ci: auto-update the macros submodule via Dependabot

[d-morrison]

Summary

Adds a Dependabot config so the macros submodule is bumped automatically instead of by hand.

This template embeds macros as a submodule (tracking main). Dependabot's gitsubmodule updater opens a PR whenever that branch advances, removing the manual git submodule update --remote + commit step.

Why this (and not a sliding tag)

Follow-through on the ADR in d-morrison/macros: a sliding tag/branch wouldn't remove the manual bump, because a submodule gitlink only advances when a consumer updates and commits it. Dependabot is the automation that actually closes that loop — and it tracks a branch (main), the only ref that --remote-style tracking can follow.

Template note

Because this is a template, the config propagates to books generated from it via "Use this template" — so downstream books also get hands-off macros updates. It adds no package/extension dependency, only a .github/dependabot.yml.

Config

package-ecosystem: "gitsubmodule"
directory: "/"
schedule: { interval: "weekly" }

🤖 Generated with Claude Code

https://claude.ai/code/session_01DrceBhXtcKRFaPPEMwxAZN

---

Generated by Claude Code

[claude]

Claude finished @d-morrison's task in 1m 27s —— View job

---

Code Review — PR #117

• Gather context (read changed file, .gitmodules, CI config)
• Review .github/dependabot.yml for correctness and completeness
• Post inline comments where applicable
• Post summary verdict

---

Verdict: Clean ✓

The config is correct and well-motivated. YAML is valid, version: 2 is properly set, directory: "/" matches the submodule location, and the comment block clearly explains the design rationale. The chore(submodule) commit-message prefix is a sensible conventional-commit label for the auto-generated bump PRs.

One optional non-blocking suggestion posted inline: since the repo's workflows already reference several third-party Actions at pinned major versions, this is a natural moment to also add a github-actions ecosystem entry and get those pins bumped automatically too.

[Copilot]

Pull request overview

This PR adds a Dependabot configuration to automatically open PRs when the macros git submodule advances, reducing manual submodule bump/commit work in this template and downstream repos generated from it.

Changes:

• Add .github/dependabot.yml configuring Dependabot’s gitsubmodule updater to run weekly for the repository root.
• Customize Dependabot PR commit message prefix to chore(submodule).

[claude]

The repo's workflows use a number of third-party Actions at pinned major versions (actions/checkout@v4, r-lib/actions/setup-r@v2, quarto-dev/quarto-actions/setup@v2, etc.). Now that dependabot.yml exists, adding a github-actions ecosystem entry here is zero extra effort and keeps action pins current automatically:

Suggested change

	prefix: "chore(submodule)"
	commit-message:
	prefix: "chore(submodule)"
	- package-ecosystem: "github-actions"
	directory: "/"
	schedule:
	interval: "weekly"
	commit-message:
	prefix: "chore(actions)"

Not a blocker — just a natural complement to the submodule entry.

[d-morrison]

Good idea, but I'm keeping this PR scoped to the submodule automation that was requested. A github-actions ecosystem entry is a separate (also reasonable) kind of update that would start opening action-bump PRs across this template and every repo generated from it, so it's worth deciding on deliberately rather than bundling it in here. Easy to add as a follow-up if you'd like it — the snippet above is exactly right.

---

Generated by Claude Code

[claude]

Claude finished @d-morrison's task in 1m 30s —— View job

---

Code Review — PR #117

• Gather context (read changed file, .gitmodules, existing workflows)
• Review .github/dependabot.yml for correctness and completeness
• Post inline comments where applicable
• Post summary verdict

---

Verdict: Clean ✓

The config is correct and well-formed. version: 2, directory: "/", weekly cadence, and the chore(submodule) conventional-commit prefix all look good.

The comment wording — "submodule's default branch (currently main)" — correctly reflects that Dependabot follows the upstream's default branch, not a hardcoded branch = entry in .gitmodules (there isn't one). This addresses the concern raised in the Copilot review.

One optional inline suggestion posted: add a github-actions ecosystem entry while the file is being created. It would automatically bump the version-pinned actions (including the mixed actions/checkout@v4/@v5 across workflows) — the two @HEAD pins are pre-existing and out of Dependabot's reach regardless.

[claude]

The gitsubmodule entry is correct. Since dependabot.yml now exists, adding a github-actions entry would also keep the workflow action pins current with zero extra maintenance cost:

Suggested change

	prefix: "chore(submodule)"
	commit-message:
	prefix: "chore(submodule)"
	- package-ecosystem: "github-actions"
	directory: "/"
	schedule:
	interval: "weekly"
	commit-message:
	prefix: "chore(actions)"

Note: the two @HEAD pins in existing workflows (quarto-dev/quarto-actions/setup@HEAD, r-lib/actions/setup-r-dependencies@HEAD) are unversioned and Dependabot won't touch them — but it would bump all the @v2/@v4 pins, including resolving the mixed actions/checkout@v4 vs @v5 across workflows. Non-blocking.

[github-actions]

PR Preview Action v1.8.1
Preview removed because the pull request was closed.
2026-06-20 00:48 PDT