
Conversation

@ScottBrenner ScottBrenner commented Jan 9, 2026

Description

Automates #230 - reference https://docs.github.com/en/actions/security-guides/using-githubs-security-features-to-secure-your-use-of-github-actions#keeping-the-actions-in-your-workflows-secure-and-up-to-date

Suggest enabling https://docs.github.com/en/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners#enabling-or-disabling-for-your-repository as well

Checklist

  • I am familiar with the Contributing Guidelines.
  • Testing
    • New or existing tests cover these changes
    • Added tests
    • Created an issue to follow-up
    • NA
  • Documentation
    • The documentation is up to date with these changes
    • Added new documentation
    • NA

Summary by CodeRabbit

  • Chores
    • Enabled automated dependency updates for GitHub Actions workflows, scheduling weekly checks to keep workflow dependencies up to date and improve security and stability.


@ScottBrenner ScottBrenner requested a review from a team as a code owner January 9, 2026 01:16
@ScottBrenner ScottBrenner requested a review from AyodeAwe January 9, 2026 01:16
copy-pr-bot bot commented Jan 9, 2026

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

coderabbitai bot commented Jan 9, 2026

📝 Walkthrough

Adds a Dependabot configuration file at .github/dependabot.yml to enable automatic updates for GitHub Actions workflows (version: 2), scanning the repository root and scheduling weekly update checks.

Changes

Cohort / File(s): Dependabot configuration (.github/dependabot.yml)
Summary: Added new Dependabot config (version 2) targeting GitHub Actions workflows in the repository root with a weekly update schedule.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The pull request title 'Add Dependabot configuration for GitHub Actions' directly and accurately summarizes the main change: adding a Dependabot configuration file for GitHub Actions.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @.github/dependabot.yml:
- Line 7: There's a typo in the comment string "Check the for updates once a week" in .github/dependabot.yml; update that comment to read "Check for updates once a week" so the extra "the" is removed and the sentence is correct.
📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 392e7a0 and 4bc6290.

📒 Files selected for processing (1)
  • .github/dependabot.yml
🔇 Additional comments (1)
.github/dependabot.yml (1)

1-9: Configuration looks solid.

The Dependabot configuration is well-structured and correctly targets GitHub Actions workflows. The weekly schedule is a reasonable default for dependency checks, and using directory: "/" properly scans the entire repository recursively for workflow files.

If desired in the future, the configuration can be extended with additional fields like allow, labels, or reviewers to customize how Dependabot creates PRs, but the current minimal setup is appropriate for getting started.

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
.github/dependabot.yml (1)

1-9: LGTM! Valid Dependabot configuration for GitHub Actions.

The configuration is correct and meets the PR objective of automating GitHub Actions updates. The weekly schedule is reasonable, and the directory setting will properly scan workflows in .github/workflows/.

You may consider adding optional enhancements to improve the Dependabot workflow:

  • open-pull-requests-limit: 5 to control how many PRs are opened concurrently
  • labels: ["dependencies", "github-actions"] to auto-label PRs for easier filtering
  • reviewers or assignees to automatically assign team members to review Dependabot PRs
  • commit-message: prefix: "chore" to customize commit message formatting

These are entirely optional and can be added incrementally as needed.

📝 Example with optional enhancements
 version: 2
 updates:
   # Enable version updates for GitHub Actions
   - package-ecosystem: "github-actions"
     # Look for GitHub Actions workflows in the `root` directory
     directory: "/"
     # Check for updates once a week
     schedule:
       interval: "weekly"
+    # Limit the number of open pull requests
+    open-pull-requests-limit: 5
+    # Add labels to pull requests
+    labels:
+      - "dependencies"
+      - "github-actions"
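Review bot: `open-pull-requests-limit: 5` is already Dependabot's default for version updates, so the added "Limit the number of open pull requests" lines change nothing as written; either drop them or pick a value that actually differs from the default. On the `labels` block, Dependabot ignores any label that does not exist in the repository, so "dependencies" and "github-actions" need to be created in the repo's label settings before those two lines take effect.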
📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4bc6290 and 01daad4.

📒 Files selected for processing (1)
  • .github/dependabot.yml
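The two review comments above describe what a valid github-actions Dependabot entry needs and which optional fields are worth adding; the checker below, added here as an example that is not part of the PR or the project, validates a parsed dependabot.yml against those points. The dicts are constructed to mirror the PR's minimal config and a deliberately weak variant, and `check_dependabot_config`, `ACCEPTED_INTERVALS` and `DEFAULT_PR_LIMIT` are names assumed for this example.

```python
"""Sanity-check a parsed .github/dependabot.yml (added example; not project code)."""
from typing import Any

# Schedule intervals this checker accepts (assumed subset of what Dependabot supports).
ACCEPTED_INTERVALS = {"daily", "weekly", "monthly"}
DEFAULT_PR_LIMIT = 5  # Dependabot opens at most five version-update PRs by default


def check_dependabot_config(config: dict[str, Any]) -> list[str]:
    """Return findings as strings; an empty list means the config passes."""
    findings: list[str] = []
    if config.get("version") != 2:
        findings.append("version: must be 2")
    updates = config.get("updates")
    if not isinstance(updates, list) or not updates:
        return findings + ["updates: must be a non-empty list"]
    ecosystems: set[str] = set()
    for i, entry in enumerate(updates):
        where = f"updates[{i}]"
        eco = entry.get("package-ecosystem")
        if isinstance(eco, str):
            ecosystems.add(eco)
        else:
            findings.append(f"{where}: missing package-ecosystem")
        if not isinstance(entry.get("directory"), str):
            findings.append(f"{where}: missing directory")
        interval = (entry.get("schedule") or {}).get("interval")
        if interval not in ACCEPTED_INTERVALS:
            findings.append(f"{where}: schedule.interval must be one of {sorted(ACCEPTED_INTERVALS)}")
        limit = entry.get("open-pull-requests-limit")
        if limit is not None and (not isinstance(limit, int) or limit < 0):
            findings.append(f"{where}: open-pull-requests-limit must be a non-negative integer")
        elif limit == DEFAULT_PR_LIMIT:  # setting the default explicitly is a no-op
            findings.append(f"{where}: open-pull-requests-limit {limit} is already the default")
        labels = entry.get("labels", [])
        if not (isinstance(labels, list) and all(isinstance(lb, str) for lb in labels)):
            findings.append(f"{where}: labels must be a list of strings")
    if "github-actions" not in ecosystems:
        findings.append("no github-actions entry: workflow action versions will not be updated")
    return findings


# Constructed to mirror the PR's minimal .github/dependabot.yml.
MINIMAL_CONFIG = {"version": 2, "updates": [{"package-ecosystem": "github-actions",
                  "directory": "/", "schedule": {"interval": "weekly"}}]}
# Constructed weak variant: only npm is covered and the interval is misspelled.
WEAK_CONFIG = {"version": 2, "updates": [{"package-ecosystem": "npm", "directory": "/",
               "schedule": {"interval": "weekl"}}]}

if __name__ == "__main__":
    for name, cfg in (("minimal", MINIMAL_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, check_dependabot_config(cfg) or "OK")
```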
