chore: consolidate dependabot config using directories array #19754
Migrate from individual directory entries to the new 'directories' (plural) array feature announced in GitHub's public beta. This maximizes consolidation to reduce duplication while maintaining all existing functionality.

Changes:
- Consolidate 14 gomod entries into 2 entries (86% reduction)
  - Root module (special config with daily schedule, ignore/groups)
  - All tool modules (13 directories with weekly schedule)
- Consolidate 9 github-actions entries into 1 entry (89% reduction)
  - Root workflows + all local actions in one consolidated entry
- Consolidate 6 docker entries into 1 entry, added 4 missing images (10 total)
  - Added: ci/splunk, image/roxctl, scale/image, scanner/image/scannerctl
- Reduce file size from 479 to 151 lines (68% reduction)
- Update validation script to support both singular and plural formats

Overall: 22 entries → 6 entries (73% reduction)

All go.mod files maintain dependabot coverage. Some specific labels were removed for simplification (area/operator, area/scanner, ci-all-qa-tests, auto-merge, auto-retest), keeping only "dependencies" label. The monthly schedule for operator/tests/controller/metrics was changed to weekly for consistency.

User request: Consolidate all go.mod, docker, and github-actions entries; verify all Dockerfiles are handled.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
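A consolidation like the one described above can be checked by expanding both configs to per-directory effective settings and diffing them. The following is an added example, not the PR's validation script or any project code; `OLD` and `NEW` are constructed samples, and `/tools/example-sdk` is a hypothetical path standing in for a module that carried a `groups` block.

```python
# Added example. OLD and NEW are constructed samples shaped like the result of
# yaml.safe_load() on a dependabot.yaml; '/tools/example-sdk' is a hypothetical path.
OLD = {"updates": [
    {"package-ecosystem": "gomod", "directory": "/operator/tools/envtest/",
     "schedule": {"interval": "weekly"}, "labels": ["dependencies", "area/operator"]},
    {"package-ecosystem": "gomod", "directory": "/tools/example-sdk",
     "schedule": {"interval": "weekly"}, "labels": ["dependencies"],
     "groups": {"operator-framework": {"patterns": ["github.com/operator-framework/*"]}}},
    {"package-ecosystem": "docker", "directory": "operator/tests/controller/metrics",
     "schedule": {"interval": "monthly"}, "labels": ["dependencies"]},
]}
NEW = {"updates": [
    {"package-ecosystem": "gomod",
     "directories": ["/operator/tools/envtest", "/tools/example-sdk"],
     "schedule": {"interval": "weekly"}, "labels": ["dependencies"]},
    {"package-ecosystem": "docker",
     "directories": ["ci/splunk", "/operator/tests/controller/metrics"],
     "schedule": {"interval": "weekly"}, "labels": ["dependencies"]},
]}

def norm(path):  # 'a/b', '/a/b' and '/a/b/' name the same directory
    return "/" + path.strip("/")

def expand(config):
    """Map (ecosystem, directory) -> the settings that apply to that directory."""
    effective = {}
    for entry in config["updates"]:
        for d in entry.get("directories") or [entry["directory"]]:
            effective[(entry["package-ecosystem"], norm(d))] = {
                "labels": set(entry.get("labels", [])),
                "groups": set(entry.get("groups", {})),
                "interval": entry["schedule"]["interval"],
            }
    return effective

def drift(old, new):
    """List coverage, label, group and schedule differences between two configs."""
    before, after, findings = expand(old), expand(new), []
    for key in sorted(before.keys() | after.keys()):
        where = f"{key[0]} {key[1]}"
        if key not in before or key not in after:
            findings.append(f"{where}: " + ("newly covered" if key in after else "coverage lost"))
            continue
        for field in ("labels", "groups"):
            findings += [f"{where}: {field} lost {x}"
                         for x in sorted(before[key][field] - after[key][field])]
        if before[key]["interval"] != after[key]["interval"]:
            findings.append(f"{where}: interval {before[key]['interval']} -> {after[key]['interval']}")
    return findings
```

Calling `drift(OLD, NEW)` returns one line per behaviour change, which makes dropped labels, dropped groups and schedule changes visible in review even when the YAML diff is a large rewrite.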
Hey - I've left some high level feedback:
- In the consolidated gomod tools entry, some directories that previously had the `area/operator` label (e.g., under `/operator/tools/...`) now only get the generic dependency labels; confirm whether losing the more specific area label is intentional or reintroduce it via a separate entry or additional labels.
- The previous `operator-sdk` gomod configuration had a `groups.operator-framework` grouping which is dropped in the consolidated gomod block; if that grouping is still desired, it should be preserved on the new multi-directory entry or split out into its own config.
- Several docker directories that used to carry the `ci-all-qa-tests` (and in some cases `area/operator`) label (e.g., `image/rhel`, `image/postgres`, `scanner/image/*`, `operator/…`) now only get the generic dependency label in the consolidated docker entry; please verify that this behavior change is intended or restore the tailored labels where needed.
Summary by CodeRabbit
Walkthrough
The pull request consolidates multiple Dependabot ecosystem entries (gomod, docker, github-actions) using a new
🧹 Nitpick comments (2)
.github/dependabot.yaml (2)
78-104: Consolidation of tool modules looks correct. The 13 tool module directories are properly consolidated. Minor observation: line 82 has a trailing slash (`/operator/tools/envtest/`) while others don't. This likely works but is inconsistent.
Optional: Remove trailing slash for consistency
directories: - '/operator/tools/controller-gen' - - '/operator/tools/envtest/' + - '/operator/tools/envtest' - '/operator/tools/kubebuilder/'🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/dependabot.yaml around lines 78 - 104, The directories list in the dependabot configuration has an inconsistent trailing slash: change the entry '/operator/tools/envtest/' to '/operator/tools/envtest' to match the other directory entries in the package-ecosystem block and keep path formatting consistent with the existing entries (check the directories array that contains '/operator/tools/controller-gen', '/operator/tools/kubebuilder/', etc., and update only the '/operator/tools/envtest/' string).
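Review bot: the unchanged context line `- '/operator/tools/kubebuilder/'` directly after the `+` line still ends in a slash, so removing it only from `'/operator/tools/envtest/'` leaves the list inconsistent and contradicts the statement that the other entries have none. Drop the trailing slash from both entries, or leave both as they are.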
106-127: Docker paths use relative format while others use absolute. Docker directories (lines 109-118) lack the leading `/` prefix used consistently in gomod and github-actions sections. Both formats work, but the inconsistency may cause confusion for maintainers.
Optional: Add leading `/` for consistency
- package-ecosystem: 'docker' directories: - - 'ci/splunk' - - 'image/postgres' - - 'image/rhel' - - 'image/roxctl' - - 'operator/' - - 'operator/tests/controller/metrics' - - 'scale/image' - - 'scanner/image/db' - - 'scanner/image/scanner' - - 'scanner/image/scannerctl' + - '/ci/splunk' + - '/image/postgres' + - '/image/rhel' + - '/image/roxctl' + - '/operator' + - '/operator/tests/controller/metrics' + - '/scale/image' + - '/scanner/image/db' + - '/scanner/image/scanner' + - '/scanner/image/scannerctl'🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/dependabot.yaml around lines 106 - 127, The Docker dependabot entry (package-ecosystem: 'docker') uses relative paths in the directories list; update each entry in that list (the strings under directories for the docker block) to use the same leading '/' style as other sections (e.g., change 'ci/splunk' to '/ci/splunk', 'image/postgres' to '/image/postgres', etc.) so the form is consistent with gomod and github-actions entries while leaving other keys (schedule, labels, commit-message) unchanged.
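Review bot: in the `+` lines, `'operator/'` becomes `'/operator'`, which drops the trailing slash as well as adding the leading one, while the other nine entries only gain a leading `/`. Call out that second change in the suggestion, and apply the same trailing-slash rule to the gomod list so every `directories` block follows one path convention.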
📒 Files selected for processing (2)
- .github/dependabot.yaml
- scripts/ci/jobs/check-dependabot-gomod.sh
Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files
@@ Coverage Diff @@
## master #19754 +/- ##
=======================================
Coverage 49.59% 49.59%
=======================================
Files 2756 2756
Lines 208036 208036
=======================================
Hits 103183 103183
Misses 97192 97192
Partials 7661 7661
Images are ready for the commit at 43534a5. To use with deploy scripts, first
| schedule: | ||
| interval: 'weekly' | ||
| day: 'wednesday' | ||
| open-pull-requests-limit: 3 |
Is the open pull request limit of three now shared across all the directories or still per directory?
You're right, this will apply to all deps. Then it is of no use for us.
Why not just bump it to 20 or so?
| open-pull-requests-limit: 3 | ||
| labels: | ||
| - "dependencies" | ||
| - "area/operator" |
I don't know why we needed the area/* labels but we will lose this now. Is this not a problem?
I think labeler will add it back:
Lines 23 to 25 in 496d0ac
| groups: | ||
| operator-framework: | ||
| patterns: | ||
| - "github.com/operator-framework/*" |
I think we need this to keep our sanity...
| day: 'wednesday' | ||
| open-pull-requests-limit: 3 | ||
| labels: | ||
| - "ci-all-qa-tests" |
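Review bot: the `- "ci-all-qa-tests"` label on this entry is among the labels the description lists as removed, and the thread only explains how `area/*` labels might be re-applied, not this one. If CI selects jobs based on that label, keep it on the consolidated entry that covers these directories, or state in the description how Dependabot PRs will receive it after the change.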