Enable Dependabot #3243

Open
koic wants to merge 1 commit into modelcontextprotocol:main from koic:enable_dependabot

@koic koic commented Jan 24, 2026

Motivation and Context

Follow-up to #3233.

Configure Dependabot to automatically detect updates to the actions used in GitHub Actions (e.g., actions/checkout) and create pull requests for them.

Based on experience, checking for updates on a weekly interval should work well.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Protocol Documentation
  • My changes follow MCP security best practices
  • I have updated the server's README accordingly
  • I have tested this with an LLM client
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have documented all environment variables and configuration options

Follow-up to modelcontextprotocol#3233.

Configure Dependabot to automatically detect updates to the actions used in
GitHub Actions (e.g., `actions/checkout`) and create pull requests for them.

Based on experience, checking for updates on a weekly interval should work well.

@cliffhall added the dependencies label (Pull requests that update a dependency file) Apr 20, 2026

@cliffhall (Member)

@claude review

claude Bot commented Apr 21, 2026

Claude finished @cliffhall's task in 1m 16s


PR Review: Enable Dependabot

  • Gather context
  • Review .github/dependabot.yml
  • Post review feedback

Summary

The configuration is valid and achieves its stated goal. A few optional improvements are worth considering.


.github/dependabot.yml — Review

The configuration is correct. version: 2, package-ecosystem: 'github-actions', directory: '/', and interval: 'weekly' are all valid per the Dependabot schema.

Observations

1. Version inconsistency in workflows (informational)

Scanning the existing workflows, astral-sh/setup-uv is currently pinned at two different versions:

uses: astral-sh/setup-uv@v3   # in one workflow
uses: astral-sh/setup-uv@v5   # in another

Dependabot will start raising PRs for these, which is good — but the existing inconsistency may generate noisy/conflicting PRs. Consider aligning the versions to @v5 before or alongside this change.

2. Consider grouping GitHub Actions updates

With 9+ distinct actions in use, weekly Dependabot runs could generate several individual PRs. The groups option (available since Dependabot v2) bundles related updates into a single PR:

version: 2
updates:
  - package-ecosystem: 'github-actions'
    directory: '/'
    schedule:
      interval: 'weekly'
    groups:
      github-actions:
        patterns:
          - '*'

This is a quality-of-life suggestion, not a blocker.

3. npm and Python ecosystems

This PR intentionally covers only GitHub Actions (as noted in the description — it's a follow-up to #3233). The git history confirms Dependabot is already bumping npm packages, so that ecosystem appears to be covered. If Python (pip/uv) packages aren't yet covered, that would be worth a separate follow-up.


Verdict

Looks good. The PR is minimal, correct, and does exactly what it says. The setup-uv version inconsistency is worth fixing but is a pre-existing issue unrelated to this PR. The grouping suggestion is optional but recommended to reduce PR noise once Dependabot starts running.
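
A check for the version inconsistency raised in observation 1 of the review, as an added example that is not part of the review comment or the repository: it scans workflow text for `uses:` references and reports any action referenced at more than one ref. The file names and workflow bodies in `SAMPLE` are constructed; only the `astral-sh/setup-uv` v3/v5 split comes from the review.

```python
import re
from collections import defaultdict

# `uses: owner/repo[/path]@ref`, optionally quoted, optionally a list item.
# Commented-out lines and local `./path` actions (no @ref) never match.
USES_RE = re.compile(
    r"""^\s*(?:-\s*)?uses:\s*['"]?(?P<action>[^\s@'"#]+)@(?P<ref>[^\s'"#]+)"""
)

# Constructed sample: hypothetical file names and workflow bodies.
SAMPLE = {
    "example-a.yml": (
        "jobs:\n  test:\n    steps:\n"
        "      - uses: actions/checkout@v4\n"
        "      - uses: astral-sh/setup-uv@v3  # older major\n"
    ),
    "example-b.yml": (
        "jobs:\n  build:\n    steps:\n"
        "      - uses: actions/checkout@v4\n"
        "      - name: Install uv\n"
        "        uses: 'astral-sh/setup-uv@v5'\n"
    ),
}


def collect_refs(workflows):
    """Map each action to {ref: [(file, line_no), ...]} across all workflows."""
    refs = defaultdict(lambda: defaultdict(list))
    for path, text in workflows.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            m = USES_RE.match(line)
            # docker:// image references are not versioned actions; skip them.
            if not m or m.group("action").startswith("docker://"):
                continue
            refs[m.group("action").lower()][m.group("ref")].append((path, line_no))
    return refs


def inconsistent_actions(workflows):
    """Return {action: {ref: locations}} for actions used at more than one ref."""
    found = collect_refs(workflows)
    return {a: dict(by_ref) for a, by_ref in found.items() if len(by_ref) > 1}


if __name__ == "__main__":
    for action, by_ref in inconsistent_actions(SAMPLE).items():
        print(action, dict(sorted(by_ref.items())))
```

To run it against a real checkout, build the `workflows` mapping from the files under `.github/workflows/` (path to text) and pass it to `inconsistent_actions`.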
