From 60a29e240392b64d7e42d578e0abc6c43357c585 Mon Sep 17 00:00:00 2001
From: Ruoqing He
Date: Fri, 15 Nov 2024 18:13:07 +0800
Subject: [PATCH] dependabot: Group updates to reduce noise

We have missused `exclude-patterns` and `applies-to` in previous setup, they are documented in [1]:
- `exclude-patterns`: Use to exclude certain dependencies from the group. If a dependency is excluded from a group, Dependabot will continue to **raise single pull requests** to update the dependency to its latest version.
- `applies-to`: Use to specify whether the rules in the group apply to version updates or security updates. applies-to can be version-updates or security-updates.
Options in `groups` section is a matter of grouping strategy of these detected udpates. All in all, to effectively "group" these updates, we need to use `allow` and `ignore` to specify update "candidates" for dependabot, if the "candidates" were duplicated in the first place, no matter the grouping strategy, the PRs raised are bound to be overlaped/duplicated.
[1] https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups
Signed-off-by: Ruoqing He
---
 .github/dependabot.yml | 40 +++++++++++++++++----------------------
 1 file changed, 17 insertions(+), 23 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 9e39057..dabacb4 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -7,30 +7,17 @@ updates:
 schedule:
 interval: weekly
 allow:
- - dependency-type: direct
- - dependency-type: indirect
+ - dependency-name: "vhost"
+ - dependency-name: "vhost-user-backend"
+ - dependency-name: "virtio-bindings"
+ - dependency-name: "virtio-queue"
+ - dependency-name: "virtio-vsock"
+ - dependency-name: "vm-memory"
+ - dependency-name: "vmm-sys-util"
 groups:
 rust-vmm:
- patterns:
- "vhost"
- "vhost-user-backend"
- "virtio-bindings"
- "virtio-queue"
- "virtio-vsock"
- "vm-memory"
- "vmm-sys-util"
- non-rust-vmm:
- applies-to: security-updates
 patterns:
 - "*"
- exclude-patterns:
- "vhost"
- "vhost-user-backend"
- "virtio-bindings"
- "virtio-queue"
- "virtio-vsock"
- "vm-memory"
- "vmm-sys-util"
 - package-ecosystem: cargo
 directories:
 - "/"
@@ -38,10 +25,17 @@ updates:
 schedule:
 interval: monthly
 allow:
- - dependency-type: direct
- - dependency-type: indirect
+ - dependency-type: all
+ ignore:
+ - dependency-name: "vhost"
+ - dependency-name: "vhost-user-backend"
+ - dependency-name: "virtio-bindings"
+ - dependency-name: "virtio-queue"
+ - dependency-name: "virtio-vsock"
+ - dependency-name: "vm-memory"
+ - dependency-name: "vmm-sys-util"
 groups:
- vhost-device:
+ non-rust-vmm:
 patterns:
 - "*"
 # Makes it possible to have another config for the same directory.
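Review bot: The seven crate names in the new `allow` list of the weekly entry are repeated verbatim in the `ignore` list that the second hunk adds to the monthly entry, and nothing in the file marks the two lists as a pair. A crate added to only one of them would either be proposed by both entries or by neither. The second case is the worrying one, because that crate silently stops receiving update PRs. I would put `# Keep in sync with the ignore list of the monthly cargo entry below.` above `allow:` here and the mirror comment above `ignore:` in the second hunk.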
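Review bot: The `ignore` items added to the monthly entry name each crate without `versions` or `update-types`, so every update for those crates is dropped in this entry, and the file no longer says how security updates are meant to be routed now that the `applies-to: security-updates` group is gone. As far as I know Dependabot applies `allow` and `ignore` to security updates as well as version updates, and a `target-branch` workaround, if that is what the trailing comment introduces, can change which entry security updates use; both are worth confirming against the docs linked in the commit message. I would record the intent above `ignore:`, for example `# rust-vmm crates, including their security updates, are handled by the weekly entry above.`, and check the Dependabot logs after merge. The entry continues past the hunk's last line, so the option that the trailing comment refers to is not visible here.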