From cad12dc4f251d1f3f135be00a30178e9b37c148a Mon Sep 17 00:00:00 2001
From: Alexey Romanov
Date: Sun, 30 Nov 2025 12:51:07 +0000
Subject: [PATCH] Dependabot config

---
 .github/dependabot.yml | 67 ++++++++++++++++++++++++++++++++++++
 docs/MONOREPO_MERGER_PLAN.md | 51 +++++++++++++++++++++++++++
 2 files changed, 118 insertions(+)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000000..0a8e5c20ab
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,67 @@
+# Dependabot configuration
+# - Only security updates (version updates disabled via open-pull-requests-limit: 0)
+# - Dependencies grouped within each ecosystem/directory
+# - 3-day minimum release age for new versions (so they can't be unpublished in NPM)
+ # Note: For pnpm workspaces (root /), all workspace packages are updated together.
+# Separate directories with their own lock files get separate PRs.
+
+version: 2
+
+updates:
+  # NPM/PNPM packages - root workspace (covers packages/react-on-rails, etc.)
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    # Disable version update PRs - only security updates will be created
+    open-pull-requests-limit: 0
+    cooldown:
+      default-days: 3
+    groups:
+      npm-security:
+        applies-to: security-updates
+        patterns:
+          - "*"
+
+  # Ruby gems - Open source gem
+  - package-ecosystem: "bundler"
+    directory: "/react_on_rails"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 0
+    cooldown:
+      default-days: 3
+    groups:
+      bundler-security:
+        applies-to: security-updates
+        patterns:
+          - "*"
+
+  # Ruby gems - Pro gem
+  - package-ecosystem: "bundler"
+    directory: "/react_on_rails_pro"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 0
+    cooldown:
+      default-days: 3
+    groups:
+      bundler-security:
+        applies-to: security-updates
+        patterns:
+          - "*"
+
+  # GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 0
+    cooldown:
+      default-days: 3
+    groups:
+      actions-security:
+        applies-to: security-updates
+        patterns:
+          - "*"
diff --git a/docs/MONOREPO_MERGER_PLAN.md b/docs/MONOREPO_MERGER_PLAN.md
index 75504e8875..8c6f0e4aac 100644
--- a/docs/MONOREPO_MERGER_PLAN.md
+++ b/docs/MONOREPO_MERGER_PLAN.md
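Review bot: The npm ecosystem is configured for the root workspace only (`directory: "/"`), yet the plan document added in this same commit (docs/MONOREPO_MERGER_PLAN.md, "Current Configuration (Pre-Phase 6)") lists a second npm entry for `/spec/react_on_rails/dummy-for-generators` as a Yarn-based project; the header comment itself says directories with their own lock files need their own entries, so if that directory does have its own lockfile its dependencies receive no security updates from this file. Either add the entry, `- package-ecosystem: "npm"` / `directory: "/spec/react_on_rails/dummy-for-generators"` with the same schedule, limit, cooldown and group, or drop it from the doc so the two stay consistent. Separately, `open-pull-requests-limit: 0` only suppresses version-update PRs; security PRs still depend on Dependabot security updates being enabled in the repository settings, which this file cannot do, so a comment beside the limit such as `# Security-update PRs require "Dependabot security updates" to be enabled in repo settings` would save the next reader a wrong assumption. The header also relies on `cooldown` for the NPM unpublish window; confirm that the cooldown applies to security-update PRs and not only to version updates before depending on it for that purpose.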
@@ -476,6 +476,9 @@ After the initial merge, the following CI adjustments may be needed:
 - [ ] Remove empty `react_on_rails_pro/` directory
 - [ ] Update all require paths in Ruby code
 - [ ] Update gemspec file paths and dependencies
+- [ ] **Update `.github/dependabot.yml`** to reflect final directory structure:
+  - Remove `/react_on_rails_pro` bundler entry (directory no longer exists)
+  - Update bundler directory from `/react_on_rails` to `/` (root now has both gemspecs)
 
 **License Compliance:**
 
@@ -660,10 +663,12 @@ After the initial merge, the following CI adjustments may be needed:
 ### Critical License Rules
 
 1. **Directory Classification:**
+
    - **MIT Licensed:** `lib/react_on_rails/` (including specs), `packages/react-on-rails/` (including tests)
    - **Pro Licensed:** All directories explicitly listed in LICENSE.md under "React on Rails Pro License"
 
 2. **LICENSE.md Updates:**
+
    - Must be updated whenever pro directories are moved or renamed
    - Must accurately reflect current directory structure
    - Pro directories must be explicitly listed
@@ -741,6 +746,52 @@ license-compliance:
 run: ruby script/check-license-compliance.rb
 ```
 
+## Configuration Files
+
+When directories are moved or renamed during the merger, the following configuration files must be updated to reflect the new structure:
+
+| File | What to Update |
+| ------------------------ | ----------------------------------------------- |
+| `.github/dependabot.yml` | `directory:` entries for bundler/npm ecosystems |
+| `.rubocop.yml` | Exclusion patterns |
+| `eslint.config.ts` | Ignore patterns |
+| `.prettierignore` | Ignored directories |
+| `knip.ts` | Ignore patterns |
+
+### Dependabot Configuration
+
+The `.github/dependabot.yml` file configures automated security updates. It must be kept in sync with the repository structure.
+
+**Current Configuration (Pre-Phase 6):**
+
+```yaml
+# Bundler entries
+- directory: '/react_on_rails' # Open source gem
+- directory: '/react_on_rails_pro' # Pro gem
+
+# NPM entries
+- directory: '/' # Root pnpm workspace
+- directory: '/spec/react_on_rails/dummy-for-generators' # Yarn-based generator dummy
+```
+
+**Final Configuration (Post-Phase 6):**
+
+```yaml
+# Bundler entries
+- directory: '/' # Root now contains both gemspecs
+
+# NPM entries (unchanged)
+- directory: '/'
+- directory: '/spec/react_on_rails/dummy-for-generators'
+```
+
+**When to Update dependabot.yml:**
+
+- When Gemfile locations change
+- When package.json files are added/moved/removed
+- When new workspaces are added
+- When directories containing lock files are restructured
+
 ## Risk Management
 
 ### High-Risk Phases