Summary
Dependabot is configured for npm and GitHub Actions ecosystems but has no uv ecosystem entry. Python dependencies in pyproject.toml / uv.lock files will not receive automated security update PRs until uv is added to the Dependabot configuration.
Context
PR #868 introduces the first Python skill with dependencies managed via uv and pyproject.toml. Dependabot now supports uv as a native package ecosystem, understanding pyproject.toml and uv.lock directly. This avoids the impedance mismatch of using the pip ecosystem to manage uv-locked dependencies.
The existing .github/dependabot.yml follows a pattern of one entry per ecosystem with directory targeting. Each Python skill directory requires its own entry because Dependabot does not support glob patterns in the directory field.
Architecture: Multi-Skill Scaling
With independent Python projects (one pyproject.toml per skill), each skill directory needs a separate Dependabot entry. This is a one-time step per skill and should be part of the "new Python skill" checklist.
Example configuration for multiple skills:
```yaml
  - package-ecosystem: "uv"
    directory: "/.github/skills/experimental/powerpoint"
    schedule:
      interval: "weekly"
      day: "monday"
  - package-ecosystem: "uv"
    directory: "/.github/skills/shared/data-processor"
    schedule:
      interval: "weekly"
      day: "monday"
```
Changes Required
| File | Change |
|---|---|
| .github/dependabot.yml | Add uv ecosystem entry for each Python skill directory |
Initial entry for the PowerPoint skill:
```yaml
  - package-ecosystem: "uv"
    directory: "/.github/skills/experimental/powerpoint"
    schedule:
      interval: "weekly"
      day: "monday"
```
Acceptance Criteria
- .github/dependabot.yml includes a uv ecosystem entry for the PowerPoint skill directory
- Dependabot recognizes the pyproject.toml and uv.lock in the targeted directory
- Existing npm and GitHub Actions Dependabot entries remain unaffected
- Dependabot dashboard shows the uv ecosystem as active
- Future Python skills are added as separate uv ecosystem entries (no glob support exists)
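Because Dependabot does not expand globs in `directory`, the "one uv entry per skill" rule is easy to forget when a second Python skill lands. The following is an added example (not code from this issue or the repository) of a CI-style check that lists every skill directory holding a pyproject.toml and reports those without an exact-match uv entry; it parses the flat `updates:` entries line by line rather than with a YAML library, and the second skill path and the sample dependabot.yml are constructed.

```python
import re
from pathlib import PurePosixPath

ENTRY_RE = re.compile(r'^\s*-\s*package-ecosystem:\s*"?([\w-]+)"?\s*$')
DIR_RE = re.compile(r'^\s*directory:\s*"?([^"\s]+)"?\s*$')

def parse_entries(dependabot_yml: str) -> list[tuple[str, str]]:
    """Return (ecosystem, directory) pairs from the `updates:` list, in file order."""
    entries, ecosystem = [], None
    for line in dependabot_yml.splitlines():
        if m := ENTRY_RE.match(line):
            ecosystem = m.group(1)
        elif (m := DIR_RE.match(line)) and ecosystem:
            entries.append((ecosystem, m.group(1)))
            ecosystem = None  # the next `- package-ecosystem:` line opens a new entry
    return entries

def skill_dirs(pyproject_paths: list[str]) -> list[str]:
    """Repo-relative pyproject.toml paths -> Dependabot `directory` values (leading slash)."""
    return sorted("/" + PurePosixPath(p).parent.as_posix() for p in pyproject_paths)

def missing_uv_entries(dependabot_yml: str, pyproject_paths: list[str]) -> list[str]:
    """Skill directories with no exact-match uv entry; globs are not honoured, so none count."""
    covered = {d for eco, d in parse_entries(dependabot_yml) if eco == "uv"}
    return [d for d in skill_dirs(pyproject_paths) if d not in covered]

# Constructed sample: two Python skills on disk, only the PowerPoint skill covered so far.
SAMPLE_DEPENDABOT = """\
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule: {interval: "weekly"}
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule: {interval: "weekly"}
  - package-ecosystem: "uv"
    directory: "/.github/skills/experimental/powerpoint"
    schedule:
      interval: "weekly"
      day: "monday"
"""
SAMPLE_PYPROJECTS = [
    ".github/skills/experimental/powerpoint/pyproject.toml",
    ".github/skills/shared/data-processor/pyproject.toml",  # hypothetical second skill
]

if __name__ == "__main__":
    for d in missing_uv_entries(SAMPLE_DEPENDABOT, SAMPLE_PYPROJECTS):
        print(f"no uv Dependabot entry for {d}")
```

In a real repository the pyproject.toml list would come from a `git ls-files` or `Path.rglob` walk under `.github/skills`, and a non-empty result should fail the CI job.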
Dependencies
None. This is a standalone configuration change.
Related
- PR feat(skills): add PowerPoint automation skill with YAML-driven deck generation #868 — PowerPoint automation skill (first Python skill)
- feat(ci): Add Python file extensions to copyright/SPDX header validation #883 — Copyright/SPDX header validation for Python
- feat(ci): Add Python to CodeQL analysis language matrix #884 — CodeQL Python integration
- feat(skills): Mandate unit testing, extend CI coverage, and document language support process #634 — Prior CI coverage expansion work (closed)