From 72207e37225ba1ae5ce44fe8a40485a5533d2d94 Mon Sep 17 00:00:00 2001 From: Alex Gorevski Date: Tue, 17 Feb 2026 12:11:31 -0800 Subject: [PATCH] ci(dependabot): add Docker ecosystem monitoring (#633) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Problem: The Dependabot configuration monitors Cargo and GitHub Actions dependencies but does not track Docker base image updates. Stale base images in the Dockerfile can accumulate unpatched vulnerabilities. Solution: Add a Docker package-ecosystem entry to dependabot.yml that proposes weekly base image updates, grouped by minor/patch, with a 3-PR concurrency limit. Labels (ci, dependencies) match the existing GitHub Actions ecosystem entry for consistent triage routing. Testing: Validated YAML syntax. Dependabot will activate automatically on the next scheduled scan after merge. Ref: zeroclaw-labs/zeroclaw#618 (item 1 — Dependency Update Automation) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/dependabot.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 1696124..2f88c8e 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -33,3 +33,20 @@ updates: update-types: - minor - patch + + - package-ecosystem: docker + directory: "/" + schedule: + interval: weekly + target-branch: main + open-pull-requests-limit: 3 + labels: + - "ci" + - "dependencies" + groups: + docker-minor-patch: + patterns: + - "*" + update-types: + - minor + - patch \ No newline at end of file
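Review bot: The `docker-minor-patch` group in this hunk only collects `minor` and `patch` updates, so a major base-image bump, and any tag Dependabot cannot parse as a version (a codename-only tag, for example), will arrive as a separate ungrouped PR that still counts against `open-pull-requests-limit: 3`; if that is the intent, say so in a comment beside the group, otherwise add a second group covering `major` so the limit is not consumed by stragglers. Two smaller points: `directory: "/"` only covers a Dockerfile at the repository root, so confirm there are no Dockerfiles in subdirectories that should also be listed; and the hunk ends with `\ No newline at end of file`, which this entry should fix by terminating the final `- patch` line with a newline. The `target-branch: main` key is harmless but redundant if `main` is the default branch; drop it unless the existing entries above also set it.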