[codex] Group dependency updates #348

Open: michaelmwu wants to merge 2 commits into main from michaelmwu/group-dependabot-prs

@michaelmwu michaelmwu commented Jun 29, 2026

Member

Summary

  • consolidate the open Dependabot GitHub Actions, Python uv, and admin dashboard Bun updates into one branch
  • configure Dependabot multi-ecosystem grouping so future version updates arrive as a single dependency-updates PR
  • update the Biome schema URL to match the bumped CLI

Validation

  • uv sync --locked
  • bun install --frozen-lockfile
  • ./scripts/test.sh (1829 passed, 20 skipped; dashboard Vitest 11 passed)
  • ./scripts/lint.sh
  • ./scripts/pyrefly.sh
  • git diff --check

Supersedes

Dependabot PRs #306, #309, #311, #312, #313, #314, #315, #316, #325, #327, #328, #338, #339, #340, and #342.

Summary by CodeRabbit

  • Chores
    • Updated dependency automation to use a shared schedule and update policy across supported ecosystems.
    • Bumped several development and tooling packages, including app build/lint/test tools and GitHub Actions, to newer versions.
    • Refreshed configuration references for the code quality toolchain.
    • Broadened one test dependency version range to allow a wider set of compatible releases.

coderabbitai Bot commented Jun 29, 2026

Warning

Review limit reached

@michaelmwu, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 37 minutes

Review details
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 177a97fb-40ff-41a4-98b3-224ebfef1a2d

📥 Commits

Reviewing files that changed from the base of the PR and between abfbdc5 and c0df619.

📒 Files selected for processing (3)
  • .github/dependabot.yml
  • .github/workflows/docker-smoke.yml
  • .github/workflows/test.yml
📝 Walkthrough

Walkthrough

Centralizes dependabot scheduling into a shared multi-ecosystem-groups entry. Bumps actions/checkout to v7, astral-sh/setup-uv to v8.1.0, and codecov/codecov-action to v7 across CI workflows. Updates admin dashboard devDependencies (Biome, React types, shadcn, Vite, Vitest) and widens the pytest-asyncio constraint in pyproject.toml.

Changes

Dependency and CI Configuration Updates

| Layer / File(s) | Summary |
| --- | --- |
| Centralize dependabot scheduling: .github/dependabot.yml | Adds a multi-ecosystem-groups entry (dependency-updates) with shared daily schedule, cooldown, and commit prefix; refactors all three updates entries to reference it via multi-ecosystem-group. |
| Bump GitHub Actions versions: .github/workflows/test.yml, .github/workflows/docker-smoke.yml | Upgrades actions/checkout v6→v7 and astral-sh/setup-uv v7→v8.1.0 across all jobs; upgrades codecov/codecov-action v6→v7 in the test coverage step. |
| Bump admin dashboard and Python dev dependencies: apps/admin_dashboard/biome.json, apps/admin_dashboard/package.json, pyproject.toml | Updates Biome schema to 2.4.16, bumps devDependencies (Biome, @types/react, shadcn, Vite, Vitest), and widens pytest-asyncio constraint from ~=1.3.0 to >=1.3,<1.5. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~4 minutes

Poem

🐇 Hop, hop, versions leap ahead,
Dependabot groups in one bed,
Actions checkout, now on v7,
Dependency bumps feel like heaven,
The rabbit tidied all the YAML with glee! 🌿

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main change: grouping dependency updates into one branch. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

Copilot AI left a comment

Pull request overview

This PR consolidates several Dependabot-driven dependency bumps (GitHub Actions, Python uv/dev deps, and the admin dashboard Bun toolchain) and configures Dependabot to group future updates into a single multi-ecosystem PR. It also aligns the Biome schema URL with the upgraded Biome CLI used by the admin dashboard.

Changes:

  • Broadened the pytest-asyncio dev dependency constraint to allow newer compatible releases.
  • Bumped admin dashboard dev tooling (Biome, Vite, Vitest, shadcn, React types) and updated the Biome $schema URL accordingly.
  • Updated CI workflow action versions and introduced Dependabot multi-ecosystem grouping for consolidated update PRs.

Reviewed changes

Copilot reviewed 6 out of 8 changed files in this pull request and generated no comments.

Show a summary per file
| File | Description |
| --- | --- |
| pyproject.toml | Relaxes pytest-asyncio version constraint to accept newer releases within the intended minor range. |
| apps/admin_dashboard/package.json | Bumps dashboard devDependencies (Biome, Vite, Vitest, shadcn, React types). |
| apps/admin_dashboard/bun.lock | Updates the Bun lockfile to reflect the dashboard dependency bumps. |
| apps/admin_dashboard/biome.json | Updates Biome schema URL to match the new Biome CLI version. |
| .github/workflows/test.yml | Updates GitHub Actions used by the main CI workflow (checkout/setup-uv/codecov). |
| .github/workflows/docker-smoke.yml | Updates actions/checkout version used by the Docker smoke workflow. |
| .github/dependabot.yml | Adds multi-ecosystem grouping to consolidate future dependency updates into a single PR. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/dependabot.yml:
- Around line 11-15: The Dependabot config places commit-message under an
updates entry for dependency-updates, but it must live on the multi-ecosystem
group instead. Move the commit-message prefix setting into the
multi-ecosystem-groups.dependency-updates definition and remove the
per-ecosystem copy so the config is valid; use the multi-ecosystem-group and
commit-message keys to find the affected section.

In @.github/workflows/docker-smoke.yml:
- Line 17: The docker-smoke workflow currently uses actions/checkout without
disabling token persistence. Update the checkout step in the docker-smoke job to
set persist-credentials to false so the repository token is not kept around
unnecessarily; locate the fix in the actions/checkout usage within the workflow
and adjust that step only.

In @.github/workflows/test.yml:
- Line 15: The actions/checkout step is leaving credentials persisted on disk
unnecessarily. Update each checkout use in the workflow to set
persist-credentials to false, keeping the existing checkout behavior while
ensuring later steps like installs, tests, linting, and git diff do not retain
repo token credentials. Use the actions/checkout step(s) in the workflow as the
reference point.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7687e608-78cb-47c3-8639-8b36ba710d82

📥 Commits

Reviewing files that changed from the base of the PR and between 60b08c3 and abfbdc5.

⛔ Files ignored due to path filters (2)
  • apps/admin_dashboard/bun.lock is excluded by !**/*.lock
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (6)
  • .github/dependabot.yml
  • .github/workflows/docker-smoke.yml
  • .github/workflows/test.yml
  • apps/admin_dashboard/biome.json
  • apps/admin_dashboard/package.json
  • pyproject.toml

Comment thread .github/dependabot.yml Outdated
Comment thread .github/workflows/docker-smoke.yml
Comment thread .github/workflows/test.yml
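
The two checkout findings in the review above can be turned into a repeatable check. The following is an added example, not code from this PR or from any of the reviewers: a line-based scan that reports every actions/checkout step lacking `persist-credentials: false`. The function name and the sample workflow are constructed for illustration, and the scan assumes block-style YAML (a flow-style `with: {...}` mapping would need a real YAML parser).

```python
import re

# Constructed sample workflow (not the repository's file); only the first checkout opts out.
SAMPLE_WORKFLOW = """\
jobs:
  lint:
    steps:
      - uses: actions/checkout@v7
        with:
          persist-credentials: false
      - run: ./scripts/lint.sh
  test:
    steps:
      - name: Check out
        uses: actions/checkout@v7
        with:
          fetch-depth: 0
      - run: ./scripts/test.sh
"""

CHECKOUT = re.compile(r"^\s*(-\s+)?uses:\s*actions/checkout@")
OPT_OUT = re.compile(r"^\s*persist-credentials:\s*false\s*(#.*)?$")
STEP_START = re.compile(r"^(\s*)-\s")


def checkouts_persisting_credentials(workflow_text):
    """Return 1-based line numbers of checkout steps without persist-credentials: false."""
    lines = workflow_text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        if not CHECKOUT.match(line):
            continue
        key_col = line.index("uses:")
        start = i  # walk back to the "- " list item that opens this step
        while start > 0:
            m = STEP_START.match(lines[start])
            if m and len(m.group(1)) < key_col:
                break
            start -= 1
        dash = len(lines[start]) - len(lines[start].lstrip())
        end = start + 1  # the step ends at the next line indented no deeper than "-"
        while end < len(lines) and not (
            lines[end].strip() and len(lines[end]) - len(lines[end].lstrip()) <= dash):
            end += 1
        if not any(OPT_OUT.match(l) for l in lines[start:end]):
            findings.append(i + 1)
    return findings
```

Run it over the text of each file under .github/workflows/ and fail the job when the returned list is non-empty; an explicit `persist-credentials: true` is reported as well.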