Add dependabot configuration to bump Stream conventions#192

Merged
aleksandar-apostolov merged 1 commit into develop from dependabot
Apr 28, 2026

Conversation

@gpunto gpunto commented Apr 28, 2026

Goal

Add dependabot configuration so that PRs bumping Stream conventions will be created automatically by dependabot.

Implementation

Add .github/dependabot.yml with configuration to only update workflows/actions & stream plugins

Testing

We'll enable dependabot in the repo settings & check that PRs are opened properly

Checklist

  • Issue linked (if any)
  • Tests/docs updated
  • I have signed the Stream CLA (required for external contributors)

Summary by CodeRabbit

  • Chores
    • Configured automated daily dependency update checks for GitHub Actions and Gradle ecosystem dependencies.

github-actions Bot commented Apr 28, 2026

PR checklist ✅

All required conditions are satisfied:

  • Title length is OK (or ignored by label).
  • At least one pr: label exists.
  • Sections ### Goal, ### Implementation, and ### Testing are filled.

🎉 Great job! This PR is ready for review.

@gpunto gpunto added the pr:ci CI changes label Apr 28, 2026

github-actions Bot commented Apr 28, 2026

SDK Size Comparison 📏

| SDK | Before | After | Difference | Status |
|---|---|---|---|---|
| stream-feeds-android-client | 2.52 MB | 2.52 MB | 0.00 MB | 🟢 |

@gpunto gpunto marked this pull request as ready for review April 28, 2026 11:45

coderabbitai Bot commented Apr 28, 2026

Walkthrough

A new Dependabot configuration file is introduced to enable automated dependency checks running daily across two ecosystems: GitHub Actions and Gradle. For Gradle, updates are allowlisted to only io.getstream.* dependencies.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Dependabot Configuration: .github/dependabot.yml | Introduces daily dependency update checks for github-actions and gradle ecosystems, restricting Gradle updates to io.getstream.* artifacts. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 Dependabot hops with joy today,
Checking versions every single way,
GitHub Actions and Gradle streams,
Keeping your dependencies in dreams!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title 'Add dependabot configuration to bump Stream conventions' directly and clearly summarizes the main change—adding a Dependabot configuration file for automated dependency updates. |
| Description check | ✅ Passed | The pull request description includes all required sections from the template (Goal, Implementation, Testing, Checklist) with substantive content addressing the purpose, approach, and verification plan. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@coderabbitai coderabbitai Bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/dependabot.yml (1)

13-20: ⚠️ Potential issue | 🟠 Major

Gradle dependency allowlist format mismatch will block Maven dependency updates.

Lines 13–20 use plugin-style names (dots: io.getstream.project, io.getstream.android.library), but actual Maven dependencies in gradle/libs.versions.toml use colon format (io.getstream:stream-android-core-annotations, io.getstream:stream-android-core). Dependabot's dependency-name for Gradle matches dependency names in manifests, which are Maven coordinates. The current allowlist will not match these dependencies, preventing PRs from being opened.

Update the allow rules to match Maven coordinate style:

Suggested fix
     allow:
-      - dependency-name: "io.getstream.project"
-      - dependency-name: "io.getstream.android.library"
-      - dependency-name: "io.getstream.android.application"
-      - dependency-name: "io.getstream.android.test"
-      - dependency-name: "io.getstream.java.library"
-      - dependency-name: "io.getstream.java.platform"
-      - dependency-name: "io.getstream.publish"
+      - dependency-name: "io.getstream:*"
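
Review bot: The single `+` line replaces all seven plugin-ID entries with the group wildcard `io.getstream:*`, so the allowlist widens from seven named plugins to every artifact in the io.getstream group, and no rule is left that literally matches a name such as io.getstream.project. The PR description scopes Gradle updates to Stream plugins, so consider keeping the seven entries and adding a coordinate rule alongside them only if library bumps are also wanted, and confirm which name form Dependabot reports for the plugins before deleting any of them.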
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/dependabot.yml around lines 13 - 20, The dependabot allowlist uses
plugin-style names (io.getstream.project, io.getstream.android.library, etc.)
that don't match Maven coordinates in gradle/libs.versions.toml; update the
dependency-name entries (the lines currently containing io.getstream.project,
io.getstream.android.library, io.getstream.android.application,
io.getstream.android.test, io.getstream.java.library,
io.getstream.java.platform, io.getstream.publish) to Maven coordinate style or a
group wildcard so Dependabot can match Gradle/Maven deps (for example replace
each plugin-style entry with either the exact Maven coordinates used in
libs.versions.toml like "io.getstream:stream-android-core-annotations" /
"io.getstream:stream-android-core" etc., or use a group wildcard
"io.getstream:*" to allow all io.getstream artifacts).

📥 Commits

Reviewing files that changed from the base of the PR and between c1abb69 and 1344815.

📒 Files selected for processing (1)
  • .github/dependabot.yml
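
An added example, not part of the PR or of CodeRabbit's review: an offline check of which dependency names an `allow` list covers and which rules match nothing, assuming only that `*` in `dependency-name` matches zero or more characters. The plugin IDs and Maven coordinates are the ones quoted in the review above; `com.example:some-lib` is a constructed placeholder, and the code does not decide which name form Dependabot reports for a given dependency.

```python
import re

def to_regex(pattern):
    # Only "*" is special (zero or more characters); everything else is literal.
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")))

def audit(allow, names):
    """Return (covered names, uncovered names, allow rules matching nothing)."""
    rules = {p: to_regex(p) for p in allow}
    covered = [n for n in names if any(r.fullmatch(n) for r in rules.values())]
    uncovered = [n for n in names if n not in covered]
    dead = [p for p, r in rules.items() if not any(r.fullmatch(n) for n in names)]
    return covered, uncovered, dead

# Allow list as shown on the "-" lines of the suggested fix.
ORIGINAL_ALLOW = [
    "io.getstream.project",
    "io.getstream.android.library",
    "io.getstream.android.application",
    "io.getstream.android.test",
    "io.getstream.java.library",
    "io.getstream.java.platform",
    "io.getstream.publish",
]
# Allow list as shown on the "+" line of the suggested fix.
SUGGESTED_ALLOW = ["io.getstream:*"]

# Constructed inventories: the two name forms the review contrasts.
PLUGIN_IDS = list(ORIGINAL_ALLOW)
MODULES = [
    "io.getstream:stream-android-core",
    "io.getstream:stream-android-core-annotations",
]
THIRD_PARTY = ["com.example:some-lib"]  # constructed placeholder

def report():
    # Run each allow list against each name form and against everything.
    everything = PLUGIN_IDS + MODULES + THIRD_PARTY
    return {
        "original_vs_modules": audit(ORIGINAL_ALLOW, MODULES),
        "suggested_vs_plugins": audit(SUGGESTED_ALLOW, PLUGIN_IDS),
        "combined_vs_all": audit(ORIGINAL_ALLOW + SUGGESTED_ALLOW, everything),
    }

if __name__ == "__main__":
    for case, (covered, uncovered, dead) in report().items():
        print(case, "covered:", covered, "uncovered:", uncovered, "dead:", dead)
```

A rule that shows up as dead against the names Dependabot actually reports in its update log is one that will never open a PR.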

@aleksandar-apostolov aleksandar-apostolov merged commit 668c310 into develop Apr 28, 2026
9 checks passed
@aleksandar-apostolov aleksandar-apostolov deleted the dependabot branch April 28, 2026 12:41