Fallout-build/Fallout

Add Dependabot (or Renovate) for dependency updates

Open

#6 创建于 2026年5月18日

在 GitHub 查看
 (0 评论) (0 反应) (0 负责人)C# (1 fork)github user discovery
good first issuetarget/2026

仓库指标

Star
 (43 star)
PR 合并指标
 (PR 指标待抓取)

描述

Why

Part of the enterprise-grade supply-chain story. Manual NuGet dependency tracking is a non-starter for a project with ~30 direct deps + hundreds of transitives, and the recent CVE-2026-33116 / Scriban incident showed vulnerable deps land on develop and sit until someone notices.

Scope

  • Decide: Dependabot vs Renovate. Dependabot is simpler and GitHub-native; Renovate is more powerful (grouping, schedule, custom managers) but needs an app install. Default: Dependabot for speed-to-value; revisit Renovate if grouping/scheduling becomes a problem.
  • Configure for: nuget (Directory.Packages.props), github-actions (.github/workflows/*.yml), and the dotnet SDK version (global.json).
  • Schedule: weekly bundled PRs by ecosystem; daily for security advisories.
  • Auto-merge: not initially. Triage manually until the CI release pipeline is trustworthy.

Done when

  • .github/dependabot.yml (or renovate.json) committed
  • First batch of update PRs landed
  • Decision documented in CLAUDE.md / docs

Related: enterprise CI/CD positioning.

贡献者指南