Summary
Dependabot is configured for npm and GitHub Actions ecosystems but has no uv ecosystem entry. Python dependencies in pyproject.toml / uv.lock files will not receive automated security update PRs until uv is added to the Dependabot configuration.
Context
PR #868 introduces the first Python skill with dependencies managed via uv and pyproject.toml. Dependabot now supports uv as a native package ecosystem, understanding pyproject.toml and uv.lock directly. This avoids the impedance mismatch of using the pip ecosystem to manage uv-locked dependencies.
The existing .github/dependabot.yml follows a pattern of one entry per ecosystem with directory targeting. Each Python skill directory requires its own entry because Dependabot does not support glob patterns in the directory field.
Architecture: Multi-Skill Scaling
With independent Python projects (one pyproject.toml per skill), each skill directory needs a separate Dependabot entry. This is a one-time step per skill and should be part of the "new Python skill" checklist.
Example configuration for multiple skills (entries under the `updates:` key of .github/dependabot.yml):

```yaml
  - package-ecosystem: "uv"
    directory: "/.github/skills/experimental/powerpoint"
    schedule:
      interval: "weekly"
      day: "monday"
  - package-ecosystem: "uv"
    directory: "/.github/skills/shared/data-processor"
    schedule:
      interval: "weekly"
      day: "monday"
```
Changes Required

| File | Change |
| --- | --- |
| .github/dependabot.yml | Add uv ecosystem entry for each Python skill directory |
Initial entry for the PowerPoint skill (under the `updates:` key):

```yaml
  - package-ecosystem: "uv"
    directory: "/.github/skills/experimental/powerpoint"
    schedule:
      interval: "weekly"
      day: "monday"
```
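Because Dependabot needs one explicit `directory` per Python skill and offers no glob matching, the "new Python skill" checklist step is easy to forget. The following checker, an added example that is not part of the issue or the project, walks a repository for `pyproject.toml` files and compares the directories it finds with the `uv` entries in dependabot.yml. It reports skills with no entry, skills missing a `uv.lock` beside `pyproject.toml`, and stale entries whose directory no longer exists. The sample repository layout and the sample dependabot.yml (including the assumed `npm` and `github-actions` entries at `/`) are constructed fixtures, not the project's real files; the parser is a deliberately minimal line scan so the script runs without PyYAML.

```python
"""Audit Dependabot coverage of uv-managed Python skills.

Added example (not the issue author's or project's code). Assumes the
repository layout and dependabot.yml shown in the constructed fixtures.
"""
import tempfile
from pathlib import Path


def dependabot_directories(yaml_text: str, ecosystem: str = "uv") -> set[str]:
    """Return the ``directory`` values of every entry for ``ecosystem``.

    Minimal line-based scan: Dependabot entries are a flat list of
    ``- package-ecosystem:`` items each followed by a ``directory:`` key.
    Quoted and unquoted scalar values are both accepted.
    """
    found, current_eco = set(), None
    for raw in yaml_text.splitlines():
        line = raw.strip()
        if line.startswith("- package-ecosystem:"):
            current_eco = line.split(":", 1)[1].strip().strip("\"'")
        elif line.startswith("directory:") and current_eco == ecosystem:
            found.add(line.split(":", 1)[1].strip().strip("\"'"))
    return found


def uv_project_directories(repo_root: Path) -> dict[str, bool]:
    """Map each directory holding a pyproject.toml (as a '/'-prefixed path
    relative to the repo root, the form Dependabot expects) to whether a
    uv.lock sits beside it."""
    projects = {}
    for pyproject in repo_root.rglob("pyproject.toml"):
        rel = pyproject.parent.relative_to(repo_root).as_posix()
        key = "/" if rel == "." else "/" + rel
        projects[key] = (pyproject.parent / "uv.lock").is_file()
    return projects


def audit(repo_root: Path, dependabot_yml: str) -> dict[str, list[str]]:
    """Compare discovered projects with configured uv entries."""
    projects = uv_project_directories(repo_root)
    covered = dependabot_directories(dependabot_yml, "uv")
    return {
        # Skill directories Dependabot will silently ignore.
        "missing_entries": sorted(d for d in projects if d not in covered),
        # Entries exist but uv has nothing locked to update.
        "missing_lockfile": sorted(d for d, locked in projects.items() if not locked),
        # Entries pointing at directories that no longer contain a project.
        "stale_entries": sorted(covered - set(projects)),
    }


# Constructed fixture: the assumed existing npm/github-actions entries plus
# the uv entry this issue proposes for the PowerPoint skill.
SAMPLE_DEPENDABOT = """\
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
  - package-ecosystem: "uv"
    directory: "/.github/skills/experimental/powerpoint"
    schedule:
      interval: "weekly"
      day: "monday"
"""


def build_sample_repo(root: Path) -> None:
    """Constructed fixture: two skills, only one of them locked with uv."""
    for rel in ("/.github/skills/experimental/powerpoint",
                "/.github/skills/shared/data-processor"):
        skill_dir = root / rel.lstrip("/")
        skill_dir.mkdir(parents=True)
        (skill_dir / "pyproject.toml").write_text('[project]\nname = "skill"\n')
    (root / ".github/skills/experimental/powerpoint/uv.lock").write_text("version = 1\n")


def run_demo() -> dict[str, list[str]]:
    """Build the fixture in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_repo(root)
        return audit(root, SAMPLE_DEPENDABOT)


if __name__ == "__main__":
    for finding, dirs in run_demo().items():
        print(f"{finding}: {dirs}")
```

Running the audit against the fixture flags `/.github/skills/shared/data-processor` both as uncovered and as lacking a lockfile, which is exactly the state a freshly added skill is in before its checklist step is done; wiring `audit()` into CI turns the acceptance criteria into a failing check rather than a reviewer's memory.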
Acceptance Criteria

- .github/dependabot.yml includes a uv ecosystem entry for the PowerPoint skill directory
- The targeted directory contains both pyproject.toml and uv.lock
- Future Python skills each get their own uv ecosystem entries (no glob support exists)

Dependencies

None. This is a standalone configuration change.

Related