Group dependabot updates (#4522)

* group dependabot updates Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * use directories key Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> --------- Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-02-12 02:26:42 +01:00 · 2026-01-05 11:57:38 -05:00 · 2026-01-05 11:57:38 -05:00 · 29a0b19a21
commit 29a0b19a21
parent ea43506196
1 changed files with 34 additions and 11 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -1,3 +1,14 @@
+# Dependabot configuration
+#
+# Grouping behavior (see inline comments for details):
+#   - Minor + patch updates: grouped into a single PR per ecosystem
+#   - Major version bumps: individual PR per dependency
+#   - Security updates: individual PR per dependency
+#
+# Note: "patch" refers to semver version bumps (1.2.3 -> 1.2.4), not security fixes.
+# Security updates are identified separately via GitHub's Advisory Database and
+# can be any version bump (patch, minor, or major) that fixes a known CVE.
+
 version: 2

 updates:
@ -5,23 +16,35 @@ updates:
  - package-ecosystem: gomod
    directory: "/"
    schedule:
-      interval: "daily"
+      interval: "weekly"
+      day: "friday"
    open-pull-requests-limit: 10
    labels:
      - "dependencies"
+    groups:
+      go-minor-patch:
+        applies-to: version-updates  # security updates get individual PRs
+        patterns:
+          - "*"
+        update-types:  # major omitted, gets individual PRs
+          - "minor"
+          - "patch"

  - package-ecosystem: "github-actions"
-    directory: "/"
+    directories:
+      - "/"
+      - "/.github/actions/bootstrap"
    schedule:
-      interval: "daily"
-    open-pull-requests-limit: 10
-    labels:
-      - "dependencies"
-
-  - package-ecosystem: "github-actions"
-    directory: "/.github/actions/bootstrap"
-    schedule:
-      interval: "daily"
+      interval: "weekly"
+      day: "friday"
    open-pull-requests-limit: 10
    labels:
      - "dependencies"
+    groups:
+      actions-minor-patch:
+        applies-to: version-updates  # security updates get individual PRs
+        patterns:
+          - "*"
+        update-types:  # major omitted, gets individual PRs
+          - "minor"
+          - "patch"