Skip to content

Clarify Dependabot exclusion of test fixtures with comments#190

Closed
dreadn0ught wants to merge 2 commits into
mainfrom
claude/dependabot-ignore-tests-mgyrg4
Closed

Clarify Dependabot exclusion of test fixtures with comments#190
dreadn0ught wants to merge 2 commits into
mainfrom
claude/dependabot-ignore-tests-mgyrg4

Conversation

@dreadn0ught

Copy link
Copy Markdown
Contributor

Summary

Updated the Dependabot configuration to include explanatory comments about why test fixtures are excluded from automated version updates, and removed an outdated exclusion pattern.

Key Changes

  • Added multi-line comment explaining that the test/ directory contains throwaway fixture packages that are intentionally pinned, out of date, or deliberately broken
  • Clarified that the ** glob pattern recursively matches all nested fixture manifests
  • Removed the ossprey/test_*.py exclusion pattern, which is no longer needed

Details

The changes improve maintainability by documenting the rationale behind excluding test fixtures from Dependabot's automated version update PRs. This prevents unnecessary churn from dependency updates on intentionally broken or pinned test fixtures while making the configuration's intent clear to future maintainers.

https://claude.ai/code/session_016t4tMDhWdVwUCe4WXPFWSS

claude added 2 commits July 6, 2026 10:47
Drop the inert `ossprey/test_*.py` exclude-path (Dependabot only scans
dependency manifests, never Python source), and document that `test/**`
recursively covers every nested fixture manifest so no version-update PRs
are opened for the intentionally-pinned/broken test packages.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_016t4tMDhWdVwUCe4WXPFWSS
exclude-paths only suppresses pip version-update PRs; it does not stop
Dependabot *security* alerts/PRs, and the npm/yarn/docker fixtures ride
GitHub's native dependency graph which has no path exclusion. Those
intentionally-vulnerable test fixtures were showing up as open alerts.

Rather than disable Dependabot alerts (needed repo-wide for compliance),
add a weekly workflow that dismisses (as not_used) any open alert whose
manifest lives under test/, leaving real dependency alerts untouched.

Needs a repo secret DEPENDABOT_ALERTS_TOKEN (fine-grained PAT with
"Dependabot alerts: Read and write"); the built-in GITHUB_TOKEN cannot
write Dependabot alerts.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_016t4tMDhWdVwUCe4WXPFWSS
@dreadn0ught dreadn0ught closed this Jul 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants