Dependabot groups feature

[kallal79]

Implementation of validator, tests, and example configuration to handle grouped or multi-ecosystem updates for Dependabot (issue #73).

Summary by CodeRabbit

• New Features
  • Added setup scripts for project initialization (Windows PowerShell and Unix-like systems)
  • Added Dependabot configuration validator tool with documentation
• Documentation
  • Added "Automation & CI" section to README with setup instructions
• Tests
  • Added comprehensive test suite for configuration validation
• Chores
  • Configured npm package with test runner and dependencies
  • Updated .gitignore for Node module dependencies

[coderabbitai]

Walkthrough

Project initialization with npm package configuration, Dependabot validation script, platform-specific setup scripts (Bash and PowerShell), and corresponding test suites. Establishes development environment foundation with testing infrastructure using Vitest.

Changes

Cohort / File(s)	Summary
Project Configuration package.json, .gitignore	Added npm package manifest with Vitest and js-yaml dependencies, test and check scripts, and root-level node_modules ignore rule.
Documentation README.md	Added "🧰 Automation & CI" section documenting Dependabot configuration validator usage, test locations, and sample configuration reference.
Dependabot Validation scripts/validate-dependabot.js, tests/dependabot.test.js	Introduced validateDependabot script that parses and validates Dependabot YAML structure for presence of groups or multi-ecosystem indicators; includes comprehensive test suite covering file-not-found, YAML parse errors, missing updates array, and valid configurations.
Setup Scripts setup.sh, setup.ps1	Added Bash and PowerShell initialization scripts that verify package.json existence, install npm dependencies, and run test suite.
Sample Tests tests/sample.test.js	Added basic sanity test demonstrating Vitest functionality with simple arithmetic assertion.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

Bash Lang, Documentation

Poem

🐰 A template springs to life so bright,
With tests and scripts that shine just right,
Dependabot now knows its place,
npm runs with grace and pace!
Setup hops on any OS—
Hop, hop, hop, here we go! 🚀

🚥 Pre-merge checks | ✅ 2

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Dependabot groups feature' directly relates to the main changes in the pull request, which implement a Dependabot validator and configuration for handling grouped updates.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

Tip

Try Coding Plans. Let us write the prompt for your AI agent so you can ship faster (with fewer bugs).
Share your feedback on Discord.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 7

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@package.json`:
- Around line 1-14: The project is mixing CommonJS and ESM: tests/imports expect
ESM but validate-dependabot.js uses CommonJS while package.json lacks "type":
"module"; fix by either adding "type": "module" to package.json to enable ESM
globally, or convert validate-dependabot.js to ESM (replace
require/module.exports with import/export syntax and update any
__dirname/__filename usage), then run tests to confirm imports of
validate-dependabot.js succeed.

In `@scripts/validate-dependabot.js`:
- Around line 58-61: The file currently only exports validateDependabot and
lacks a CLI entry point; add a main block that runs validateDependabot when the
script is executed directly (check if require.main === module), await the
returned Promise (or call .then/.catch) and exit with appropriate status codes
on success/failure while logging errors via console.error; keep the existing
module.exports = { validateDependabot } so tests still import the function.
- Around line 30-34: Remove the redundant null check on doc: replace the
conditional that currently reads if (!doc || !Array.isArray(doc.updates)) with a
single Array.isArray check (if (!Array.isArray(doc.updates))) since earlier
logic already returns for null/non-object doc; keep pushing the same 'missing
updates array' into issues and returning { ok: false, issues } when the updates
array is not present.
- Around line 36-49: The validator misses checking for a top-level
multi-ecosystem-groups key; update the logic that sets foundGroup to also
inspect doc['multi-ecosystem-groups'] (in the same place it checks doc.groups)
so top-level multi-ecosystem-groups will set foundGroup=true; keep the existing
loop over doc.updates and checks on upd['multi-ecosystem'] and
upd['multi-ecosystem-groups'] unchanged.

In `@setup.ps1`:
- Around line 2-10: Replace direct host writes with pipeline-friendly output:
change the three Write-Host calls ("Running setup (PowerShell)", "Installing npm
dependencies...", "Running tests...") to Write-Output (or Write-Information if
you need informational stream semantics) so messages can be captured/redirected
in CI; keep Test-Path, Write-Error, exit logic and the npm install and
$LASTEXITCODE checks unchanged.

In `@tests/dependabot.test.js`:
- Around line 18-21: Add a beforeAll cleanup to ensure test isolation by
invoking the existing removeConfig() before tests run; locate the test suite in
describe('dependabot configuration validation', ...) and add a beforeAll(() => {
removeConfig(); }) (note beforeAll is already imported), keeping the current
afterAll cleanup intact so tests start and end with a clean state.
- Around line 13-16: The removeConfig helper currently unlinks the file but
leaves the .github directory; update removeConfig to also remove the .github
directory if it is empty after deleting the dependabot.yml file. In the
removeConfig function, after fs.unlinkSync(file) check the directory path (same
as used in writeConfig, e.g., path.join(process.cwd(), '.github')) and call
fs.rmdirSync or fs.rmSync with options only when the directory exists and is
empty to avoid deleting unrelated files; ensure errors are handled or ignored
safely so tests don't fail.

---

ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 10f32ad and 063ebff.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (8)

• .gitignore
• README.md
• package.json
• scripts/validate-dependabot.js
• setup.ps1
• setup.sh
• tests/dependabot.test.js
• tests/sample.test.js

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verification script for module system compatibility

echo "=== Checking for vitest config ==="
fd -t f "vitest.config" --max-depth 2

echo -e "\n=== Checking package.json type field ==="
cat package.json | jq '.type // "not specified (defaults to commonjs)"'

echo -e "\n=== First lines of validate-dependabot.js ==="
head -10 scripts/validate-dependabot.js

echo -e "\n=== Checking for test files and their module syntax ==="
fd -t f "\.test\." --max-depth 3 | head -5
echo -e "\n=== First lines of a test file ==="
fd -t f "\.test\." --max-depth 3 | head -1 | xargs head -10 2>/dev/null || echo "No test files found"

Repository: AOSSIE-Org/Template-Repo

Length of output: 1199

---

Resolve the module system mismatch by adding "type": "module" or converting validate-dependabot.js to ESM.

Test files use ESM syntax (import statements) and import validate-dependabot.js as an ES module, but validate-dependabot.js uses CommonJS (require/module.exports). Since package.json does not specify "type": "module", Node.js defaults to CommonJS, creating an inconsistency. For consistency and clarity, either add "type": "module" to enable ESM throughout the project, or convert validate-dependabot.js to ESM.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 1 - 14, The project is mixing CommonJS and ESM:
tests/imports expect ESM but validate-dependabot.js uses CommonJS while
package.json lacks "type": "module"; fix by either adding "type": "module" to
package.json to enable ESM globally, or convert validate-dependabot.js to ESM
(replace require/module.exports with import/export syntax and update any
__dirname/__filename usage), then run tests to confirm imports of
validate-dependabot.js succeed.

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

Redundant null check for doc.

The check !doc on line 31 is redundant because lines 26-28 already return early if doc is null or not an object.

♻️ Proposed fix

   // the structure: typically at root there's "updates" array.
-  if (!doc || !Array.isArray(doc.updates)) {
+  if (!Array.isArray(doc.updates)) {
     issues.push('missing updates array');
     return { ok: false, issues };
   }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	// the structure: typically at root there's "updates" array.
	if (!doc || !Array.isArray(doc.updates)) {
	issues.push('missing updates array');
	return { ok: false, issues };
	}
	// the structure: typically at root there's "updates" array.
	if (!Array.isArray(doc.updates)) {
	issues.push('missing updates array');
	return { ok: false, issues };
	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/validate-dependabot.js` around lines 30 - 34, Remove the redundant
null check on doc: replace the conditional that currently reads if (!doc ||
!Array.isArray(doc.updates)) with a single Array.isArray check (if
(!Array.isArray(doc.updates))) since earlier logic already returns for
null/non-object doc; keep pushing the same 'missing updates array' into issues
and returning { ok: false, issues } when the updates array is not present.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

GitHub Dependabot dependabot.yml schema multi-ecosystem-groups top-level configuration

💡 Result:

dependabot.yml top-level schema for multi-ecosystem groups

multi-ecosystem-groups is a top-level key (sibling of updates) in version: 2 configs, and its value is a map of group identifiers → group configuration. Each group is then referenced from individual updates entries via multi-ecosystem-group. When you use multi-ecosystem-group, patterns is required on that updates entry. [1]

version: 2

multi-ecosystem-groups:
  infrastructure:
    schedule:
      interval: weekly
    assignees: ["@platform-team"]
    labels: ["infrastructure", "dependencies"]
    milestone: 10
    target-branch: "main"
    commit-message:
      prefix: "infra"
      include: "scope"
    pull-request-branch-name:
      separator: "-"
      prefix: "deps"

updates:
  - package-ecosystem: docker
    directory: /
    patterns: ["*"]
    multi-ecosystem-group: infrastructure

  - package-ecosystem: terraform
    directory: /
    patterns: ["*"]
    multi-ecosystem-group: infrastructure

What you can configure at the group level

GitHub documents these group-level keys for multi-ecosystem-groups:

• schedule
• assignees (additive with ecosystem-level)
• labels (additive with ecosystem-level)
• milestone (group-only)
• target-branch (group-only)
• commit-message (group-only)
• pull-request-branch-name (group-only) [1][2]

Important: If you set group-only keys inside an updates: entry, Dependabot errors; those keys must be under multi-ecosystem-groups. [2]

Sources: [1] GitHub Docs – “Configuring multi-ecosystem updates for Dependabot” (GHES 3.20) • [2] Same doc, “Group-only keys” section.

---

Add check for top-level multi-ecosystem-groups to the validator.

The code checks for top-level groups (line 38) but misses top-level multi-ecosystem-groups, which is a valid Dependabot configuration key. The validator should detect this at the top level, just as it detects updates with individual multi-ecosystem-groups. Add a check for doc['multi-ecosystem-groups'] alongside the existing doc.groups check.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/validate-dependabot.js` around lines 36 - 49, The validator misses
checking for a top-level multi-ecosystem-groups key; update the logic that sets
foundGroup to also inspect doc['multi-ecosystem-groups'] (in the same place it
checks doc.groups) so top-level multi-ecosystem-groups will set foundGroup=true;
keep the existing loop over doc.updates and checks on upd['multi-ecosystem'] and
upd['multi-ecosystem-groups'] unchanged.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Script lacks CLI entry point for direct execution.

The README instructs users to run node scripts/validate-dependabot.js, but the script only exports validateDependabot without executing it. Add a main block to enable direct CLI usage.

🔧 Proposed fix to add CLI entry point

 // Export for tests
 module.exports = {
   validateDependabot,
 };
+
+// CLI entry point
+if (require.main === module) {
+  const result = validateDependabot();
+  if (result.ok) {
+    console.log('✓ Dependabot configuration is valid');
+  } else {
+    console.error('✗ Validation failed:');
+    result.issues.forEach((issue) => console.error(`  - ${issue}`));
+    process.exit(1);
+  }
+}

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	// Export for tests
	module.exports = {
	validateDependabot,
	};
	// Export for tests
	module.exports = {
	validateDependabot,
	};
	// CLI entry point
	if (require.main === module) {
	const result = validateDependabot();
	if (result.ok) {
	console.log('✓ Dependabot configuration is valid');
	} else {
	console.error('✗ Validation failed:');
	result.issues.forEach((issue) => console.error(` - ${issue}`));
	process.exit(1);
	}
	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/validate-dependabot.js` around lines 58 - 61, The file currently only
exports validateDependabot and lacks a CLI entry point; add a main block that
runs validateDependabot when the script is executed directly (check if
require.main === module), await the returned Promise (or call .then/.catch) and
exit with appropriate status codes on success/failure while logging errors via
console.error; keep the existing module.exports = { validateDependabot } so
tests still import the function.

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

Consider replacing Write-Host with Write-Output for better pipeline compatibility.

PSScriptAnalyzer flags Write-Host because it writes directly to the host and cannot be captured, redirected, or suppressed in all environments. For CI pipelines, Write-Output or Write-Information would be more flexible. However, Write-Host is acceptable if this script is intended primarily for interactive use.

♻️ Proposed fix

-Write-Host "Running setup (PowerShell)"
+Write-Output "Running setup (PowerShell)"
 if (!(Test-Path package.json)) {
   Write-Error "package.json not found. Aborting."
   exit 1
 }
-Write-Host "Installing npm dependencies..."
+Write-Output "Installing npm dependencies..."
 npm install
 if ($LASTEXITCODE -ne 0) { Write-Error "npm install failed"; exit $LASTEXITCODE }
-Write-Host "Running tests..."
+Write-Output "Running tests..."

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	Write-Host "Running setup (PowerShell)"
	if (!(Test-Path package.json)) {
	Write-Error "package.json not found. Aborting."
	exit 1
	}
	Write-Host "Installing npm dependencies..."
	npm install
	if ($LASTEXITCODE -ne 0) { Write-Error "npm install failed"; exit $LASTEXITCODE }
	Write-Host "Running tests..."
	Write-Output "Running setup (PowerShell)"
	if (!(Test-Path package.json)) {
	Write-Error "package.json not found. Aborting."
	exit 1
	}
	Write-Output "Installing npm dependencies..."
	npm install
	if ($LASTEXITCODE -ne 0) { Write-Error "npm install failed"; exit $LASTEXITCODE }
	Write-Output "Running tests..."

🧰 Tools

🪛 PSScriptAnalyzer (1.24.0)

[warning] 2-2: File 'setup.ps1' uses Write-Host. Avoid using Write-Host because it might not work in all hosts, does not work when there is no host, and (prior to PS 5.0) cannot be suppressed, captured, or redirected. Instead, use Write-Output, Write-Verbose, or Write-Information.

(PSAvoidUsingWriteHost)

---

[warning] 7-7: File 'setup.ps1' uses Write-Host. Avoid using Write-Host because it might not work in all hosts, does not work when there is no host, and (prior to PS 5.0) cannot be suppressed, captured, or redirected. Instead, use Write-Output, Write-Verbose, or Write-Information.

(PSAvoidUsingWriteHost)

---

[warning] 10-10: File 'setup.ps1' uses Write-Host. Avoid using Write-Host because it might not work in all hosts, does not work when there is no host, and (prior to PS 5.0) cannot be suppressed, captured, or redirected. Instead, use Write-Output, Write-Verbose, or Write-Information.

(PSAvoidUsingWriteHost)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@setup.ps1` around lines 2 - 10, Replace direct host writes with
pipeline-friendly output: change the three Write-Host calls ("Running setup
(PowerShell)", "Installing npm dependencies...", "Running tests...") to
Write-Output (or Write-Information if you need informational stream semantics)
so messages can be captured/redirected in CI; keep Test-Path, Write-Error, exit
logic and the npm install and $LASTEXITCODE checks unchanged.

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

Consider cleaning up the .github directory as well.

The removeConfig function removes the file but leaves the .github directory created by writeConfig. While not critical, consider adding directory cleanup to avoid leaving test artifacts.

♻️ Proposed enhancement

 function removeConfig() {
   const file = path.join(process.cwd(), '.github', 'dependabot.yml');
   if (fs.existsSync(file)) fs.unlinkSync(file);
+  const dir = path.join(process.cwd(), '.github');
+  if (fs.existsSync(dir) && fs.readdirSync(dir).length === 0) {
+    fs.rmdirSync(dir);
+  }
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/dependabot.test.js` around lines 13 - 16, The removeConfig helper
currently unlinks the file but leaves the .github directory; update removeConfig
to also remove the .github directory if it is empty after deleting the
dependabot.yml file. In the removeConfig function, after fs.unlinkSync(file)
check the directory path (same as used in writeConfig, e.g.,
path.join(process.cwd(), '.github')) and call fs.rmdirSync or fs.rmSync with
options only when the directory exists and is empty to avoid deleting unrelated
files; ensure errors are handled or ignored safely so tests don't fail.

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

Add beforeAll cleanup for better test isolation.

Tests rely on a clean state but only clean up in afterAll. If a previous test run failed or was interrupted, stale configs could affect results. Adding beforeAll ensures a clean starting state.

♻️ Proposed fix

 describe('dependabot configuration validation', () => {
+  beforeAll(() => {
+    removeConfig();
+  });
+
   afterAll(() => {
     removeConfig();
   });

Also update the import to include beforeAll:

-import { describe, it, expect, beforeAll, afterAll } from 'vitest';
+import { describe, it, expect, beforeAll, afterAll } from 'vitest';

Note: beforeAll is already imported but not used.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	describe('dependabot configuration validation', () => {
	afterAll(() => {
	removeConfig();
	});
	describe('dependabot configuration validation', () => {
	beforeAll(() => {
	removeConfig();
	});
	afterAll(() => {
	removeConfig();
	});

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/dependabot.test.js` around lines 18 - 21, Add a beforeAll cleanup to
ensure test isolation by invoking the existing removeConfig() before tests run;
locate the test suite in describe('dependabot configuration validation', ...)
and add a beforeAll(() => { removeConfig(); }) (note beforeAll is already
imported), keeping the current afterAll cleanup intact so tests start and end
with a clean state.

[github-actions]

Hello 👋 This PR has had no activity for more than 2 weeks. If you are still working on it, please push an update or leave a comment. Ping a maintainer if you believe it is ready for review or merge! This PR will be automatically closed in 7 days if there is no further activity.