@kpj2006 kpj2006 commented Dec 25, 2025

Dependabot only runs for ecosystems whose dependency files are present in the repository.
If a dependency ecosystem is not used (e.g., no Cargo.toml, go.mod, etc.), no PRs or notifications are triggered for them.

Any reviewers or assignees entries are best-effort and are silently ignored by GitHub if the referenced team does not exist in the target repository. (For now we don't have a maintainer architecture, hence it ignores it for now.)

Code review is handled by GitHub’s CODEOWNERS (.github/CODEOWNERS) by default.
This ensures correct reviewers are automatically requested without hard-coding org-specific teams in the template.

Maintainers can customize or remove reviewer/assignee settings once the repository’s maintainer structure is finalized.

Summary by CodeRabbit

  • Chores
    • Enabled automated weekly dependency updates across many ecosystems (npm, Actions, Docker, Python, Java, Rust, Go, PHP, .NET, Terraform, etc.), with PR limits, dependency-tracking labels, standardized branch naming and chore(deps) commit prefixes; excludes major upgrades for selected Python ML libraries.
  • Chores
    • Added repository code-ownership entries to designate maintainers for review routing.
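
For reference, two `updates` entries carrying the settings the summary above describes, written as an added example and not the `.github/dependabot.yml` from this PR. The `dependencies` label name is an assumption, and reviewer/assignee settings are left out so that review routing falls to CODEOWNERS:

```yaml
# Added example, not the file from this PR.
version: 2
updates:
  # Python packages: weekly, but hold back major bumps of the ML libraries
  # named in the summary.
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "09:00"
    open-pull-requests-limit: 5
    labels:
      - "dependencies"        # assumed label name
    commit-message:
      prefix: "chore(deps)"
      include: "scope"
    pull-request-branch-name:
      separator: "/"
    ignore:
      - dependency-name: "tensorflow"
        update-types: ["version-update:semver-major"]
      - dependency-name: "torch"
        update-types: ["version-update:semver-major"]
      - dependency-name: "scikit-learn"
        update-types: ["version-update:semver-major"]

  # Workflow actions: same schedule and PR metadata, no ignore rules.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "09:00"
    open-pull-requests-limit: 5
    labels:
      - "dependencies"        # assumed label name
    commit-message:
      prefix: "chore(deps)"
      include: "scope"
    pull-request-branch-name:
      separator: "/"
```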

coderabbitai bot commented Dec 25, 2025

Walkthrough

Adds two new GitHub configuration files: a repository-wide Dependabot policy enabling weekly dependency updates across many ecosystems with standardized PR metadata and branch naming, and a CODEOWNERS file assigning maintainers.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Dependabot configuration: /.github/dependabot.yml | New Dependabot config enabling weekly updates (Monday 09:00) for many ecosystems (npm, GitHub Actions, Docker, Bundler, Cargo, Maven, Gradle, Composer, Go modules, Poetry, Terraform, Pub, NuGet, pip, etc.), PR limit 5, reviewers/assignees set to Maintainers group, dependency labels, commit-message prefix chore(deps) with scope inclusion, branch naming using /, and pip ignore rules blocking major updates for tensorflow, torch, and scikit-learn. |
| Code owners: /.github/CODEOWNERS | Adds CODEOWNERS file listing repository maintainers (kpj2006, Zahnentferner) as owners. |

Sequence Diagram(s)

(omitted)

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Poem

🐇 I nudged two files into the yard,
Weekly checks now run on guard,
PRs labeled, branches neat,
Owners set — a tidy feat.
I twitch my nose and hop—how hard?

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'add dependabot' directly matches the main changes in the PR—adding Dependabot configuration files (.github/dependabot.yml and .github/CODEOWNERS). |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

📜 Recent review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5e516bd and e595daf.

📒 Files selected for processing (1)
  • .github/CODEOWNERS
🔇 Additional comments (1)
.github/CODEOWNERS (1)

1-5: LGTM—well-structured template CODEOWNERS file.

The file provides clear documentation and a straightforward template for repository maintainers to customize. The wildcard pattern * and dual ownership are appropriate defaults, and the template placeholder comment correctly guides future customization.



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1df0dcd and 8237844.

📒 Files selected for processing (2)
  • .github/CODEOWNERS
  • .github/dependabot.yml
🔇 Additional comments (1)
.github/dependabot.yml (1)

1-274: Configuration is well-structured for a template repository.

The file establishes a comprehensive Dependabot setup across multiple ecosystems with consistent scheduling, commit message conventions, and labeling. The broad coverage is appropriate for a template, and as documented in the PR description, Dependabot will silently skip ecosystems without corresponding dependency files. The use of AOSSIE-Org/maintainers as a placeholder is acknowledged and will defer to CODEOWNERS; this is reasonable for a template repository awaiting maintainer structure definition.

@@ -0,0 +1,5 @@
# Default code owners for this repository.
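
Review bot: The header comment on line 1 calls these the default owners "for this repository", but the PR description presents the file as part of a template, so the same entries ship into every repository created from it. If the remaining lines do not already say so, the header should state that the owner entries must be replaced in the derived repository, because a code owner needs write access to that repository to be requested as a reviewer. Only the first of the hunk's 5 lines is shown in this view, so the owner lines themselves (the walkthrough reports kpj2006 and Zahnentferner) cannot be checked here. It is also worth noting in the header that CODEOWNERS only requests reviews and gates a merge only when branch protection requires code owner review.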
Contributor

We do have a problem where many of our repos are lacking reliable maintainers.

A CODEOWNERS file could potentially help with this. But I am not entirely convinced.

Isn't it possible to automatically infer the code owners from the previous contributors?

We have the convention of having, for every project P, a team with the same name P. Wouldn't it be possible to automatically assign ownership of project P to the team P?

Otherwise, I am afraid that CODEOWNERS could become another bureaucratic boilerplate.

What we really need, I think, is a workflow that automatically assigns open PRs in a project P to be reviewed to members of team P and notifies them of this assignment. This would hopefully help in encouraging them to maintain the code.
