[infra] Fix Dependabot Go module directory

[nurockplayer]

什麼改動

修正 Go module 的 Dependabot directory，從已不存在的 /backend 改成目前實際的 /services/api，並同步更新 Dependabot policy 與 GitHub Actions 補強路線文件。

為什麼

refs #208

PR #482 的路線文件列出 PR A：Dependabot Go module directory drift。repo 現況的 Go module 位於 services/api/go.mod，舊的 backend/ 路徑不存在，會讓 Go Dependabot 無法正確掃描。

Release Context

• Release type：n/a

Workflow Type

• Small / Medium
• Test-Driven / Debug Loop
• Architecture / High Risk

Scope 對齊

• Source of truth：[initiative][infra] 正式化 CI 與上線維護品質閘門 #208
• Depends on PR：none
• Backend contract already in develop:
  • yes
  • no
• If no, this PR is:
  • stacked on dependency branch
  • intentionally blocked until dependency merges
• 本 PR 是否完全在 source of truth 範圍內？
  • 是
  • 否，已另開 issue / PR 處理超出部分
• 本 PR 明確不做：
  • 不新增 GitHub Actions workflow。
  • 不修改 Dependabot update cadence、grouping 或 auto-merge policy。
  • 不處理其他 security scanner / workflow health check / migration guard 後續 PR。

PR 拆分檢查

• 這個 PR 的單一句子目的：
  • 修正 Go Dependabot 的 module directory，使其指向 services/api。
• Approx changed lines：~10
• 本 PR 是否可獨立 review，不需要理解未合併的其他 PR？
  • 是
  • 否，原因：
• 本 PR 是否同時包含以下多個層級？
  • migration / schema
  • backend domain service
  • API handler / router
    • 已執行 swag init 並將 services/api/docs/ 變更一起 commit
  • frontend integration
  • tests
  • docs
  • refactor / cleanup
• 若勾選兩項以上，為什麼這些變更需要放在同一個 PR？
  • n/a
• 若已拆分，相關 PR：
  • [infra] GitHub Actions 補強路線文件 #482

Acceptance Criteria

• .github/dependabot.yml 的 gomod directory 指向 /services/api。
• Dependabot policy 文件中的 Go module path 與 services/api/go.mod 一致。
• GitHub Actions 補強路線文件不再把此 drift 寫成 merge 後仍存在的現況。

超出範圍內容

無。

測試方式

• 本地測試過
• 有寫 / 更新測試

驗證結果

ruby -e "require 'yaml'; data = YAML.safe_load(File.read('.github/dependabot.yml'), permitted_classes: [], aliases: false); dirs = data.fetch('updates').map { |u| u.fetch('directory') }; abort('missing /services/api') unless dirs.include?('/services/api'); abort('still has /backend') if dirs.include?('/backend'); dirs.each { |d| path = d.sub(%r{\A/}, ''); abort(\"missing directory #{d}\") unless Dir.exist?(path) }; puts dirs.join('\n')"
# /services/api
# /apps/dashboard
# /apps/extension

git diff --cached --check
# exit 0，沒有 whitespace error

備註

這是 PR #482 路線文件中的 PR A。後續 auto-ready、workflow health check、security scan、migration guard 仍應拆成獨立 PR。

Notes for Claude Code Review

• 請確認 Dependabot 的 gomod directory 是否應維持 /services/api，以及 policy 文件是否還有 active /backend reference。
• plans/github-actions-enhancements.md 只把原本 drift 改成 PR A 前的背景紀錄，沒有修改後續實作順序。

Summary by CodeRabbit

• 文档

  • 更新了依赖管理政策文档，确保配置信息准确一致。
  • 更新了GitHub Actions增强计划，记录并解决配置一致性问题。

• 配置

  • 调整了依赖监控配置，确保依赖追踪准确无误。

[github-actions]

PR Scope Police

• PASS: scope checks passed.

Snapshot

• Mode: standard PR
• Docs/template/metadata only: no
• Changed files: 3
• Diff lines (+/-): 20
• Product surfaces: none
• Dependency blocked: no
• Auto-close triggered: no
• Auto-close label: scope-violation
• Dependency block label: blocked-by-dependency
• Bypass label: scope-exception

[coderabbitai]

Warning

Rate limit exceeded

@nurockplayer has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 35 minutes and 57 seconds before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 43b76fc8-ed1a-475c-b2eb-8e1c4dad5083

📥 Commits

Reviewing files that changed from the base of the PR and between 812d34a and fdb6457.

📒 Files selected for processing (1)

• plans/github-actions-enhancements.md

Walkthrough

此 PR 將 Dependabot 設定和相關文檔更新，以改正 Go module 監控目錄的配置漂移。Dependabot 的 gomod 更新目標、依賴更新政策文檔及實施計畫均修正為指向 /services/api，而非 /backend。

Changes

Dependabot 設定目錄修正

Layer / File(s)	Summary
設定更新 .github/dependabot.yml	Dependabot gomod 套件生態系統的監控 directory 從 /backend 改為 /services/api。
政策文檔同步 docs/dependabot-update-policy.md	週一 09:00 排程和 Go 模組分組規則均更新為指向 /services/api 而非 /backend。
實施計畫記錄 plans/github-actions-enhancements.md	新增「Dependabot Go module 目錄漂移」問題文檔，記錄此設定不一致狀況及修復建議。

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 分鐘

Possibly related PRs

• [infra] CI 優化：backend unit test 改用 native Go，移除 artifact roundtrip #438：同樣修改 CI/設定參考以指向 services/api 下的 Go module，而非 /backend。

Suggested labels

needs-codex-review

Suggested reviewers

• Erick52106

Poem

🔧 目錄終於找到家，
/services/api 不再差，
設定文檔齊步走，
Dependabot 眼睛亮了透，
漂移消散在晨曦中。✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	Pull request 標題清楚地概括了主要變更：修正 Dependabot Go 模組目錄從 /backend 改為 /services/api，與實際代碼更改內容相符。
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/dependabot-go-directory

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 0/1 reviews remaining, refill in 35 minutes and 57 seconds.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

plans/github-actions-enhancements.md (1)

39-51: 💤 Low value

plans/ 文件中 PR A 自身修改範圍未完整列出

Lines 286–287（「PR A：Dependabot directory drift」驗收說明）的「修改」欄位只列了 .github/dependabot.yml 和 docs/dependabot-update-policy.md，但本 PR 同時也修改了 plans/github-actions-enhancements.md 本身。若未來有人核對 PR A 的 commit scope 與文件描述，可能會出現小落差。

這屬於 plans 文件的自描述問題，不影響任何執行邏輯，僅供參考。

📝 可選的補充

 修改：

 - `.github/dependabot.yml`
 - `docs/dependabot-update-policy.md`
+- `plans/github-actions-enhancements.md`（本段背景紀錄）

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@plans/github-actions-enhancements.md` around lines 39 - 51, Update the
self-description in the "PR A：Dependabot directory drift" section of
plans/github-actions-enhancements.md to explicitly list that PR A also modifies
plans/github-actions-enhancements.md itself (in addition to
.github/dependabot.yml and docs/dependabot-update-policy.md); locate the "PR
A：Dependabot directory drift" acceptance/changes lines and add/adjust the "修改"
entry so the file plans/github-actions-enhancements.md is included to keep the
PR scope accurate.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@plans/github-actions-enhancements.md`:
- Around line 39-51: Update the self-description in the "PR A：Dependabot
directory drift" section of plans/github-actions-enhancements.md to explicitly
list that PR A also modifies plans/github-actions-enhancements.md itself (in
addition to .github/dependabot.yml and docs/dependabot-update-policy.md); locate
the "PR A：Dependabot directory drift" acceptance/changes lines and add/adjust
the "修改" entry so the file plans/github-actions-enhancements.md is included to
keep the PR scope accurate.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ebcf04c0-99e0-43f3-bad4-504fccd32205

📥 Commits

Reviewing files that changed from the base of the PR and between 261ed3f and 812d34a.

📒 Files selected for processing (3)

• .github/dependabot.yml
• docs/dependabot-update-policy.md
• plans/github-actions-enhancements.md

[Erick52106]

已重新檢查最新 head 與目前 diff。先前提到的文件一致性問題已修正，目前只剩非阻塞 nit，不影響合併。