feat: Added github.com/dependabot annotation (#2646)

* added github.com/dependabot annotation

* remove const

* Added github.com/dependabot annotation

Author: alizard0

workspaces/scorecard/.changeset/true-toes-allow.md

@@ -0,0 +1,5 @@
+---
+'@red-hat-developer-hub/backstage-plugin-scorecard-backend-module-dependabot': patch
+---
+
+Added github.com/dependabot annotation

workspaces/scorecard/examples/components/dependabot-scorecard-only.yaml

@@ -6,6 +6,7 @@ metadata:
   name: dependabot-scorecard-only
   annotations:
     github.com/project-slug: redhat-developer/rhdh-plugins
+    github.com/dependabot: 'true'
     backstage.io/source-location: url:https://github.com/redhat-developer/rhdh-plugins
 spec:
   type: service

workspaces/scorecard/plugins/scorecard-backend-module-dependabot/README.md

@@ -4,6 +4,6 @@ Adds Dependabot alerts as a scorecard metric (`dependabot.alerts`, 0–9 from se
 
 **Install:** `yarn workspace backend add @red-hat-developer-hub/backstage-plugin-scorecard-backend-module-dependabot` then `backend.add(import('@red-hat-developer-hub/backstage-plugin-scorecard-backend-module-dependabot'))`.
 
-**Setup:** Entities need `github.com/project-slug: owner/repo`. GitHub token must have `security_events` (or Dependabot read) so the backend can call the Dependabot API.
+**Setup:** Entities need `github.com/project-slug: owner/repo` and `github.com/dependabot: 'true'` (exact string) to opt in. GitHub token must have `security_events` (or Dependabot read) so the backend can call the Dependabot API.
 
 **How it works:** **DependabotClient** fetches open alerts from the GitHub API (by severity, with pagination). **DependabotMetricProvider** (one per severity) uses the client to score entities. The **factory** (`createDependabotMetricProvider` / `createDependabotMetricProviders`) builds single or all-four providers; the module registers the four (critical, high, medium, low) with the scorecard backend.

workspaces/scorecard/plugins/scorecard-backend-module-dependabot/src/metricProviders/DependabotMetricProvider.test.ts

@@ -130,7 +130,7 @@ describe('DependabotMetricProvider', () => {
   });
 
   describe('getCatalogFilter', () => {
-    it('requires github.com/project-slug annotation', () => {
+    it('requires project-slug and dependabot annotation value true', () => {
       const provider = new DependabotMetricProvider(
         mockConfig,
         mockLogger,
@@ -140,6 +140,7 @@ describe('DependabotMetricProvider', () => {
       expect(
         filter['metadata.annotations.github.com/project-slug'],
       ).toBeDefined();
+      expect(filter['metadata.annotations.github.com/dependabot']).toBe('true');
     });
   });
 

workspaces/scorecard/plugins/scorecard-backend-module-dependabot/src/metricProviders/DependabotMetricProvider.ts

@@ -88,6 +88,7 @@ export class DependabotMetricProvider implements MetricProvider<'number'> {
   getCatalogFilter(): Record<string, string | symbol | (string | symbol)[]> {
     return {
       'metadata.annotations.github.com/project-slug': CATALOG_FILTER_EXISTS,
+      'metadata.annotations.github.com/dependabot': 'true',
     };
   }