@Copilot Copilot AI commented Sep 19, 2025

Successfully onboarded the repository to Dependabot for automated dependency updates, refined based on maintainer feedback to target testing dependencies plus critical Microsoft.Extensions.AI packages with optimal organization.

What's Added

Dependabot Configuration (.github/dependabot.yml)

  • Testing Dependency Monitoring: Automatically tracks testing dependencies from Directory.Packages.props that use version variables (e.g., $(System9Version))
  • Microsoft.Extensions.AI Monitoring: Ensures Microsoft.Extensions.AI packages with version variables are updated in lockstep with the library
  • GitHub Actions Monitoring: Keeps workflow actions updated for security and compatibility
  • Weekly Schedule: Updates run every Monday at 06:00 UTC to balance freshness with maintenance overhead

Focused Package Grouping

To minimize PR noise, related packages are grouped together:

  • Microsoft Extensions AI: Microsoft.Extensions.AI.Abstractions and Microsoft.Extensions.AI (using version variables)
  • Testing Frameworks: xunit, Microsoft.NET.Test.Sdk, coverlet, Moq, GitHubActionsTestLogger
  • Microsoft Extensions Testing: Microsoft.Extensions packages used in tests (DependencyInjection, Hosting, Logging, Logging.Console, Options - all using version variables)
  • OpenTelemetry Testing: OpenTelemetry packages for testing and samples
  • Serilog Testing: Serilog packages for testing and samples
  • Other Testing: Individual testing packages like Anthropic.SDK, JsonSchema.Net, etc.

Key Features

  • Central Package Management: Fully supports the repository's Directory.Packages.props with version variables like $(System9Version)
  • Multi-Framework Compatible: Works seamlessly with netstandard2.0, net8.0, and net9.0 targets
  • Controlled Updates: Limited to 5 concurrent dependency PRs and 5 GitHub Actions PRs
  • Proper Labeling: All PRs tagged with dependencies and testing or github-actions
  • Security Focused: Ensures timely updates for security vulnerabilities in testing infrastructure
  • Clean Configuration: Uses group-based approach with wildcard ignore patterns for maintainability
  • Version Variable Focus: Only monitors packages using version variables that benefit from automated coordination, excluding packages with fixed version strings that require manual updates

Scope

Included: Testing dependencies and Microsoft.Extensions.AI packages that use version variables:

  • Test frameworks (xunit, Moq, coverlet)
  • Microsoft.Extensions packages used in tests with $(System9Version)
  • Microsoft.Extensions.AI.Abstractions and Microsoft.Extensions.AI with $(MicrosoftExtensionsAIVersion)
  • OpenTelemetry packages for samples/testing
  • Serilog packages for samples/testing
  • Development tools (Anthropic.SDK, JsonSchema.Net, etc.)

Excluded:

  • Product dependencies with fixed version strings (Microsoft.Extensions.Hosting.Abstractions, System.Text.Json, etc.)
  • Packages requiring manual coordination (Microsoft.Extensions.TimeProvider.Testing at 9.5.0, Microsoft.Extensions.AI.OpenAI at 9.8.0-preview)
  • Framework-specific packages for netstandard2.0, net8.0, net9.0
  • Build infrastructure packages (Microsoft.SourceLink.GitHub)

Benefits

  1. Automated Security Updates: Critical security patches applied automatically to testing infrastructure
  2. AI Package Synchronization: Microsoft.Extensions.AI packages with version variables stay in sync with library development
  3. Reduced Maintenance Overhead: Grouped updates minimize individual PR reviews
  4. Compatibility Assurance: Regular updates help catch breaking changes early
  5. Product Stability: Core product dependencies and packages with fixed versions remain stable through manual management
  6. Coordination Flexibility: Packages requiring manual framework version updates (e.g., $(System9Version) to $(System10Version)) are excluded since they need coordinated changes anyway

The configuration ensures Microsoft.Extensions.AI packages are kept current while maintaining careful control over product dependencies and excluding packages with fixed versions that require manual coordination with framework updates.

Fixes #799.
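An added sketch of a `.github/dependabot.yml` matching the description above; it is not the file merged in this PR. The group names, the exact-name `ignore` entries and the omission of the "Other Testing" packages are assumptions, while package names, schedule, limits and labels are taken from the description.

```yaml
# Added illustration, not the repository's actual file.
# Group names and the ignore layout are assumptions.
version: 2
updates:
  - package-ecosystem: "nuget"
    directory: "/"                # Directory.Packages.props lives at the repo root
    schedule:
      interval: "weekly"
      day: "monday"
      time: "06:00"               # interpreted as UTC when no timezone is set
    open-pull-requests-limit: 5
    labels: ["dependencies", "testing"]
    groups:
      # Exact names, so Microsoft.Extensions.AI.OpenAI is not pulled into the group.
      microsoft-extensions-ai:
        patterns:
          - "Microsoft.Extensions.AI"
          - "Microsoft.Extensions.AI.Abstractions"
      testing-frameworks:
        patterns: ["xunit*", "Microsoft.NET.Test.Sdk", "coverlet*", "Moq", "GitHubActionsTestLogger"]
      microsoft-extensions-testing:
        patterns:
          - "Microsoft.Extensions.DependencyInjection"
          - "Microsoft.Extensions.Hosting"
          - "Microsoft.Extensions.Logging"
          - "Microsoft.Extensions.Logging.Console"
          - "Microsoft.Extensions.Options"
      opentelemetry-testing:
        patterns: ["OpenTelemetry*"]
      serilog-testing:
        patterns: ["Serilog*"]
    # Packages the description lists as excluded (fixed versions, manual coordination).
    ignore:
      - dependency-name: "Microsoft.Extensions.Hosting.Abstractions"
      - dependency-name: "System.Text.Json"
      - dependency-name: "Microsoft.Extensions.TimeProvider.Testing"
      - dependency-name: "Microsoft.Extensions.AI.OpenAI"
      - dependency-name: "Microsoft.SourceLink.GitHub"
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "06:00"
    open-pull-requests-limit: 5
    labels: ["dependencies", "github-actions"]
```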



@Copilot Copilot AI changed the title [WIP] Onboard repo to dependabot Onboard repository to Dependabot for automated dependency updates Sep 19, 2025
@Copilot Copilot AI requested a review from eiriktsarpalis September 19, 2025 13:00
Copilot finished work on behalf of eiriktsarpalis September 19, 2025 13:00
@Copilot Copilot AI changed the title Onboard repository to Dependabot for automated dependency updates Onboard repository to Dependabot for automated testing dependency updates Sep 19, 2025
@Copilot Copilot AI requested a review from eiriktsarpalis September 19, 2025 13:09
Copilot finished work on behalf of eiriktsarpalis September 19, 2025 13:09
@Copilot Copilot AI requested a review from eiriktsarpalis September 19, 2025 13:36
Copilot finished work on behalf of eiriktsarpalis September 19, 2025 13:36
Copilot finished work on behalf of eiriktsarpalis September 19, 2025 13:42
@Copilot Copilot AI requested a review from eiriktsarpalis September 19, 2025 13:42
@Copilot Copilot AI changed the title Onboard repository to Dependabot for automated testing dependency updates Onboard repository to Dependabot for automated testing and AI dependency updates Sep 19, 2025
Copilot finished work on behalf of eiriktsarpalis September 19, 2025 13:56
@Copilot Copilot AI requested a review from eiriktsarpalis September 19, 2025 13:56
@Copilot Copilot AI requested a review from eiriktsarpalis September 19, 2025 14:01
Copilot finished work on behalf of eiriktsarpalis September 19, 2025 14:01
@eiriktsarpalis eiriktsarpalis marked this pull request as ready for review September 19, 2025 15:29
@Copilot Copilot AI requested a review from eiriktsarpalis October 10, 2025 13:16
Copilot finished work on behalf of eiriktsarpalis October 10, 2025 13:16
@eiriktsarpalis eiriktsarpalis merged commit 564f210 into main Oct 10, 2025
3 checks passed
@eiriktsarpalis eiriktsarpalis deleted the copilot/fix-799 branch October 10, 2025 14:37