
DEN-5843: Standardize Dependabot configuration #2

Closed
Copilot wants to merge 2 commits into master from copilot/den-5843-standardize-dependabot

Copilot AI commented Feb 17, 2026

Establishes standardized Dependabot configuration for DEN repositories per DEN-5843. Reference implementation: getyourguide/schema-catalog-mcp.

Changes

  • dependabot.yml: Daily updates at 08:30 Berlin time, patch+minor grouping, 7-day cooldown for github-actions
  • dependabot-approve.yml: Auto-approves Dependabot PRs on open/synchronize
  • dependabot-automerge.yml: Auto-merges approved PRs weekdays at 09:00 Berlin time with Slack notifications

    # dependabot.yml example
    groups:
      patch-and-minor:
        update-types:
          - patch
          - minor
    cooldown:
      default-days: 7
      exclude:
        - getyourguide/*

Implementation Reasoning:
Daily schedule aligns with team hours. Grouped updates reduce PR noise. Cooldown periods prevent update fatigue. Automated approval/merge workflow reduces manual overhead for low-risk dependency updates.

Original prompt

Requested by: fabio.ueno@getyourguide.com

Branch naming: Please prefix your branch with DEN-5843-standardize-dependabot

Jira Ticket: DEN-5843

Context:
Standardize Dependabot configuration across DEN repositories with daily schedule, patch+minor grouping, cooldown periods, auto-approve on PR open, and daily weekday auto-merge. Reference: getyourguide/schema-catalog-mcp.

Work Needed:

  1. Update .github/dependabot.yml (MERGE, do not replace):

    • For EVERY existing package-ecosystem entry, add/update these properties (preserve all existing directory, ignore, allow, registries, labels, reviewers, assignees, target-branch):
      open-pull-requests-limit: 5
      schedule:
        interval: daily
        time: "08:30"
        timezone: Europe/Berlin
      groups:
        patch-and-minor:
          update-types:
            - patch
            - minor
    • For github-actions ecosystem, add:
      cooldown:
        default-days: 7
        exclude:
          - getyourguide/*
    • For all other ecosystems (gomod, npm, pip, docker, gradle, maven, cargo, composer, bundler, etc.), add:
      cooldown:
        semver-major-days: 21
        semver-minor-days: 7
        semver-patch-days: 3
        default-days: 7
        exclude:
          - '*getyourguide*'
  2. Create/replace .github/workflows/dependabot-approve.yml:

    name: Dependabot Approve
    
    on:
      pull_request:
        types: [opened, synchronize]
    
    concurrency:
      group: ${{ github.workflow }}${{ github.ref_name != github.event.repository.default_branch && github.ref || github.run_id }}
      cancel-in-progress: ${{ github.ref_name != github.event.repository.default_branch }}
    
    permissions:
      contents: read
      pull-requests: write
    
    jobs:
      auto-approve:
        name: Approve PR
        uses: getyourguide/actions/.github/workflows/dependabot-approve.yml@main
        with:
          pr-url: ${{ github.event.pull_request.html_url }}
  3. Create/replace .github/workflows/dependabot-automerge.yml:

    name: Dependabot Auto Merge
    
    on:
      workflow_dispatch:
      schedule:
        - cron: "0 9 * * 1-5"
    
    concurrency:
      group: ${{ github.workflow }}${{ github.ref_name != github.event.repository.default_branch && github.ref || github.run_id }}
      cancel-in-progress: ${{ github.ref_name != github.event.repository.default_branch }}
    
    permissions:
      pull-requests: write
      id-token: write
    
    jobs:
      auto-merge:
        name: Auto merge
        uses: getyourguide/actions/.github/workflows/dependabot-merge.yml@main
        secrets: inherit
        with:
          slack_ping_support: true
  4. Cleanup: Delete any existing workflows with different names serving the same purpose (e.g., auto-approve-dependabot.yml, dependabot-auto-approve.yml, auto-merge-dependabot.yml).

Implementation Reasoning:
Standardizing Dependabot configuration across DEN repositories to ensure consistent dependency update practices. Daily schedule at 08:30 Berlin time aligns with team working hours. Patch and minor updates are grouped to reduce PR noise. Cooldown periods prevent update fatigue (21 days for major, 7 for minor, 3 for patch). Auto-approve and auto-merge workflows automate the review process for low-risk dependency updates, freeing up developer time.

Note: Include the "Implementation Reasoning" section above in your PR description on GitHub.

Acceptance Criteria:

  • dependabot.yml updated with new schedule, grouping, and cooldown rules for all existing ecosystems
  • Both workflow files created/replaced with standardized versions
  • Old workflow files with different names removed
  • No existing ecosystem entries, directory paths, or custom settings lost
  • YAML is valid and conforms to Dependabot v2 schema

Commit message: chore: standardize dependabot configuration
PR description: Standardizes Dependabot config (schedule, grouping, cooldown, auto-approve, auto-merge) per DEN guidelines. Reference: getyourguide/schema-catalog-mcp.



@gyg-pr-tool gyg-pr-tool bot changed the title [WIP] Standardize Dependabot configuration across repositories DEN-5843: [WIP] Standardize Dependabot configuration across repositories Feb 17, 2026
Co-authored-by: gygrobot <19344429+gygrobot@users.noreply.github.com>
Copilot AI changed the title DEN-5843: [WIP] Standardize Dependabot configuration across repositories chore: standardize dependabot configuration Feb 17, 2026
Copilot AI requested a review from gygrobot February 17, 2026 13:25
@gyg-pr-tool gyg-pr-tool bot changed the title chore: standardize dependabot configuration DEN-5843: chore: standardize dependabot configuration Feb 17, 2026
@gygrobot gygrobot requested a review from fabioueno February 17, 2026 13:31
@fabioueno fabioueno changed the title DEN-5843: chore: standardize dependabot configuration DEN-5843: Standardize Dependabot configuration Feb 19, 2026
@fabioueno fabioueno closed this Feb 19, 2026
@fabioueno fabioueno deleted the copilot/den-5843-standardize-dependabot branch February 19, 2026 14:41
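
An added example, not code from this PR or from the getyourguide repositories: step 1 of the prompt (merge the standard into every existing `updates` entry, then confirm no existing setting was lost) written in Python over the parsed form of `dependabot.yml`. The function names, the `SAMPLE` config and the choice to overwrite an existing `cooldown` are assumptions; the values are the ones listed under "Work Needed".

```python
import copy

# Values copied from the "Work Needed" list in the PR prompt.
SCHEDULE = {"interval": "daily", "time": "08:30", "timezone": "Europe/Berlin"}
GROUP = {"update-types": ["patch", "minor"]}
ACTIONS_COOLDOWN = {"default-days": 7, "exclude": ["getyourguide/*"]}
OTHER_COOLDOWN = {"semver-major-days": 21, "semver-minor-days": 7, "semver-patch-days": 3,
                  "default-days": 7, "exclude": ["*getyourguide*"]}
MANAGED = ("open-pull-requests-limit", "schedule", "cooldown", "groups")

def standardize(config):
    """Return a copy of a parsed dependabot.yml with the standard merged in."""
    out = copy.deepcopy(config)
    for entry in out.get("updates", []):
        entry["open-pull-requests-limit"] = 5
        entry["schedule"] = dict(SCHEDULE)
        # Merge into existing groups so repository-specific groups survive.
        entry["groups"] = {**(entry.get("groups") or {}), "patch-and-minor": copy.deepcopy(GROUP)}
        is_actions = entry.get("package-ecosystem") == "github-actions"
        # Assumption: an existing cooldown block is overwritten by the standard one.
        entry["cooldown"] = copy.deepcopy(ACTIONS_COOLDOWN if is_actions else OTHER_COOLDOWN)
    return out

def unmanaged(entry):
    """Settings the standard does not own, including groups other than patch-and-minor."""
    view = {k: v for k, v in entry.items() if k not in MANAGED}
    for name, group in (entry.get("groups") or {}).items():
        if name != "patch-and-minor":
            view["groups." + name] = group
    return view

def lost_settings(before, after):
    """List (ecosystem, key) pairs that the rewrite dropped or altered."""
    new = after.get("updates", [])
    lost = []
    for i, old in enumerate(before.get("updates", [])):
        kept = unmanaged(new[i]) if i < len(new) else {}
        lost += [(old.get("package-ecosystem"), key)
                 for key, value in unmanaged(old).items() if kept.get(key) != value]
    return lost

# Constructed input: the parsed form of a small dependabot.yml.
SAMPLE = {"version": 2, "updates": [
    {"package-ecosystem": "github-actions", "directory": "/", "schedule": {"interval": "weekly"}},
    {"package-ecosystem": "npm", "directory": "/web",
     "ignore": [{"dependency-name": "left-pad"}],
     "groups": {"lint": {"patterns": ["eslint*"]}}},
]}
```

Running `lost_settings(original, rewritten)` on the parsed files before and after the change checks the acceptance criterion that no existing ecosystem entries, directory paths, or custom settings are lost.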