ci: add dependabot.yml

Author: softwareentrepreneer

.github/dependabot.yml

@@ -0,0 +1,30 @@
+# Dependabot configuration for automatic dependency updates
+# See: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  # Update GitHub Actions versions
+  # This keeps your workflow actions secure and up-to-date
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      # Check for updates monthly (less noisy than weekly)
+      interval: "monthly"
+    labels:
+      - "dependencies"
+      - "github-actions"
+    # Group all GitHub Actions updates into a single PR
+    # This reduces PR noise and makes reviewing easier
+    groups:
+      github-actions:
+        patterns:
+          - "*"
+    # Automatically add reviewers (optional - uncomment and customize)
+    # reviewers:
+    #   - "your-username"
+    # Limit how many Dependabot PRs can be open at once (optional)
+    # Default is 5, increase if you want more concurrent PRs
+    # open-pull-requests-limit: 10
+    #
+    # Note: Auto-merge is configured in GitHub repo settings, not here.
+    # Go to: Settings → General → Pull Requests → Allow auto-merge

afterpython/cli/commands/init.py

@@ -63,6 +63,7 @@ def init(ctx, yes):
     from afterpython.tools.commitizen import init_commitizen
     from afterpython.tools.github_actions import (
         create_workflow,
+        create_dependabot,
     )
 
     paths = ctx.obj["paths"]
@@ -84,6 +85,9 @@ def init(ctx, yes):
 
     init_website()
 
+    create_workflow("deploy")
+    create_workflow("ci")
+
     if yes or click.confirm(
         f"\nCreate .pre-commit-config.yaml in {afterpython_path}?", default=True
     ):
@@ -100,5 +104,9 @@ def init(ctx, yes):
         init_commitizen()
         create_workflow("release")
 
-    create_workflow("deploy")
-    create_workflow("ci")
+    if yes or click.confirm(
+        "\nCreate Dependabot configuration (.github/dependabot.yml) "
+        "to auto-update GitHub Actions versions?",
+        default=True,
+    ):
+        create_dependabot()

afterpython/doc/package_maintenance/ci_cd.md

@@ -19,11 +19,11 @@ See [PyPI and GitHub Releases](./release_management.md#pypi-and-github-releases)
 ### `deploy.yml`
 Deploys your project website to GitHub Pages.
 
+### `dependabot.yml` (optional)
+Automatically updates GitHub Actions versions.
+
 ---
 ## Security Scanning 🚧
 
 ---
 ## Code Coverage 🚧
-
----
-## GitHub Dependabot 🚧

afterpython/doc/references/roadmap.md

@@ -9,8 +9,6 @@ This roadmap is tentative and subject to change
 - AI chatbot like kapa.ai using WebLLM
 - full-text search engine using pagefind
 - incremental build, only build changed content (for `ap dev`)
-- github dependabot
-    - update the versions in github workflows (e.g. `ci.yml`, not `pyproject.toml` coz `pcu` handles it already)
 - integrate with `git-cliff` for changelog generation
 - integrate with `pixi`, supports `conda install`
 - supports docs built by different engines? e.g. Sphix, MkDocs

afterpython/templates/ci-workflow-template.yml

@@ -95,8 +95,9 @@ jobs:
 
       - name: Run tests with pytest
         # Run pytest with verbose output
-        # Even without tests, pytest will exit successfully (0 tests collected)
-        run: pytest -v
+        # Exit code 5 (no tests collected) is treated as success
+        run: |
+          pytest -v || if [ $? -eq 5 ]; then exit 0; else exit $?; fi
 
   # Job 4: Test Suite - Pixi Workflow
   # Pixi-based testing for projects using pixi.toml
@@ -131,7 +132,9 @@ jobs:
         #   py311 = ["py311", "test"]
         #   [feature.test.tasks]
         #   test = "pytest -v"
-        run: pixi run -e ${{ matrix.environment }} test
+        # Note: Exit code 5 (no tests collected) is treated as success
+        run: |
+          pixi run -e ${{ matrix.environment }} test || if [ $? -eq 5 ]; then exit 0; else exit $?; fi
 
   # Job 5: Build Verification
   # Ensures the package can be built successfully

afterpython/templates/dependabot-template.yml

@@ -0,0 +1,30 @@
+# Dependabot configuration for automatic dependency updates
+# See: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  # Update GitHub Actions versions
+  # This keeps your workflow actions secure and up-to-date
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      # Check for updates monthly (less noisy than weekly)
+      interval: "monthly"
+    labels:
+      - "dependencies"
+      - "github-actions"
+    # Group all GitHub Actions updates into a single PR
+    # This reduces PR noise and makes reviewing easier
+    groups:
+      github-actions:
+        patterns:
+          - "*"
+    # Automatically add reviewers (optional - uncomment and customize)
+    # reviewers:
+    #   - "your-username"
+    # Limit how many Dependabot PRs can be open at once (optional)
+    # Default is 5, increase if you want more concurrent PRs
+    # open-pull-requests-limit: 10
+    #
+    # Note: Auto-merge is configured in GitHub repo settings, not here.
+    # Go to: Settings → General → Pull Requests → Allow auto-merge

afterpython/tools/github_actions.py

@@ -1,34 +1,48 @@
 import shutil
+from pathlib import Path
 
 import click
 
 import afterpython as ap
 
 
-def create_workflow(workflow_name: str):
-    if ".yml" in workflow_name:
-        workflow_name = workflow_name.replace(".yml", "")
-
-    user_path = ap.paths.user_path
-    workflow_dir = user_path / ".github" / "workflows"
-    workflow_path = workflow_dir / f"{workflow_name}.yml"
-
-    if workflow_path.exists():
-        click.echo(
-            f"GitHub Actions {workflow_name} workflow {workflow_path} already exists"
-        )
+def _copy_github_template(template_name: str, target_path: Path):
+    """Helper to copy GitHub-related templates"""
+    if target_path.exists():
+        click.echo(f"{target_path} already exists")
         return
 
-    # Create .github/workflows directory if it doesn't exist
-    workflow_dir.mkdir(parents=True, exist_ok=True)
+    # Create parent directory if it doesn't exist
+    target_path.parent.mkdir(parents=True, exist_ok=True)
 
     # Copy template from package
-    template_path = ap.paths.templates_path / f"{workflow_name}-workflow-template.yml"
+    template_path = ap.paths.templates_path / template_name
     if not template_path.exists():
         raise FileNotFoundError(
             f"Template file not found: {template_path}\n"
             "This might indicate a corrupted installation. Please reinstall afterpython."
         )
 
-    shutil.copy(template_path, workflow_path)
-    click.echo(f"Created {workflow_path}")
+    shutil.copy(template_path, target_path)
+    click.echo(f"Created {target_path}")
+
+
+def create_workflow(workflow_name: str):
+    """Create a GitHub Actions workflow from template"""
+    if ".yml" in workflow_name:
+        workflow_name = workflow_name.replace(".yml", "")
+
+    user_path = ap.paths.user_path
+    workflow_path = user_path / ".github" / "workflows" / f"{workflow_name}.yml"
+    template_name = f"{workflow_name}-workflow-template.yml"
+
+    _copy_github_template(template_name, workflow_path)
+
+
+def create_dependabot():
+    """Create Dependabot configuration for GitHub Actions updates"""
+    user_path = ap.paths.user_path
+    dependabot_path = user_path / ".github" / "dependabot.yml"
+    template_name = "dependabot-template.yml"
+
+    _copy_github_template(template_name, dependabot_path)