Skip to content

Commit 6e9e44a

Browse files
ksroda-saclaude
andauthored
chore(dependabot): group minor+patch, lower PR cap, monthly Maven/NuGet (#135)
* chore(dependabot): group minor+patch, lower PR cap, monthly Maven/NuGet Tweaks to reduce open-PR noise (was sitting at ~57 across all ecosystems): - Add `groups: minor-and-patch` per directory so a single weekly Angular monorepo release (or RN peer-package set) collapses into one PR instead of fanning out into 5+. Major bumps still get individual PRs. - Lower `open-pull-requests-limit` from 5 to 3 — grouping makes the higher cap unnecessary. - Move Maven (Java/Spring Boot) and NuGet (Microsoft.*) to a monthly schedule. Both ecosystems release on slower cadences than npm; weekly was paying for noise that wasn't there. - DRY the file with YAML anchors + merge keys: 196 → 113 lines, one block per ecosystem instead of nineteen. Expected steady-state open dependabot PRs: ~57 → ~10–15. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * chore(dependabot): collapse same-framework directories into one entry Use `directories:` (plural) so login-pkce + token-refresh in the same framework share a single dependabot entry, producing one grouped PR per framework per cycle instead of one per directory. login-pkce and token-refresh have effectively identical package.json dependencies, so the bumps were always traveling together anyway. 19 update entries → 9 (one per framework + scripts + github-actions). Steady-state open dependabot PRs: ~10–15 → ~5–7. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(dependabot): inline-expand YAML anchors Dependabot's YAML parser doesn't support aliases / merge keys ("YAML aliases are not supported"), so the common per-entry settings now have to be duplicated explicitly. File grows from 97 → 151 lines but stays well below the original 196 because we still collapsed from 19 entries to 9 via `directories:` (plural). No behavioral change. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent 12eb315 commit 6e9e44a

1 file changed

Lines changed: 96 additions & 140 deletions

File tree

.github/dependabot.yml

Lines changed: 96 additions & 140 deletions
Original file line numberDiff line numberDiff line change
@@ -1,195 +1,151 @@
11
version: 2
2-
updates:
3-
- package-ecosystem: "npm"
4-
directory: "/samples/react/login-pkce"
5-
schedule:
6-
interval: "weekly"
7-
open-pull-requests-limit: 5
8-
labels:
9-
- "dependencies"
10-
commit-message:
11-
prefix: "deps"
12-
13-
- package-ecosystem: "npm"
14-
directory: "/samples/react/token-refresh"
15-
schedule:
16-
interval: "weekly"
17-
open-pull-requests-limit: 5
18-
labels:
19-
- "dependencies"
20-
commit-message:
21-
prefix: "deps"
22-
23-
- package-ecosystem: "npm"
24-
directory: "/samples/angular/login-pkce"
25-
schedule:
26-
interval: "weekly"
27-
open-pull-requests-limit: 5
28-
labels:
29-
- "dependencies"
30-
commit-message:
31-
prefix: "deps"
322

33-
- package-ecosystem: "npm"
34-
directory: "/samples/angular/token-refresh"
35-
schedule:
36-
interval: "weekly"
37-
open-pull-requests-limit: 5
38-
labels:
39-
- "dependencies"
40-
commit-message:
41-
prefix: "deps"
42-
43-
- package-ecosystem: "npm"
44-
directory: "/samples/vue/login-pkce"
45-
schedule:
46-
interval: "weekly"
47-
open-pull-requests-limit: 5
48-
labels:
49-
- "dependencies"
50-
commit-message:
51-
prefix: "deps"
52-
53-
- package-ecosystem: "npm"
54-
directory: "/samples/vue/token-refresh"
55-
schedule:
56-
interval: "weekly"
57-
open-pull-requests-limit: 5
58-
labels:
59-
- "dependencies"
60-
commit-message:
61-
prefix: "deps"
3+
# Each framework groups its login-pkce + token-refresh directories into a
4+
# single entry via `directories:` (plural) — those samples share package.json
5+
# contents, so the bumps always travel together. Combined with
6+
# `groups: minor-and-patch`, this collapses what used to be ~57 open PRs into
7+
# ~5–7 steady-state.
8+
#
9+
# Major bumps still get individual PRs (groups only covers minor/patch) so a
10+
# human reads the changelog before merging.
11+
#
12+
# NOTE: Dependabot's YAML parser does NOT support aliases / merge keys, so the
13+
# common settings are duplicated explicitly below.
6214

15+
updates:
16+
# ── npm samples ─────────────────────────────────────────────────────────
6317
- package-ecosystem: "npm"
64-
directory: "/samples/node/login-auth-code"
18+
directories:
19+
- "/samples/react/login-pkce"
20+
- "/samples/react/token-refresh"
6521
schedule:
6622
interval: "weekly"
67-
open-pull-requests-limit: 5
68-
labels:
69-
- "dependencies"
23+
open-pull-requests-limit: 3
24+
labels: ["dependencies"]
7025
commit-message:
7126
prefix: "deps"
27+
groups:
28+
minor-and-patch:
29+
patterns: ["*"]
30+
update-types: ["minor", "patch"]
7231

7332
- package-ecosystem: "npm"
74-
directory: "/samples/node/saml-sp-login"
33+
directories:
34+
- "/samples/angular/login-pkce"
35+
- "/samples/angular/token-refresh"
7536
schedule:
7637
interval: "weekly"
77-
open-pull-requests-limit: 5
78-
labels:
79-
- "dependencies"
38+
open-pull-requests-limit: 3
39+
labels: ["dependencies"]
8040
commit-message:
8141
prefix: "deps"
42+
groups:
43+
minor-and-patch:
44+
patterns: ["*"]
45+
update-types: ["minor", "patch"]
8246

8347
- package-ecosystem: "npm"
84-
directory: "/samples/node/token-refresh"
48+
directories:
49+
- "/samples/vue/login-pkce"
50+
- "/samples/vue/token-refresh"
8551
schedule:
8652
interval: "weekly"
87-
open-pull-requests-limit: 5
88-
labels:
89-
- "dependencies"
53+
open-pull-requests-limit: 3
54+
labels: ["dependencies"]
9055
commit-message:
9156
prefix: "deps"
57+
groups:
58+
minor-and-patch:
59+
patterns: ["*"]
60+
update-types: ["minor", "patch"]
9261

93-
# React Native samples — the auto-merge workflow excludes
94-
# /samples/react-native/* by directory match, so bumps here always require
95-
# human review. Dep bumps can break native autolinking / API shapes that
96-
# `tsc --noEmit` doesn't catch. The "manual-review" label is informational
97-
# only (the workflow filter is directory-based, not label-based).
9862
- package-ecosystem: "npm"
99-
directory: "/samples/react-native/login-pkce"
63+
directories:
64+
- "/samples/node/login-auth-code"
65+
- "/samples/node/saml-sp-login"
66+
- "/samples/node/token-refresh"
10067
schedule:
10168
interval: "weekly"
102-
open-pull-requests-limit: 5
103-
labels:
104-
- "dependencies"
105-
- "manual-review"
69+
open-pull-requests-limit: 3
70+
labels: ["dependencies"]
10671
commit-message:
10772
prefix: "deps"
73+
groups:
74+
minor-and-patch:
75+
patterns: ["*"]
76+
update-types: ["minor", "patch"]
10877

78+
# React Native — auto-merge workflow excludes /samples/react-native/* by
79+
# directory match, so bumps always require human review. Dep bumps can break
80+
# native autolinking / API shapes that `tsc --noEmit` doesn't catch. The
81+
# "manual-review" label is informational (the workflow filter is dir-based).
10982
- package-ecosystem: "npm"
110-
directory: "/samples/react-native/token-refresh"
83+
directories:
84+
- "/samples/react-native/login-pkce"
85+
- "/samples/react-native/token-refresh"
11186
schedule:
11287
interval: "weekly"
113-
open-pull-requests-limit: 5
114-
labels:
115-
- "dependencies"
116-
- "manual-review"
88+
open-pull-requests-limit: 3
89+
labels: ["dependencies", "manual-review"]
11790
commit-message:
11891
prefix: "deps"
92+
groups:
93+
minor-and-patch:
94+
patterns: ["*"]
95+
update-types: ["minor", "patch"]
11996

12097
- package-ecosystem: "npm"
12198
directory: "/scripts"
12299
schedule:
123100
interval: "weekly"
124101
open-pull-requests-limit: 3
125-
labels:
126-
- "dependencies"
127-
commit-message:
128-
prefix: "deps"
129-
130-
- package-ecosystem: "maven"
131-
directory: "/samples/java/login-auth-code"
132-
schedule:
133-
interval: "weekly"
134-
open-pull-requests-limit: 5
135-
labels:
136-
- "dependencies"
137-
commit-message:
138-
prefix: "deps"
139-
140-
- package-ecosystem: "maven"
141-
directory: "/samples/java/saml-sp-login"
142-
schedule:
143-
interval: "weekly"
144-
open-pull-requests-limit: 5
145-
labels:
146-
- "dependencies"
102+
labels: ["dependencies"]
147103
commit-message:
148104
prefix: "deps"
105+
groups:
106+
minor-and-patch:
107+
patterns: ["*"]
108+
update-types: ["minor", "patch"]
149109

110+
# ── Maven (Java) ────────────────────────────────────────────────────────
111+
# Monthly cadence: Spring Boot + plugin updates move slower than npm.
150112
- package-ecosystem: "maven"
151-
directory: "/samples/java/token-refresh"
113+
directories:
114+
- "/samples/java/login-auth-code"
115+
- "/samples/java/saml-sp-login"
116+
- "/samples/java/token-refresh"
152117
schedule:
153-
interval: "weekly"
154-
open-pull-requests-limit: 5
155-
labels:
156-
- "dependencies"
157-
commit-message:
158-
prefix: "deps"
159-
160-
- package-ecosystem: "nuget"
161-
directory: "/samples/dotnet/login-auth-code"
162-
schedule:
163-
interval: "weekly"
164-
open-pull-requests-limit: 5
165-
labels:
166-
- "dependencies"
167-
commit-message:
168-
prefix: "deps"
169-
170-
- package-ecosystem: "nuget"
171-
directory: "/samples/dotnet/saml-sp-login"
172-
schedule:
173-
interval: "weekly"
174-
open-pull-requests-limit: 5
175-
labels:
176-
- "dependencies"
118+
interval: "monthly"
119+
open-pull-requests-limit: 3
120+
labels: ["dependencies"]
177121
commit-message:
178122
prefix: "deps"
123+
groups:
124+
minor-and-patch:
125+
patterns: ["*"]
126+
update-types: ["minor", "patch"]
179127

128+
# ── NuGet (.NET) ────────────────────────────────────────────────────────
129+
# Monthly cadence: Microsoft.* packages bunch around SDK release cycles.
180130
- package-ecosystem: "nuget"
181-
directory: "/samples/dotnet/token-refresh"
131+
directories:
132+
- "/samples/dotnet/login-auth-code"
133+
- "/samples/dotnet/saml-sp-login"
134+
- "/samples/dotnet/token-refresh"
182135
schedule:
183-
interval: "weekly"
184-
open-pull-requests-limit: 5
185-
labels:
186-
- "dependencies"
136+
interval: "monthly"
137+
open-pull-requests-limit: 3
138+
labels: ["dependencies"]
187139
commit-message:
188140
prefix: "deps"
141+
groups:
142+
minor-and-patch:
143+
patterns: ["*"]
144+
update-types: ["minor", "patch"]
189145

146+
# ── GitHub Actions ──────────────────────────────────────────────────────
190147
- package-ecosystem: "github-actions"
191148
directory: "/"
192149
schedule:
193150
interval: "weekly"
194-
labels:
195-
- "dependencies"
151+
labels: ["dependencies"]

0 commit comments

Comments
 (0)