ci(github): add Dependabot configuration for Composer and GitHub Actions#18

Merged
nanasess merged 1 commit into main from add-dependabot on Aug 28, 2025

Conversation

@nanasess (Owner)

This pull request adds a new Dependabot configuration file to automate dependency updates for Composer packages and GitHub Actions workflows.

Dependency management automation:

  • Added .github/dependabot.yml to enable scheduled weekly updates for Composer dependencies and GitHub Actions, with limits on open pull requests and custom commit message prefixes.

@claude (claude bot) commented Aug 28, 2025

Claude finished @nanasess's task


PR Review: Dependabot Configuration

Todo List:

  • Read the Dependabot configuration file
  • Analyze configuration against best practices
  • Check project dependencies and structure for context
  • Review security considerations
  • Evaluate performance impact
  • Provide comprehensive feedback

Review Feedback

This PR adds a well-structured Dependabot configuration that will help keep the project's dependencies up to date. Here's my detailed review:

Code Quality & Best Practices

  • Configuration structure: The YAML is well-formatted and follows Dependabot v2 syntax correctly
  • Appropriate ecosystems: Correctly targets both composer (PHP dependencies) and github-actions
  • Reasonable scheduling: Weekly updates strike a good balance between staying current and avoiding noise
  • Commit message conventions: The prefixes deps and ci align well with conventional commit standards

🔍 Specific Configuration Analysis

Composer ecosystem (.github/dependabot.yml:3-10):

  • Correctly configured for PHP project with composer.json in root
  • Will monitor: phpseclib/phpseclib, phpunit/phpunit, squizlabs/php_codesniffer

GitHub Actions ecosystem (.github/dependabot.yml:12-19):

  • Will monitor action versions in .github/workflows/ci.yml: actions/checkout@v4, shivammathur/setup-php@v2

⚠️ Potential Considerations

  1. Open PR limit: open-pull-requests-limit: 10 seems reasonable, but could be reduced to 5 for a smaller project to avoid overwhelming maintainers

  2. No version constraints: Consider adding versioning-strategy: "increase" to prefer patch/minor updates over major version bumps for more stability

  3. No ignore patterns: For a library project, you might want to consider ignoring pre-release versions:

    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]  # Only for major version updates if desired

🔒 Security Considerations

  • Low risk: Dependabot PRs are safe by design: they only update dependency versions rather than adding new code
  • Good practice: Automated dependency updates help ensure security patches are applied promptly
  • Review process: PRs will still require manual review before merging, maintaining security oversight

🏃 Performance Considerations

  • Minimal impact: Configuration has no runtime performance impact
  • CI efficiency: Weekly schedule prevents excessive CI runs while keeping dependencies current
  • Bandwidth: Updates will only occur when new versions are available

📋 Test Coverage

  • No direct testing needed: Dependabot configuration doesn't require tests
  • Indirect benefit: Updated dependencies will run through existing CI pipeline (PHPUnit tests across PHP 8.1-8.4)
  • Validation: Each Dependabot PR will be tested automatically via the CI workflow

🎯 Recommendations

Optional improvements (not blocking):

# Consider adding these options for better control:
versioning-strategy: "increase"  # Prefer smaller version bumps
ignore:
  - dependency-name: "phpunit/phpunit"
    update-types: ["version-update:semver-major"]  # Avoid PHPUnit major updates without review

Minor suggestion: Consider reducing open-pull-requests-limit to 5 for easier management.

Overall Assessment

This is a solid, well-thought-out Dependabot configuration that follows best practices. The configuration is appropriate for a PHP library project and will help maintain security and compatibility. The weekly schedule and commit message formatting show good consideration for maintainer workflow.

Recommendation: ✅ Approve - This change will improve the project's dependency management with minimal risk.
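For reference, here is a .github/dependabot.yml that matches what the description and the review above state (weekly Composer and GitHub Actions updates, an open-PR cap, deps/ci commit prefixes), with the reviewer's suggested ignore rule for major phpunit/phpunit bumps applied. This is an added reconstruction, not the file merged in this PR (which is not shown on the page); the directory value, key layout and comments are assumptions.

```yaml
# Added example: .github/dependabot.yml reconstructed from the PR discussion, not the merged file.
version: 2
updates:
  # Composer (PHP) dependencies; composer.json is assumed to sit in the repository root.
  - package-ecosystem: "composer"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10      # cap on concurrent Dependabot PRs (the review suggests 5 for a small project)
    commit-message:
      prefix: "deps"
    # Reviewer's suggestion: patch/minor PRs for phpunit/phpunit still arrive,
    # but major bumps are held back so a maintainer decides when to take them.
    ignore:
      - dependency-name: "phpunit/phpunit"
        update-types: ["version-update:semver-major"]

  # Action versions pinned in .github/workflows/*.yml (e.g. actions/checkout@v4, shivammathur/setup-php@v2).
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    commit-message:
      prefix: "ci"
```

Each PR Dependabot opens from this file still runs through the existing CI workflow, so the PHPUnit matrix (PHP 8.1-8.4) is what actually validates an update before a maintainer merges it.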


@nanasess nanasess merged commit 3da9373 into main Aug 28, 2025
25 checks passed