Commit Graph

8 Commits

Author SHA1 Message Date
Ruoqing He
60a29e2403 dependabot: Group updates to reduce noise
We have misused `exclude-patterns` and `applies-to` in previous setup,
they are documented in [1]:

- `exclude-patterns`: Use to exclude certain dependencies from the
  group. If a dependency is excluded from a group, Dependabot will
  continue to **raise single pull requests** to update the dependency to
  its latest version.
- `applies-to`: Use to specify whether the rules in the group apply to
  version updates or security updates. applies-to can be version-updates
  or security-updates.

Options in `groups` section are a matter of grouping strategy of these
detected updates.

All in all, to effectively "group" these updates, we need to use `allow`
and `ignore` to specify update "candidates" for dependabot, if the
"candidates" were duplicated in the first place, no matter the grouping
strategy, the PRs raised are bound to be overlapped/duplicated.

[1] https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2024-11-18 13:50:34 +05:30
Ruoqing He
5340588543 ci: Allow different configs for the same directory
Currently `dependabot` does not allow different configurations for the
same directories. This workaround [1] provides a way to bypass this
restriction.

[1] https://github.com/dependabot/dependabot-core/issues/1778#issuecomment-1988140219

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2024-11-14 22:15:40 +05:30
Ruoqing He
4de2e8bb2b ci: Reduce non-rust-vmm crates update frequency
Group `rust-vmm` crates and `non-rust-vmm` crates with security-updates
into weekly update, leave the rest dependencies to monthly update in
dependabot configuration.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2024-11-14 15:24:04 +05:30
Stefano Garzarella
6c7d8a5efd dependabot: run it also for staging crates
We forgot to tell dependabot to also run in the "staging" nested
workspace. Let's enable it.

Closes #536

Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
2023-11-14 11:21:49 +01:00
Erik Schilling
072fadaaba dependabot: enable update grouping
This should group updates into a single PR. Hopefully, that simplifies
updates.

Updates that do _actually_ require code changes, will need a separate PR
anyway, after which dependabot can be asked to rebase/recreate.

Suggested-by: Patrick Roy <roypat@amazon.co.uk>
Suggested-by: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: Erik Schilling <erik.schilling@linaro.org>
2023-10-06 12:58:11 +05:30
Viresh Kumar
620dd5fd01 dependabot: Allow updating dependencies
Remove the incorrect file dependabot.yaml and edit the correct one to
allow crate updates on weekly basis.

Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
2021-09-06 12:54:53 +05:30
Andreea Florescu
f9440ac8cd update dependabot formatting
2021-09-03 10:22:01 +03:00
Andreea Florescu
72710f3a89 Initial commit
2021-05-26 10:18:40 +03:00