From 29a0b19a213778fe2cbed6f007fdd3f012adb347 Mon Sep 17 00:00:00 2001 From: Alex Goodman Date: Mon, 5 Jan 2026 11:57:38 -0500 Subject: [PATCH] Group dependabot updates (#4522) * group dependabot updates Signed-off-by: Alex Goodman * use directories key Signed-off-by: Alex Goodman --------- Signed-off-by: Alex Goodman --- .github/dependabot.yml | 45 +++++++++++++++++++++++++++++++----------- 1 file changed, 34 insertions(+), 11 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 4f7d58111..4d2e05c22 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,3 +1,14 @@
+# Dependabot configuration
+#
+# Grouping behavior (see inline comments for details):
+# - Minor + patch updates: grouped into a single PR per ecosystem
+# - Major version bumps: individual PR per dependency
+# - Security updates: individual PR per dependency
+#
+# Note: "patch" refers to semver version bumps (1.2.3 -> 1.2.4), not security fixes.
+# Security updates are identified separately via GitHub's Advisory Database and
+# can be any version bump (patch, minor, or major) that fixes a known CVE.
+
 version: 2
 updates:
@@ -5,23 +16,35 @@ updates:
 - package-ecosystem: gomod
 directory: "/"
 schedule:
- interval: "daily"
+ interval: "weekly"
+ day: "friday"
 open-pull-requests-limit: 10
 labels:
 - "dependencies"
+ groups:
+ go-minor-patch:
+ applies-to: version-updates # security updates get individual PRs
+ patterns:
+ - "*"
+ update-types: # major omitted, gets individual PRs
+ - "minor"
+ - "patch"
 - package-ecosystem: "github-actions"
- directory: "/"
+ directories:
+ - "/"
+ - "/.github/actions/bootstrap"
 schedule:
- interval: "daily"
- open-pull-requests-limit: 10
- labels:
- - "dependencies"
-
- - package-ecosystem: "github-actions"
- directory: "/.github/actions/bootstrap"
- schedule:
- interval: "daily"
+ interval: "weekly"
+ day: "friday"
 open-pull-requests-limit: 10
 labels:
 - "dependencies"
+ groups:
+ actions-minor-patch:
+ applies-to: version-updates # security updates get individual PRs
+ patterns:
+ - "*"
+ update-types: # major omitted, gets individual PRs
+ - "minor"
+ - "patch"
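Review bot: The inline comment `# security updates get individual PRs` on both `applies-to: version-updates` lines (`go-minor-patch` and `actions-minor-patch`) holds only if Dependabot security updates are enabled in the repository settings, which this file cannot show. With `interval` moving from `"daily"` to `"weekly"`, a release that fixes a known vulnerability would otherwise wait for the Friday grouped PR, so the assumption is worth stating where it is relied on, e.g. `# security updates get individual PRs (requires Dependabot security updates enabled in repo settings)`. In the github-actions entry, `patterns: "*"` puts every minor and patch action bump from both directories into one PR, which leaves less room to review each action's change on its own. If some actions warrant separate review, `exclude-patterns` can keep them out of the group.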