chore(ci): add Dependabot config and least-privilege workflow permissions

igerber · claude · igerber · commit 29f436883b8d · 2026-04-25T16:16:13.000-04:00
- Add .github/dependabot.yml covering pip (root), cargo (rust/), and
  github-actions ecosystems on a weekly schedule. Minor/patch updates
  group into one PR per ecosystem; major bumps stay individual.
- Declare workflow-scoped `permissions: contents: read` on ci-gate,
  notebooks, and rust-test workflows so they don't silently inherit
  broader scopes if the repo default is ever changed.

publish.yml and ai_pr_review.yml already declare per-job permissions
and are unchanged.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,46 @@
+version: 2
+updates:
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+      - "python"
+    groups:
+      python-minor-patch:
+        update-types:
+          - "minor"
+          - "patch"
+
+  - package-ecosystem: "cargo"
+    directory: "/rust"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+      - "rust"
+    groups:
+      rust-minor-patch:
+        update-types:
+          - "minor"
+          - "patch"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+      - "github-actions"
+    groups:
+      actions-minor-patch:
+        update-types:
+          - "minor"
+          - "patch"
diff --git a/.github/workflows/ci-gate.yml b/.github/workflows/ci-gate.yml
@@ -5,6 +5,9 @@ on:
     branches: [main]
     types: [opened, synchronize, reopened, labeled, unlabeled]
 
+permissions:
+  contents: read
+
 jobs:
   ci-gate:
     name: CI Gate
diff --git a/.github/workflows/notebooks.yml b/.github/workflows/notebooks.yml
@@ -20,6 +20,9 @@ on:
     # Weekly Sunday 6am UTC — smoke test that notebooks still execute cleanly
     - cron: '0 6 * * 0'
 
+permissions:
+  contents: read
+
 jobs:
   execute-notebooks:
     name: Execute tutorial notebooks
diff --git a/.github/workflows/rust-test.yml b/.github/workflows/rust-test.yml
@@ -19,6 +19,9 @@ on:
       - 'pyproject.toml'
       - '.github/workflows/rust-test.yml'
 
+permissions:
+  contents: read
+
 env:
   CARGO_TERM_COLOR: always
 
