Skip to content

Commit f64ea0a

Browse files
authored
ci(dependabot): broaden auto-merge coverage and rebalance update groups (#8939)
Auto-merge covered only dev dependencies, GitHub Actions, and the catch-all test-version group. The test-only plugin-version cohorts and digest-pinned docker images were reviewed by hand despite being fully CI-gated, and security advisories matched no group at all, so a vulnerability in any manifest -- fixtures included -- lingered until a human noticed and tripped vulnerability reporting. 1. Auto-merge the test-only plugin-version cohorts and docker base images; production npm and vendored version updates stay on manual review since they ship to customers. 2. Rebalance the plugin-version cohorts so the catch-all no longer holds most libraries: drop the standalone opentelemetry group, fold messaging into cloud-and-messaging, add web-frameworks, and broaden databases and testing-and-build. 3. Group security updates per manifest and auto-merge them, split into security-production (ships to customers, majors held for human review) and security-non-production (dev, fixtures, infra; auto-merges fully).
1 parent beef5b8 commit f64ea0a

2 files changed

Lines changed: 165 additions & 31 deletions

File tree

.github/dependabot.yml

Lines changed: 149 additions & 27 deletions
Original file line numberDiff line numberDiff line change
@@ -23,6 +23,10 @@ updates:
2323
gh-actions-packages:
2424
patterns:
2525
- "*"
26+
security-non-production:
27+
applies-to: security-updates
28+
patterns:
29+
- "*"
2630
labels:
2731
- dependabot
2832
- dependencies
@@ -51,6 +55,10 @@ updates:
5155
docker-images:
5256
patterns:
5357
- "*"
58+
security-non-production:
59+
applies-to: security-updates
60+
patterns:
61+
- "*"
5462

5563
# Regular npm packages that fall into our supported ranges besides OTEL
5664
- package-ecosystem: "npm"
@@ -112,6 +120,18 @@ updates:
112120
update-types:
113121
- "minor"
114122
- "patch"
123+
# Security fixes for shipped (production) dependencies; a human reviews majors.
124+
security-production:
125+
applies-to: security-updates
126+
dependency-type: "production"
127+
patterns:
128+
- "*"
129+
# Security fixes for dev-only dependencies; auto-merges fully.
130+
security-non-production:
131+
applies-to: security-updates
132+
dependency-type: "development"
133+
patterns:
134+
- "*"
115135

116136
# Vendored dependencies
117137
- package-ecosystem: "npm"
@@ -159,6 +179,11 @@ updates:
159179
update-types:
160180
- "minor"
161181
- "patch"
182+
# Vendored code is bundled into the shipped package, so it counts as production.
183+
security-production:
184+
applies-to: security-updates
185+
patterns:
186+
- "*"
162187

163188
# Instrumented library support range
164189
- package-ecosystem: "npm"
@@ -182,7 +207,9 @@ updates:
182207
- dependency-name: "office-addin-mock"
183208
# Pinned to 2.x due to compatibility issues with newer major versions
184209
update-types: ["version-update:semver-major"]
185-
# Cohort-based groups so a single breaking bump only blocks its own PR.
210+
# Cohort-based groups so a single breaking bump only blocks its own PR. A dependency lands
211+
# in the first cohort it matches; `test-versions` is the catch-all for the long tail
212+
# (OpenTelemetry, OpenFeature, logging, templating, serialization, runtimes, misc).
186213
groups:
187214
ai-and-llm:
188215
patterns:
@@ -196,57 +223,148 @@ updates:
196223
- "ai"
197224
- "langchain"
198225
- "openai"
199-
serverless:
226+
cloud-and-messaging:
200227
patterns:
201228
- "@aws-sdk/*"
202229
- "@azure/*"
230+
- "@confluentinc/kafka-javascript"
231+
- "@google-cloud/*"
232+
- "@nats-io/*"
203233
- "@smithy/*"
234+
- "amqp10"
235+
- "amqplib"
236+
- "avsc"
204237
- "aws-sdk"
205238
- "azure-functions-core-tools"
239+
- "bullmq"
206240
- "durable-functions"
207-
opentelemetry:
208-
patterns:
209-
- "@opentelemetry/*"
210-
- "opentracing"
211-
test-optimization:
212-
patterns:
213-
- "@fast-check/jest"
214-
- "@happy-dom/jest-environment"
215-
- "@jest/*"
216-
- "@playwright/test"
217-
- "@vitest/*"
218-
- "babel-jest"
219-
- "jest-*"
220-
- "jest"
221-
- "mocha-each"
222-
- "mocha"
223-
- "nyc"
224-
- "playwright-core"
225-
- "playwright"
226-
- "tinypool"
227-
- "vitest"
241+
- "kafkajs"
242+
- "rhea"
228243
databases:
229244
patterns:
230-
- "@node-redis/client"
245+
- "@elastic/*"
246+
- "@node-redis/*"
247+
- "@opensearch-project/*"
231248
- "@prisma/*"
232-
- "@redis/client"
249+
- "@redis/*"
250+
- "aerospike"
251+
- "bson"
252+
- "cassandra-driver"
253+
- "couchbase"
254+
- "elasticsearch"
255+
- "generic-pool"
233256
- "ioredis"
234-
- "mongodb-core"
257+
- "iovalkey"
258+
- "knex"
259+
- "mariadb"
260+
- "memcached"
235261
- "mongodb"
262+
- "mongodb-core"
236263
- "mongoose"
264+
- "mquery"
237265
- "mysql"
238266
- "mysql2"
267+
- "oracledb"
268+
- "pg"
239269
- "pg-cursor"
240270
- "pg-native"
241271
- "pg-query-stream"
242-
- "pg"
243272
- "prisma"
244273
- "redis"
274+
- "sequelize"
275+
- "sharedb"
245276
- "sqlite3"
246277
- "tedious"
278+
web-frameworks:
279+
patterns:
280+
- "@apollo/*"
281+
- "@fastify/*"
282+
- "@graphql-tools/*"
283+
- "@grpc/*"
284+
- "@hapi/*"
285+
- "@hono/*"
286+
- "@koa/*"
287+
- "apollo-server-core"
288+
- "apollo-server-express"
289+
- "apollo-server-fastify"
290+
- "axios"
291+
- "body-parser"
292+
- "connect"
293+
- "cookie"
294+
- "cookie-parser"
295+
- "ejs"
296+
- "express"
297+
- "express-mongo-sanitize"
298+
- "express-session"
299+
- "fastify"
300+
- "find-my-way"
301+
- "graphql"
302+
- "graphql-tag"
303+
- "graphql-tools"
304+
- "graphql-yoga"
305+
- "handlebars"
306+
- "hapi"
307+
- "hono"
308+
- "koa"
309+
- "koa-route"
310+
- "koa-router"
311+
- "koa-websocket"
312+
- "ldapjs"
313+
- "ldapjs-promise"
314+
- "light-my-request"
315+
- "loopback"
316+
- "microgateway-core"
317+
- "middie"
318+
- "multer"
319+
- "passport"
320+
- "passport-http"
321+
- "passport-local"
322+
- "pug"
323+
- "request"
324+
- "restify"
325+
- "router"
326+
- "undici"
327+
- "ws"
328+
testing-and-build:
329+
patterns:
330+
- "@babel/*"
331+
- "@cucumber/*"
332+
- "@electron/*"
333+
- "@fast-check/jest"
334+
- "@happy-dom/jest-environment"
335+
- "@jest/*"
336+
- "@playwright/test"
337+
- "@vitest/*"
338+
- "babel-jest"
339+
- "cypress"
340+
- "cypress-fail-fast"
341+
- "electron"
342+
- "esbuild"
343+
- "jest"
344+
- "jest-*"
345+
- "mocha"
346+
- "mocha-each"
347+
- "next"
348+
- "nock"
349+
- "nyc"
350+
- "office-addin-mock"
351+
- "playwright"
352+
- "playwright-core"
353+
- "react"
354+
- "react-dom"
355+
- "selenium-webdriver"
356+
- "sinon"
357+
- "tinypool"
358+
- "typescript"
359+
- "vitest"
360+
- "workerpool"
247361
test-versions:
248362
patterns:
249363
- "*"
364+
security-non-production:
365+
applies-to: security-updates
366+
patterns:
367+
- "*"
250368

251369
# Esbuild integration test dependencies
252370
- package-ecosystem: "npm"
@@ -274,3 +392,7 @@ updates:
274392
test-versions:
275393
patterns:
276394
- "*"
395+
security-non-production:
396+
applies-to: security-updates
397+
patterns:
398+
- "*"

.github/workflows/dependabot-automation.yml

Lines changed: 16 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -8,8 +8,11 @@ on:
88
- synchronize
99

1010
env:
11-
# Add Groups here to enable auto-merge for Dependabot PRs
12-
GROUPS: '["dev-minor-and-patch-dependencies", "gh-actions-packages", "test-versions"]'
11+
# Add Groups here to enable auto-merge for Dependabot PRs. Production npm *version* updates
12+
# (`runtime-minor-and-patch-dependencies`, `vendor-minor-and-patch-dependencies`) are
13+
# intentionally absent: they ship to customers and stay on manual review. Production
14+
# *security* fixes still auto-merge (see `security-production`), but only below a major.
15+
GROUPS: '["dev-minor-and-patch-dependencies", "gh-actions-packages", "docker-images", "ai-and-llm", "cloud-and-messaging", "databases", "web-frameworks", "testing-and-build", "test-versions", "security-production", "security-non-production"]'
1316

1417
jobs:
1518
dependabot-automation:
@@ -31,14 +34,23 @@ jobs:
3134
uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # 3.1.0
3235
with:
3336
github-token: "${{ steps.octo-sts.outputs.token }}"
37+
# A major bump in `security-production` ships a breaking change to customers, so a human
38+
# reviews it. Every other allowed group auto-merges regardless of semver level: test-only
39+
# matrix bumps, non-production security fixes, and majors already gated by dependabot.yml.
3440
- name: Approve a PR
35-
if: contains(fromJSON(env.GROUPS), steps.metadata.outputs.dependency-group)
41+
if: >-
42+
contains(fromJSON(env.GROUPS), steps.metadata.outputs.dependency-group) &&
43+
(steps.metadata.outputs.dependency-group != 'security-production' ||
44+
steps.metadata.outputs.update-type != 'version-update:semver-major')
3645
run: gh pr review --approve "$PR_URL"
3746
env:
3847
PR_URL: ${{ github.event.pull_request.html_url }}
3948
GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
4049
- name: Enable auto-merge for Dependabot PRs
41-
if: contains(fromJSON(env.GROUPS), steps.metadata.outputs.dependency-group)
50+
if: >-
51+
contains(fromJSON(env.GROUPS), steps.metadata.outputs.dependency-group) &&
52+
(steps.metadata.outputs.dependency-group != 'security-production' ||
53+
steps.metadata.outputs.update-type != 'version-update:semver-major')
4254
run: gh pr merge --auto --squash "$PR_URL"
4355
env:
4456
PR_URL: ${{ github.event.pull_request.html_url }}

0 commit comments

Comments
 (0)