tooling: disable dependabot on archived evalops repos (archival-rot cleanup) #7

@haasonsaas

Problem

Dependabot continues to open PRs on archived repos. Archived repos are read-only — the PRs can't be merged, commented on, or closed without briefly unarchiving. They accumulate indefinitely in org-wide tooling (ship-digest-style views, the stuck-PR list, dependency-dashboard summaries).

Current state (2026-04-23)

  • 22 archived repos under evalops/* (from the 2026-04-20 monorepo consolidation wave — identity, governance, meter, audit, approvals, registry, asb, siphon, gate, notifications, prompts, skills, objectives, parker, connectors, keys, agent-mcp, et al., all folded into evalops/platform/internal/*).
  • Today 4 stranded dependabot PRs already exist on evalops/agent-mcp:
    • agent-mcp#46 actions/setup-go 5.6.0 → 6.4.0
    • agent-mcp#47 evalops-internal group (2 updates)
    • agent-mcp#48 nats.go 1.50.0 → 1.51.0
    • agent-mcp#49 connectrpc 1.19.1 → 1.19.2
  • Attempting gh pr merge / gh pr comment on any of them returns:

    Repository was archived so is read-only and unable to create comment because issue is locked

  • Expect similar buildup on the other 21 archived repos over the coming weeks.

Why this isn't self-healing

  • Dependabot doesn't read archived=true from the repo API before running.
  • There is no manual maintainer interaction available on archived repos, so the PRs can't be closed through the normal workflow.
  • Auto-archival of stale PRs doesn't touch them because they keep getting rebased into "recent activity" by dependabot itself (ironically).

Proposed fix

Any one of these resolves it:

  1. Org-level dependabot disablement — in GitHub's org → Code security settings, turn off Dependabot version updates and security updates for archived repositories. Single toggle, covers all 22 + future archives.
  2. Per-repo .github/dependabot.yml deletion before archival — update the pre-archive checklist to include "remove .github/dependabot.yml before archiving." Catches future cases but requires backfill for the 22 already archived.
  3. Short-lived unarchive → close PRs → re-archive — one-time backfill for the 4 current stranded PRs. Doesn't prevent recurrence.

Recommended: (1) + (2). (1) handles the backlog immediately and catches all future archivals; (2) adds a cultural checkpoint so the issue doesn't regress when someone archives from the CLI without going through the UI setting.

Acceptance criteria

  • Dependabot disabled on all 22 currently archived evalops/* repos (no new PRs appearing in them for a week after the change).
  • Pre-archive checklist in the repo-template or archival runbook includes "remove .github/dependabot.yml" (or equivalent).
  • The 4 current stranded agent-mcp PRs closed (one-time cleanup via brief unarchive, or left to expire).
  • Org-wide PR lists (dashboards, ship-digest-style tools) no longer surface archived-repo PRs.

Related

  • Repo list with archived=true on 2026-04-23: 22 repos.
  • The archival wave itself was the 2026-04-20 consolidation; each repo's description was rewritten to "Archived: <name> now lives only in evalops/platform.".
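
A way to check the acceptance criteria above mechanically, as an added example that is not part of the original issue or of evalops tooling. The `archived`, `full_name`, `user.login` and `created_at` fields mirror GitHub REST API responses; the flat `repo` key, the helper names, the timestamps and the evalops/platform PR are assumptions constructed for the example.

```python
from datetime import datetime, timedelta, timezone

BOT = "dependabot[bot]"  # author login on Dependabot PRs

def _ts(s):
    # GitHub timestamps end in "Z"; normalise for fromisoformat on older Pythons
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def archived_names(repos):
    return {r["full_name"] for r in repos if r.get("archived")}

def stranded_prs(repos, prs):
    """Open Dependabot PRs on archived (read-only) repos."""
    dead = archived_names(repos)
    return [p for p in prs if p["repo"] in dead and p["state"] == "open"
            and p["user"]["login"] == BOT]

def dashboard_view(repos, prs):
    """Org-wide PR list with archived-repo PRs filtered out."""
    dead = archived_names(repos)
    return [p for p in prs if p["repo"] not in dead]

def quiet_since(repos, prs, change_at, now, days=7):
    """True once `days` have elapsed since the change and no Dependabot PR
    was created on an archived repo after it."""
    dead = archived_names(repos)
    new = [p for p in prs if p["repo"] in dead and p["user"]["login"] == BOT
           and _ts(p["created_at"]) > change_at]
    return not new and now - change_at >= timedelta(days=days)

def make_pr(repo, number, created, login=BOT):
    return {"repo": repo, "number": number, "state": "open",
            "created_at": created, "user": {"login": login}}

# Constructed sample data: repo names and PR numbers 46-49 come from the issue;
# timestamps and the evalops/platform PR are made up for the example.
REPOS = [{"full_name": "evalops/agent-mcp", "archived": True},
         {"full_name": "evalops/platform", "archived": False}]
PRS = [make_pr("evalops/agent-mcp", n, "2026-04-22T08:00:00Z") for n in (46, 47, 48, 49)]
PRS.append(make_pr("evalops/platform", 1, "2026-04-22T10:00:00Z", login="example-dev"))
CHANGE_AT = datetime(2026, 4, 23, 12, 0, tzinfo=timezone.utc)  # assumed toggle time

if __name__ == "__main__":
    for p in stranded_prs(REPOS, PRS):
        print(f"stranded: {p['repo']}#{p['number']}")
    print("dashboard:", [f"{p['repo']}#{p['number']}" for p in dashboard_view(REPOS, PRS)])
    print("quiet for a week:", quiet_since(REPOS, PRS, CHANGE_AT, CHANGE_AT + timedelta(days=7)))
```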
