Problem
NO getlumos repositories have Dependabot enabled:
- No automated dependency updates
- No security vulnerability alerts
- Dependencies become outdated
- Manual updates required
- Security patches delayed
This affects all 11 repositories in the organization.
Current State
Repositories without Dependabot:
- lumos (Rust + GitHub Actions)
- vscode-lumos (TypeScript + npm)
- nvim-lumos (Lua)
- intellij-lumos (Gradle + Kotlin)
- tree-sitter-lumos (npm + C)
- awesome-lumos (Rust + TypeScript)
- docs-lumos (npm + Docker)
- lumos-action (Shell + GitHub Actions)
- lumos-mode (Emacs Lisp)
- sublime-lumos (None)
- .github (GitHub Actions)
Proposed Solution
Enable Dependabot in ALL repositories with package managers.
Configuration: .github/dependabot.yml
Package ecosystems to monitor:
- cargo (Rust dependencies)
- npm (JavaScript/TypeScript)
- github-actions (workflow dependencies)
- gradle (Kotlin/Java)
Benefits
- Automated security updates
- Dependency freshness maintained
- Reduce manual update toil
- Faster vulnerability patching
- Consistent update cadence
- PR-based review process
Implementation Plan
Phase 1: Core Repositories (Week 1)
Enable for critical repos:
- lumos (cargo + github-actions)
- vscode-lumos (npm + github-actions)
- intellij-lumos (gradle + github-actions)
- tree-sitter-lumos (npm + github-actions)
Phase 2: Supporting Repositories (Week 2)
Enable for remaining repos:
- awesome-lumos (cargo + npm)
- docs-lumos (npm + docker)
- lumos-action (github-actions)
- nvim-lumos (github-actions only)
- .github (github-actions)
Phase 3: Configuration Tuning (Week 3)
Optimize settings:
- Update schedule (daily vs weekly)
- Auto-merge minor/patch versions
- Grouping related updates
- PR limits per ecosystem
- Review assignment
Dependabot Configuration
For Rust repositories (lumos, awesome-lumos):
Monitors:
- Cargo.toml dependencies
- Cargo.lock versions
- Security advisories
- Major/minor/patch updates
Schedule: weekly
PR limit: 5 per ecosystem
Auto-merge: patch versions only (after CI passes)
For npm repositories (vscode-lumos, tree-sitter-lumos, docs-lumos):
Monitors:
- package.json dependencies
- package-lock.json versions
- Security advisories
- Peer dependency conflicts
Schedule: weekly
PR limit: 5 per ecosystem
Auto-merge: patch versions only
For GitHub Actions (all repos with workflows):
Monitors:
- Action versions (e.g., actions/checkout@v4)
- Deprecated actions
- Security updates
Schedule: weekly
PR limit: 3
Auto-merge: all (low risk)
For Gradle (intellij-lumos):
Monitors:
- build.gradle.kts dependencies
- Plugin versions
- Security advisories
Schedule: weekly
PR limit: 5
Auto-Merge Strategy
Safe to auto-merge:
- GitHub Actions updates (low risk)
- Patch version bumps (e.g., 1.2.3 to 1.2.4)
- Security updates (after CI passes)
Require manual review:
- Major version bumps (e.g., 1.x to 2.x)
- Minor version bumps (e.g., 1.2.x to 1.3.x)
- Breaking changes
Dependency Update Cadence
Schedule by ecosystem:
Daily:
- Security vulnerabilities (all ecosystems)
Weekly:
- cargo dependencies
- npm dependencies
- Gradle dependencies
- GitHub Actions
This balances freshness with PR noise.
PR Management
Dependabot will create PRs with:
- Changelog link
- Release notes
- Compatibility score
- Suggested reviewers
- Auto-passing CI (if configured)
Team should:
- Review breaking changes carefully
- Merge security updates quickly
- Batch minor updates when possible
- Monitor for regressions
Security Benefits
Dependabot alerts for:
- Known CVEs in dependencies
- Malicious packages
- Abandoned dependencies
- Security best practices
Automatic PRs for fixes means:
- Faster response to vulnerabilities
- No manual tracking needed
- Audit trail in PR history
Monitoring Dashboard
Track Dependabot effectiveness:
Metrics:
- Total dependency updates per month
- Security vulnerabilities fixed
- Average time to merge update
- PR noise vs value ratio
- Breaking changes caught
Review quarterly to tune configuration.
Rollout Plan
Week 1:
- Create dependabot.yml for lumos repo
- Test configuration
- Verify PRs created
- Tune settings
Week 2:
- Roll out to vscode-lumos
- Roll out to intellij-lumos
- Roll out to tree-sitter-lumos
Week 3:
- Roll out to remaining repos
- Document process
- Train team on review
Week 4:
- Monitor and tune
- Address any issues
- Collect feedback
Configuration Template
Standard dependabot.yml template for Rust+Actions repos:
Key sections:
- version: 2
- updates: array of ecosystems
- schedule: weekly
- assignees: team members
- reviewers: code owners
- labels: dependencies, automated
- open-pull-requests-limit: 5
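A concrete version of that template for a Rust + GitHub Actions repository such as lumos, wired to the schedule, PR limits and labels given in the Dependabot Configuration section. It is an added example rather than the project's own file; the assignee username is a placeholder, and reviewer assignment is assumed to come from the repository's CODEOWNERS file rather than being duplicated here.

```yaml
# Added example: .github/dependabot.yml for a Rust + GitHub Actions repo.
# "LUMOS_OWNER" is a placeholder username, not a real account.
version: 2
updates:
  # Rust crates: Cargo.toml and the pinned versions in Cargo.lock.
  - package-ecosystem: "cargo"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "06:00"
      timezone: "Etc/UTC"
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
      - "automated"
    assignees:
      - "LUMOS_OWNER"          # placeholder
    # Batch patch bumps into one PR so the auto-merge path sees fewer, smaller
    # PRs; minor and major bumps still arrive individually for manual review.
    groups:
      cargo-patches:
        update-types:
          - "patch"
    commit-message:
      prefix: "deps"

  # Actions referenced by `uses:` in .github/workflows/*.yml
  # (directory "/" is how Dependabot is told to scan the workflows folder).
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 3
    labels:
      - "dependencies"
      - "automated"
      - "github-actions"
```

This file only drives version updates on the weekly schedule; the daily security updates in the cadence section are raised as soon as an advisory matches, and require "Dependabot alerts" and "Dependabot security updates" to be switched on in the repository or organization settings.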
Team Training
Document for team:
- How Dependabot works
- When to approve PRs
- How to handle breaking changes
- Auto-merge policies
- Security alert handling
Include in CONTRIBUTING.md for each repo.
Success Criteria
After 1 month:
- All repos have Dependabot enabled
- Security updates merged within 48 hours
- Non-security updates reviewed weekly
- Zero outdated dependencies over 6 months old
- Team comfortable with workflow
After 3 months:
- 90 percent of updates auto-merged (patches)
- Average PR merge time under 3 days
- Zero security vulnerabilities outstanding
- Dependency freshness score over 80 percent
Cost-Benefit Analysis
Cost:
- Initial configuration time: 4-6 hours
- PR review time: 1-2 hours per week
- Occasional breaking change fixes: 2-4 hours per month
Benefit:
- Security vulnerability fixes: Priceless
- Prevented technical debt: 10+ hours per month
- Reduced manual update toil: 5+ hours per month
- Peace of mind: Invaluable
ROI: Positive within first month
Acceptance Criteria
- Dependabot enabled in all applicable repos
- Configuration tested and working
- PRs being created automatically
- Auto-merge configured for safe updates
- Security alerts flowing to team
- Documentation updated
- Team trained on process
Related Issues
All repo-specific CI issues:
- lumos Fix release workflow: GitHub token permissions and deprecated actions #109: Release automation
- vscode-lumos Add format-on-save support for .lumos files #4: CI + publishing
- nvim-lumos Publish VSCode extension to VS Marketplace #1: CI validation
- tree-sitter-lumos Publish VSCode extension to VS Marketplace #1: CI + npm
- lumos-action Add quick fix suggestions for common errors #5: Action testing
- awesome-lumos Publish VSCode extension to VS Marketplace #1: Example validation
- sublime-lumos Publish VSCode extension to VS Marketplace #1: Syntax validation
References
- Dependabot documentation: https://docs.github.com/en/code-security/dependabot
- Configuration options: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
- Auto-merge setup: https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions