dependabot: Group updates to reduce noise

We have missused `exclude-patterns` and `applies-to` in previous setup, they are documented in [1]: - `exclude-patterns`: Use to exclude certain dependencies from the group. If a dependency is excluded from a group, Dependabot will continue to **raise single pull requests** to update the dependency to its latest version. - `applies-to`: Use to specify whether the rules in the group apply to version updates or security updates. applies-to can be version-updates or security-updates. Options in `groups` section is a matter of grouping strategy of these detected udpates. All in all, to effectively "group" these updates, we need to use `allow` and `ignore` to specify update "candidates" for dependabot, if the "candidates" were duplicated in the first place, no matter the grouping strategy, the PRs raised are bound to be overlaped/duplicated. [1] https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2026-01-14 03:35:54 +00:00 · 2024-11-15 18:13:07 +08:00 · 2024-11-15 18:13:07 +08:00 · 60a29e2403
commit 60a29e2403
parent 5340588543
1 changed files with 17 additions and 23 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -7,30 +7,17 @@ updates:
  schedule:
    interval: weekly
  allow:
-  - dependency-type: direct
-  - dependency-type: indirect
+    - dependency-name: "vhost"
+    - dependency-name: "vhost-user-backend"
+    - dependency-name: "virtio-bindings"
+    - dependency-name: "virtio-queue"
+    - dependency-name: "virtio-vsock"
+    - dependency-name: "vm-memory"
+    - dependency-name: "vmm-sys-util"
  groups:
      rust-vmm:
-        patterns:
-          - "vhost"
-          - "vhost-user-backend"
-          - "virtio-bindings"
-          - "virtio-queue"
-          - "virtio-vsock"
-          - "vm-memory"
-          - "vmm-sys-util"
-      non-rust-vmm:
-        applies-to: security-updates
        patterns:
          - "*"
-        exclude-patterns:
-          - "vhost"
-          - "vhost-user-backend"
-          - "virtio-bindings"
-          - "virtio-queue"
-          - "virtio-vsock"
-          - "vm-memory"
-          - "vmm-sys-util"
 - package-ecosystem: cargo
  directories:
    - "/"
@ -38,10 +25,17 @@ updates:
  schedule:
    interval: monthly
  allow:
-  - dependency-type: direct
-  - dependency-type: indirect
+    - dependency-type: all
+  ignore:
+    - dependency-name: "vhost"
+    - dependency-name: "vhost-user-backend"
+    - dependency-name: "virtio-bindings"
+    - dependency-name: "virtio-queue"
+    - dependency-name: "virtio-vsock"
+    - dependency-name: "vm-memory"
+    - dependency-name: "vmm-sys-util"
  groups:
-      vhost-device:
+      non-rust-vmm:
        patterns:
          - "*"
  # Makes it possible to have another config for the same directory.