
fix(deps): remove dependabot ecosystems for test-only fixtures#336

Open
soul2zimate wants to merge 1 commit into guacsec:main from soul2zimate:bot

Conversation

@soul2zimate
Contributor

fix(deps): remove dependabot ecosystems for test-only fixtures

Removes gradle, npm, pip, and gomod package ecosystems that only scan test fixtures where exclude-paths isn't working, preventing unwanted PRs like #335 for non-project dependencies.

@qodo-code-review
Contributor

Review Summary by Qodo

Remove unused Dependabot package ecosystems for test fixtures

🐞 Bug fix


Walkthroughs

Description
• Remove unused Dependabot ecosystems (gradle, npm, pip, gomod)
• Prevent unwanted dependency update PRs for test fixtures
• Keep only Maven and GitHub Actions ecosystems active
Diagram
flowchart LR
  A["Dependabot Config"] -- "Remove gradle, npm, pip, gomod" --> B["Maven + GitHub Actions only"]
  B -- "Prevents test fixture PRs" --> C["Cleaner dependency updates"]


File Changes

1. .github/dependabot.yml ⚙️ Configuration changes +0/-24

Remove unused Dependabot package ecosystems

• Removed gradle package ecosystem configuration
• Removed npm package ecosystem configuration
• Removed pip package ecosystem configuration
• Removed gomod package ecosystem configuration
• Retained maven and github-actions ecosystems


@qodo-code-review
Contributor

qodo-code-review bot commented Mar 4, 2026

Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (0) 📎 Requirement gaps (0)



Advisory comments

1. Ecosystem updates removed 🐞 Bug ⛯ Reliability
Description
Dependabot will no longer open update PRs for Gradle/Node/Python/Go modules in this repo. This
matches the current repo layout where those manifests are used as test fixtures, but it should be
documented because future additions of real Gradle/npm/pip/gomod projects would not get Dependabot
coverage until entries are re-added.
Code

.github/dependabot.yml[L9-32]

-  - package-ecosystem: "gradle"
-    directory: "/"
-    schedule:
-      interval: "daily"
-    exclude-paths:
-      - "src/test/**"
-  - package-ecosystem: "npm"
-    directory: "/"
-    schedule:
-      interval: "daily"
-    exclude-paths:
-      - "src/test/**"
-  - package-ecosystem: "pip"
-    directory: "/"
-    schedule:
-      interval: "daily"
-    exclude-paths:
-      - "src/test/**"
-  - package-ecosystem: "gomod"
-    directory: "/"
-    schedule:
-      interval: "daily"
-    exclude-paths:
-      - "src/test/**"
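Review bot: the hunk removes the four entries outright but leaves nothing in the file that records why gradle, npm, pip and gomod are absent, which is exactly the documentation gap raised above. A YAML comment next to the remaining `updates:` entries closes it without touching behaviour, for example:
`# gradle/npm/pip/gomod are intentionally not listed: the only manifests for`
`# those ecosystems in this repo are test fixtures under src/test/**`
Worth stating there as well that every removed entry used `directory: "/"` with `exclude-paths: - "src/test/**"`, so a maintainer who later adds a real Gradle, npm, pip or Go module project at the root has to re-add the whole entry, not just re-enable an exclusion.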
Evidence
Dependabot is now configured only for Maven and GitHub Actions. The repository build is Maven-based
(root pom.xml), while Gradle/JS/Python/Go manifests are referenced by tests from
src/test/resources/tst_manifests, indicating they are fixtures rather than build inputs for this
repo.

.github/dependabot.yml[1-12]
pom.xml[1-12]
src/test/java/io/github/guacsec/trustifyda/providers/Gradle_Provider_Test.java[36-71]
src/test/java/io/github/guacsec/trustifyda/providers/Javascript_Provider_Test.java[42-71]
src/test/java/io/github/guacsec/trustifyda/providers/Python_Provider_Test.java[55-68]
src/test/java/io/github/guacsec/trustifyda/providers/Golang_Modules_Provider_Test.java[63-72]
README.md[168-175]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
Dependabot entries for gradle/npm/pip/gomod were removed to avoid PRs for test-fixture manifests. Without an explicit note, future maintainers may incorrectly assume those ecosystems are still covered.

### Issue Context
The repository supports analyzing multiple ecosystems, and tests load sample manifests from `src/test/resources/tst_manifests/**`, but the actual build is Maven-based.

### Fix Focus Areas
- .github/dependabot.yml[1-12]

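The advisory above boils down to a drift risk: the Dependabot config now covers only Maven and GitHub Actions, and nothing warns a future maintainer who drops a real `package.json` or `go.mod` into the repo that it is uncovered. The script below is an added example written for this review, not code from the trustify-da project or from Qodo. It reads the `package-ecosystem` names out of a dependabot.yml (by regex, so it needs no PyYAML; a full YAML parse is assumed unnecessary for this check), walks a list of repository paths, and reports two things: configured ecosystems whose only manifests sit under the `src/test/**` fixture pattern from the PR, and ecosystems with real manifests but no Dependabot entry. The manifest-name table, the `AFTER` config and the sample file tree (including the fixture subdirectory names under `src/test/resources/tst_manifests`) are constructed for the example.

```python
"""Drift check for .github/dependabot.yml (added example, not project code).

Flags (a) configured ecosystems whose only manifests are test fixtures and
(b) ecosystems that have real manifests but no Dependabot entry.
"""
import fnmatch
import re
from pathlib import PurePosixPath

# Manifest file names that imply a Dependabot package-ecosystem.
# Constructed subset for this example; extend as needed.
ECOSYSTEM_MANIFESTS = {
    "maven": {"pom.xml"},
    "gradle": {"build.gradle", "build.gradle.kts"},
    "npm": {"package.json"},
    "pip": {"requirements.txt", "pyproject.toml", "setup.py"},
    "gomod": {"go.mod"},
}

# Same pattern the PR's removed entries used in exclude-paths.
FIXTURE_GLOBS = ("src/test/**",)

# Assumed post-PR config: only maven and github-actions remain.
AFTER = """\
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "daily"
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"
"""

# Shape of the four entries the PR removes (see the diff above).
REMOVED_ENTRY = """\
  - package-ecosystem: "{eco}"
    directory: "/"
    schedule:
      interval: "daily"
    exclude-paths:
      - "src/test/**"
"""
BEFORE = AFTER + "".join(
    REMOVED_ENTRY.format(eco=e) for e in ("gradle", "npm", "pip", "gomod"))

# Constructed file tree: Maven build at the root, other manifests only as
# fixtures. The fixture subdirectory names are assumptions.
SAMPLE_TREE = [
    "pom.xml",
    ".github/workflows/ci.yml",
    "src/test/resources/tst_manifests/gradle/build.gradle",
    "src/test/resources/tst_manifests/npm/package.json",
    "src/test/resources/tst_manifests/pip/requirements.txt",
    "src/test/resources/tst_manifests/golang/go.mod",
]


def is_fixture(path: str) -> bool:
    """True if the path matches one of the fixture globs (fnmatch '*' spans '/')."""
    return any(fnmatch.fnmatch(path, g) for g in FIXTURE_GLOBS)


def configured_ecosystems(dependabot_yml: str) -> set:
    """Extract package-ecosystem values without a YAML parser."""
    return set(re.findall(r'package-ecosystem:\s*"?([A-Za-z0-9_-]+)"?', dependabot_yml))


def ecosystems_in_tree(paths):
    """Map ecosystem -> whether a real and/or a fixture manifest was seen."""
    seen = {eco: {"real": False, "fixture": False} for eco in ECOSYSTEM_MANIFESTS}
    for p in paths:
        name = PurePosixPath(p).name
        for eco, names in ECOSYSTEM_MANIFESTS.items():
            if name in names:
                seen[eco]["fixture" if is_fixture(p) else "real"] = True
    return seen


def check(dependabot_yml: str, paths) -> dict:
    """Return ecosystems configured for fixtures only, and real ones left uncovered."""
    seen = ecosystems_in_tree(paths)
    configured = configured_ecosystems(dependabot_yml)
    fixture_only = sorted(
        e for e in configured
        if seen.get(e, {}).get("fixture") and not seen[e]["real"])
    uncovered = sorted(
        e for e, s in seen.items() if s["real"] and e not in configured)
    return {"fixture_only": fixture_only, "uncovered": uncovered}


if __name__ == "__main__":
    print("before PR:", check(BEFORE, SAMPLE_TREE))
    print("after PR: ", check(AFTER, SAMPLE_TREE))
    print("drifted:  ", check(AFTER, SAMPLE_TREE + ["tools/package.json"]))
```

Run against the pre-PR config it reports the four fixture-only ecosystems; against the post-PR config it is clean; and once a real manifest such as `tools/package.json` appears, it reports `npm` as uncovered, which is the signal a CI step would turn into a failing check.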

@soul2zimate soul2zimate requested a review from ruromero March 4, 2026 02:25