystems whose dependency files are present in the repository.
If a dependency ecosystem is not used (e.g., no Cargo.toml, go.mod, etc.), no PRs or notifications are triggered for them.

Any reviewers or assignees entries are best-effort and are silently ignored by GitHub if the referenced team does not exist in the target repository. (For now we don't have a maintainer architecture, hence it is ignored for now.)

Code review is handled by GitHub’s CODEOWNERS (.github/CODEOWNERS) by default.
This ensures correct reviewers are automatically requested without hard-coding org-specific teams in the template.

Maintainers can customize or remove reviewer/assignee settings once the repository’s maintainer structure is finalized.

Summary by CodeRabbit

  • Chores
    • Configured automated weekly dependency updates (scheduled Mondays at 09:00 UTC) across supported ecosystems with standardized commit-message prefixes, branch naming, and pull-request labeling to streamline dependency management.
    • Set a limit of open update PRs to minimize noise; includes optional ignore rules for select ML libraries to avoid major update churn.


coderabbitai bot commented Dec 25, 2025

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

Adds a new repository-level Dependabot configuration file that standardizes automated weekly dependency updates across multiple ecosystems with scoped commit messages, labels, branch naming, and a 5-PR limit; Pip section contains commented ignore rules for some AI/ML libs.

Changes

  • Dependabot Configuration (.github/dependabot.yml): New repository-level Dependabot config enabling weekly (Monday 09:00 UTC) updates across multiple ecosystems (npm, Docker, GitHub Actions, Cargo, Maven, Gradle, Pip, etc.). Sets open-pull-requests-limit: 5, scoped chore(deps) commit messages, label conventions, hyphenated branch names, and includes commented-out Pip ignore rules for tensorflow, torch, and scikit-learn.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

Documentation

Suggested reviewers

  • Zahnentferner

Poem

🐰 I hopped in to tidy your tree,
Chore(deps) commits, all neat and free,
Monday updates, gentle and bright,
Labels and branches kept just right,
A little rabbit cheer for dependency delight! ✨

🚥 Pre-merge checks (2 passed)

  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title 'add dependabot' directly corresponds to the main change: adding a Dependabot configuration file (.github/dependabot.yml) to the repository.

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1df0dcd and 8237844.

📒 Files selected for processing (2)
  • .github/CODEOWNERS
  • .github/dependabot.yml
🔇 Additional comments (1)
.github/dependabot.yml (1)

1-274: Configuration is well-structured for a template repository.

The file establishes a comprehensive Dependabot setup across multiple ecosystems with consistent scheduling, commit message conventions, and labeling. The broad coverage is appropriate for a template, and as documented in the PR description, Dependabot will silently skip ecosystems without corresponding dependency files. The use of AOSSIE-Org/maintainers as a placeholder is acknowledged and will defer to CODEOWNERS; this is reasonable for a template repository awaiting maintainer structure definition.

@@ -0,0 +1,5 @@
# Default code owners for this repository.

We do have a problem where many of our repos are lacking reliable maintainers.

A CODEOWNERS file could potentially help with this. But I am not entirely convinced.

Isn't it possible to automatically infer the code owners from the previous contributors?

We have the convention of having, for every project P, a team with the same name P. Wouldn't it be possible to automatically assign ownership of project P to the team P?

Otherwise, I am afraid that CODEOWNERS could become another bureaucratic boilerplate.

What we really need, I think, is a workflow that automatically assigns open PRs in a project P to be reviewed to members of team P and notifies them of this assignment. This would hopefully help in encouraging them to maintain the code.
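As an added illustration of the workflow proposed in the comment above (this is not code from the PR or from AOSSIE-Org), the following GitHub Actions workflow requests a review from the org team whose slug matches the repository name, which is what triggers GitHub's normal review-request notification to that team. Assumptions: the team slug equals the repository name; a secret named REVIEW_REQUEST_TOKEN holds a fine-grained token or GitHub App token that can read org teams and write pull requests (the default GITHUB_TOKEN cannot resolve org teams, so it is not used here); the event is `pull_request_target` so the secret is available for fork PRs, and the job deliberately never checks out the PR's code, so no untrusted code runs with that token.

```yaml
name: Request review from project team

on:
  pull_request_target:
    types: [opened, reopened, ready_for_review]

# Least privilege for the default GITHUB_TOKEN; the real work uses the
# dedicated secret below, scoped to exactly the two permissions it needs.
permissions:
  pull-requests: write

jobs:
  request-team-review:
    # Skip drafts so the team is only pinged when the author wants review.
    if: github.event.pull_request.draft == false
    runs-on: ubuntu-latest
    steps:
      # No actions/checkout step on purpose: pull_request_target runs with
      # secrets, so executing the PR head's code here would hand the token
      # to whoever opened the PR.
      - name: Request review from the team named after this repository
        env:
          # Assumed token: fine-grained PAT or App token with org "Members: read"
          # and repo "Pull requests: write". Name is a placeholder.
          GH_TOKEN: ${{ secrets.REVIEW_REQUEST_TOKEN }}
          ORG: ${{ github.repository_owner }}
          TEAM: ${{ github.event.repository.name }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          # Assumption: team slug == repository name. Probe the team first so a
          # missing team produces a visible warning instead of a silent no-op.
          if gh api "orgs/$ORG/teams/$TEAM" --silent; then
            gh pr edit "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" --add-reviewer "$ORG/$TEAM"
          else
            echo "::warning::No team '$TEAM' in org '$ORG'; no reviewer requested"
          fi
```

The explicit existence check matters because a review request for a non-existent or non-writable team fails silently elsewhere (the PR description notes the same behaviour for Dependabot's reviewers field); surfacing it as a workflow warning keeps the missing-maintainer problem visible instead of hiding it.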

@github-actions github-actions bot added no-issue-linked PR is not linked to any issue ci-cd CI/CD pipeline changes configuration Configuration file changes size/L Large PR (201-500 lines changed) external-contributor pending-coderabbit-review labels Feb 20, 2026

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/dependabot.yml:
  • Around line 23-241: The file currently enables many package-ecosystem entries which can produce up to ~70 concurrent Dependabot PRs; update the customization guide to recommend and show how to use per-ecosystem "groups" and the beta "multi-ecosystem-groups" to batch updates and reduce PR volume, and mention adjusting "open-pull-requests-limit" per ecosystem; look for the package-ecosystem blocks and the open-pull-requests-limit keys to add a short explanatory note describing when to use "groups" vs "multi-ecosystem-groups" and what trade-offs to expect.
  • Around line 40-41: The pull-request-branch-name separator is set only for the npm ecosystem (symbol: pull-request-branch-name with separator: "/"), causing inconsistent branch names across ecosystems; fix by either removing the pull-request-branch-name/separator entry from the npm block so all ecosystems use the default "-" OR add the same pull-request-branch-name: separator: "/" stanza to every other ecosystem entry (docker, bundler, cargo, maven, gradle, composer, gomod, pip, terraform, pub, nuget, github-actions) so all branch names follow the same format.
  • Around line 1-3: Remove the stale, redundant documentation link at the top of .github/dependabot.yml by deleting the first comment line that contains "https://docs.github.com/en/free-pro-team@latest/github/administering-a-repository/enabling-and-disabling-version-updates" so only the current Dependabot documentation link (the existing third line) remains; ensure no other changes are made to the remaining comments or the file header.

Comment on lines 23 to 241
```yaml
version: 2
updates:
  # NPM - JavaScript/Node.js projects
  # Remove this section if your project doesn't use npm
  - package-ecosystem: "npm"
    directory: "/" # Change to "/frontend" or "/backend" for monorepos
    schedule:
      interval: "weekly" # Options: daily, weekly, monthly
      day: "monday" # For weekly: monday-sunday
      time: "09:00" # UTC time
    open-pull-requests-limit: 5 # Max PRs to keep open
    labels:
      - "dependencies"
      - "npm"
    commit-message:
      prefix: "chore(deps)" # Follows conventional commits
      include: "scope"
    pull-request-branch-name:
      separator: "/" # Creates branches like: dependabot/npm/package-name

  # GitHub Actions - Keep workflows up to date (recommended for all projects)
  - package-ecosystem: "github-actions"
    directory: "/" # Scans .github/workflows/
    schedule:
      interval: "weekly"
      day: "monday"
      time: "09:00"
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
      - "github-actions"
    commit-message:
      prefix: "chore(deps)"
      include: "scope"

  # Docker - Containerized applications
  # Remove this section if your project doesn't use Docker
  - package-ecosystem: "docker"
    directory: "/" # Directory containing Dockerfile
    schedule:
      interval: "weekly"
      day: "monday"
      time: "09:00"
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
      - "docker"
    commit-message:
      prefix: "chore(deps)"
      include: "scope"

  # Bundler - Ruby projects
  # Remove this section if your project doesn't use Ruby
  - package-ecosystem: "bundler"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "09:00"
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
      - "ruby"
    commit-message:
      prefix: "chore(deps)"
      include: "scope"

  # Cargo - Rust projects
  # Remove this section if your project doesn't use Rust
  - package-ecosystem: "cargo"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "09:00"
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
      - "rust"
    commit-message:
      prefix: "chore(deps)"
      include: "scope"

  # Maven - Java projects
  # Remove this section if your project uses Gradle instead or doesn't use Java
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "09:00"
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
      - "java"
    commit-message:
      prefix: "chore(deps)"
      include: "scope"

  # Gradle - Java/Kotlin/Android projects
  # Remove this section if your project uses Maven instead or doesn't use Java/Kotlin
  - package-ecosystem: "gradle"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "09:00"
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
      - "java"
    commit-message:
      prefix: "chore(deps)"
      include: "scope"

  # Composer - PHP projects
  # Remove this section if your project doesn't use PHP
  - package-ecosystem: "composer"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "09:00"
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
      - "php"
    commit-message:
      prefix: "chore(deps)"
      include: "scope"

  # Go Modules - Go projects
  # Remove this section if your project doesn't use Go
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "09:00"
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
      - "go"
    commit-message:
      prefix: "chore(deps)"
      include: "scope"

  # Pip - Python projects (supports pip, pipenv, poetry)
  # Remove this section if your project doesn't use Python
  - package-ecosystem: "pip"
    directory: "/" # Directory containing requirements.txt, Pipfile, or pyproject.toml
    schedule:
      interval: "weekly"
      day: "monday"
      time: "09:00"
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
      - "python"
    commit-message:
      prefix: "chore(deps)"
      include: "scope"
    # Uncomment and customize for AI/ML projects to prevent breaking changes:
    # ignore:
    #   - dependency-name: "tensorflow"
    #     update-types: ["version-update:semver-major"]
    #   - dependency-name: "torch"
    #     update-types: ["version-update:semver-major"]
    #   - dependency-name: "scikit-learn"
    #     update-types: ["version-update:semver-major"]

  # Terraform - Infrastructure as Code
  # Remove this section if your project doesn't use Terraform
  - package-ecosystem: "terraform"
    directory: "/" # Directory containing .tf files
    schedule:
      interval: "weekly"
      day: "monday"
      time: "09:00"
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
      - "infrastructure"
    commit-message:
      prefix: "chore(deps)"
      include: "scope"

  # Pub - Dart/Flutter projects
  # Remove this section if your project doesn't use Dart/Flutter
  - package-ecosystem: "pub"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "09:00"
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
      - "flutter"
      - "dart"
    commit-message:
      prefix: "chore(deps)"
      include: "scope"

  # NuGet - .NET projects (C#, F#, VB.NET)
  # Remove this section if your project doesn't use .NET
  - package-ecosystem: "nuget"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "09:00"
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
      - "dotnet"
    commit-message:
      prefix: "chore(deps)"
      include: "scope"
```

🧹 Nitpick | 🔵 Trivial

Aggregate PR volume can reach 70 with all ecosystems active — consider groups or multi-ecosystem-groups.

Each ecosystem independently caps at 5 open PRs, so a polyglot repository that actually uses all 14 ecosystems could accumulate up to 70 concurrent Dependabot PRs. Two mitigation strategies are worth noting in the customization guide:

  1. Per-ecosystem groups: Batch all updates for an ecosystem into a single PR (already GA).
  2. multi-ecosystem-groups (currently in beta): Dependabot's multi-ecosystem groups feature allows you to create groups that span multiple package ecosystems and get a single PR with updates across all supported ecosystems, instead of receiving separate PRs for each ecosystem.

Adding a brief mention of these options under the CUSTOMIZATION GUIDE section would help adopters proactively manage review load.

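To show concretely what the per-ecosystem `groups` mitigation from the comment above looks like, here is an added, trimmed dependabot.yml (example configuration, not the file in this PR): the npm section batches minor and patch bumps of runtime dependencies into one PR and all dev-tooling bumps into another, while major bumps stay ungrouped so each gets its own PR; the pip section does the same and keeps the page's major-version ignore rules for tensorflow and torch. Group names are constructed for this example; the `groups` keys (`dependency-type`, `patterns`, `update-types`) are GA Dependabot syntax. The beta `multi-ecosystem-groups` feature the comment also names is deliberately left out here because its syntax is still changing.

```yaml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "09:00"
    # With grouping, 3 open PRs is plenty: one per group plus the occasional
    # ungrouped major bump. The page's per-ecosystem limit was 5.
    open-pull-requests-limit: 3
    groups:
      # Constructed group name: one PR for all minor/patch bumps of code that
      # ships to production. Majors are excluded so they are reviewed alone.
      runtime-minor-patch:
        dependency-type: "production"
        update-types: ["minor", "patch"]
      # Constructed group name: dev tooling (linters, test runners) in one PR,
      # including majors, since it never reaches the deployed artifact.
      dev-tooling:
        dependency-type: "development"
        patterns: ["*"]
    labels: ["dependencies", "npm"]
    commit-message:
      prefix: "chore(deps)"
      include: "scope"

  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "09:00"
    open-pull-requests-limit: 3
    groups:
      # Constructed group name: every package, but only minor/patch bumps.
      python-minor-patch:
        patterns: ["*"]
        update-types: ["minor", "patch"]
    # Same rules the page keeps commented out: never auto-propose a major
    # bump of the ML frameworks, which routinely break model code.
    ignore:
      - dependency-name: "tensorflow"
        update-types: ["version-update:semver-major"]
      - dependency-name: "torch"
        update-types: ["version-update:semver-major"]
    labels: ["dependencies", "python"]
    commit-message:
      prefix: "chore(deps)"
      include: "scope"
```

The trade-off to document alongside this: a grouped PR bundles several packages into one lockfile diff, so reviewers lose the one-package-per-PR signal and need to read the whole lockfile change rather than just the title; leaving majors ungrouped keeps the riskiest bumps individually visible.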

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/dependabot.yml:
  • Around line 131-147: Update the Gradle dependabot block (package-ecosystem: "gradle") to include a disambiguating label such as "kotlin" or "android" in its labels list (in addition to "java") and add a short inline comment explaining that this label helps distinguish Gradle/Kotlin/Android PRs from Maven ones; target the labels key in the Gradle section so the change is localized and discoverable.
