Fix Dependabot CI failures and improve monorepo configuration

[Copilot]

Problem

Dependabot PRs were consistently failing CI checks due to lockfile synchronization issues in the pnpm monorepo setup. The root cause was:

1. CI workflow used --frozen-lockfile which prevents lockfile updates during dependency installation
2. Dependabot was configured to update individual workspace packages (/packages/mobile and /packages/server) instead of the root directory
3. Lockfile conflicts occurred because Dependabot would update workspace package.json files but the root pnpm-lock.yaml remained unchanged

This resulted in CI failures with errors like:

ERR_PNPM_OUTDATED_LOCKFILE Cannot install with "frozen-lockfile" because pnpm-lock.yaml is not up to date with packages/server/package.json

Solution

1. Smart CI Lockfile Handling

Updated .github/workflows/ci.yml to conditionally handle Dependabot PRs:

- name: Install dependencies
  run: |
    if [[ "${{ github.actor }}" == "dependabot[bot]" ]]; then
      pnpm install --no-frozen-lockfile
    else
      pnpm install --frozen-lockfile
    fi

This approach:

• ✅ Allows Dependabot PRs to update lockfiles as needed
• ✅ Maintains security by keeping --frozen-lockfile for regular PRs
• ✅ Preserves existing CI behavior for non-Dependabot changes

2. Optimized Dependabot Configuration

Simplified .github/dependabot.yml for better pnpm monorepo compatibility:

• Removed workspace-specific configurations that caused lockfile conflicts
• Centralized dependency management to root directory only
• Fixed placeholder values (replaced maintainer-username with actual GitHub username)
• Improved commit message formatting with proper scope prefixes

Before:

- package-ecosystem: "npm"
  directory: "/packages/mobile"  # ❌ Causes lockfile issues
- package-ecosystem: "npm"
  directory: "/packages/server"  # ❌ Causes lockfile issues

After:

- package-ecosystem: "npm"
  directory: "/"  # ✅ Manages entire monorepo correctly

Testing

• ✅ Local build, lint, and test pipelines all pass
• ✅ Conditional logic tested for both regular users and Dependabot
• ✅ Configuration validated against pnpm monorepo best practices
• ✅ Documentation updated to reflect changes

Impact

• Dependabot PRs will now pass CI checks instead of failing on lockfile conflicts
• Security maintained for regular PRs with frozen lockfile validation
• Simplified configuration reduces maintenance overhead
• Better commit messages with proper scope prefixes for dependency updates

Future Dependabot PRs will use format like chore(deps): bump package-name from X.X.X to Y.Y.Y and successfully pass all CI checks.

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.