|
1 | 1 | version: 2 |
2 | | -updates: |
3 | | - - package-ecosystem: "npm" |
4 | | - directory: "/samples/react/login-pkce" |
5 | | - schedule: |
6 | | - interval: "weekly" |
7 | | - open-pull-requests-limit: 5 |
8 | | - labels: |
9 | | - - "dependencies" |
10 | | - commit-message: |
11 | | - prefix: "deps" |
12 | | - |
13 | | - - package-ecosystem: "npm" |
14 | | - directory: "/samples/react/token-refresh" |
15 | | - schedule: |
16 | | - interval: "weekly" |
17 | | - open-pull-requests-limit: 5 |
18 | | - labels: |
19 | | - - "dependencies" |
20 | | - commit-message: |
21 | | - prefix: "deps" |
22 | | - |
23 | | - - package-ecosystem: "npm" |
24 | | - directory: "/samples/angular/login-pkce" |
25 | | - schedule: |
26 | | - interval: "weekly" |
27 | | - open-pull-requests-limit: 5 |
28 | | - labels: |
29 | | - - "dependencies" |
30 | | - commit-message: |
31 | | - prefix: "deps" |
32 | 2 |
|
33 | | - - package-ecosystem: "npm" |
34 | | - directory: "/samples/angular/token-refresh" |
35 | | - schedule: |
36 | | - interval: "weekly" |
37 | | - open-pull-requests-limit: 5 |
38 | | - labels: |
39 | | - - "dependencies" |
40 | | - commit-message: |
41 | | - prefix: "deps" |
42 | | - |
43 | | - - package-ecosystem: "npm" |
44 | | - directory: "/samples/vue/login-pkce" |
45 | | - schedule: |
46 | | - interval: "weekly" |
47 | | - open-pull-requests-limit: 5 |
48 | | - labels: |
49 | | - - "dependencies" |
50 | | - commit-message: |
51 | | - prefix: "deps" |
52 | | - |
53 | | - - package-ecosystem: "npm" |
54 | | - directory: "/samples/vue/token-refresh" |
55 | | - schedule: |
56 | | - interval: "weekly" |
57 | | - open-pull-requests-limit: 5 |
58 | | - labels: |
59 | | - - "dependencies" |
60 | | - commit-message: |
61 | | - prefix: "deps" |
| 3 | +# Each framework groups its login-pkce + token-refresh directories into a |
| 4 | +# single entry via `directories:` (plural) — those samples share package.json |
| 5 | +# contents, so the bumps always travel together. Combined with |
| 6 | +# `groups: minor-and-patch`, this collapses what used to be ~57 open PRs into |
| 7 | +# ~5–7 steady-state. |
| 8 | +# |
| 9 | +# Major bumps still get individual PRs (groups only covers minor/patch) so a |
| 10 | +# human reads the changelog before merging. |
| 11 | +# |
| 12 | +# NOTE: Dependabot's YAML parser does NOT support aliases / merge keys, so the |
| 13 | +# common settings are duplicated explicitly below. |
62 | 14 |
|
| 15 | +updates: |
| 16 | + # ── npm samples ───────────────────────────────────────────────────────── |
63 | 17 | - package-ecosystem: "npm" |
64 | | - directory: "/samples/node/login-auth-code" |
| 18 | + directories: |
| 19 | + - "/samples/react/login-pkce" |
| 20 | + - "/samples/react/token-refresh" |
65 | 21 | schedule: |
66 | 22 | interval: "weekly" |
67 | | - open-pull-requests-limit: 5 |
68 | | - labels: |
69 | | - - "dependencies" |
| 23 | + open-pull-requests-limit: 3 |
| 24 | + labels: ["dependencies"] |
70 | 25 | commit-message: |
71 | 26 | prefix: "deps" |
| 27 | + groups: |
| 28 | + minor-and-patch: |
| 29 | + patterns: ["*"] |
| 30 | + update-types: ["minor", "patch"] |
72 | 31 |
|
73 | 32 | - package-ecosystem: "npm" |
74 | | - directory: "/samples/node/saml-sp-login" |
| 33 | + directories: |
| 34 | + - "/samples/angular/login-pkce" |
| 35 | + - "/samples/angular/token-refresh" |
75 | 36 | schedule: |
76 | 37 | interval: "weekly" |
77 | | - open-pull-requests-limit: 5 |
78 | | - labels: |
79 | | - - "dependencies" |
| 38 | + open-pull-requests-limit: 3 |
| 39 | + labels: ["dependencies"] |
80 | 40 | commit-message: |
81 | 41 | prefix: "deps" |
| 42 | + groups: |
| 43 | + minor-and-patch: |
| 44 | + patterns: ["*"] |
| 45 | + update-types: ["minor", "patch"] |
82 | 46 |
|
83 | 47 | - package-ecosystem: "npm" |
84 | | - directory: "/samples/node/token-refresh" |
| 48 | + directories: |
| 49 | + - "/samples/vue/login-pkce" |
| 50 | + - "/samples/vue/token-refresh" |
85 | 51 | schedule: |
86 | 52 | interval: "weekly" |
87 | | - open-pull-requests-limit: 5 |
88 | | - labels: |
89 | | - - "dependencies" |
| 53 | + open-pull-requests-limit: 3 |
| 54 | + labels: ["dependencies"] |
90 | 55 | commit-message: |
91 | 56 | prefix: "deps" |
| 57 | + groups: |
| 58 | + minor-and-patch: |
| 59 | + patterns: ["*"] |
| 60 | + update-types: ["minor", "patch"] |
92 | 61 |
|
93 | | - # React Native samples — the auto-merge workflow excludes |
94 | | - # /samples/react-native/* by directory match, so bumps here always require |
95 | | - # human review. Dep bumps can break native autolinking / API shapes that |
96 | | - # `tsc --noEmit` doesn't catch. The "manual-review" label is informational |
97 | | - # only (the workflow filter is directory-based, not label-based). |
98 | 62 | - package-ecosystem: "npm" |
99 | | - directory: "/samples/react-native/login-pkce" |
| 63 | + directories: |
| 64 | + - "/samples/node/login-auth-code" |
| 65 | + - "/samples/node/saml-sp-login" |
| 66 | + - "/samples/node/token-refresh" |
100 | 67 | schedule: |
101 | 68 | interval: "weekly" |
102 | | - open-pull-requests-limit: 5 |
103 | | - labels: |
104 | | - - "dependencies" |
105 | | - - "manual-review" |
| 69 | + open-pull-requests-limit: 3 |
| 70 | + labels: ["dependencies"] |
106 | 71 | commit-message: |
107 | 72 | prefix: "deps" |
| 73 | + groups: |
| 74 | + minor-and-patch: |
| 75 | + patterns: ["*"] |
| 76 | + update-types: ["minor", "patch"] |
108 | 77 |
|
| 78 | + # React Native — auto-merge workflow excludes /samples/react-native/* by |
| 79 | + # directory match, so bumps always require human review. Dep bumps can break |
| 80 | + # native autolinking / API shapes that `tsc --noEmit` doesn't catch. The |
| 81 | + # "manual-review" label is informational (the workflow filter is dir-based). |
109 | 82 | - package-ecosystem: "npm" |
110 | | - directory: "/samples/react-native/token-refresh" |
| 83 | + directories: |
| 84 | + - "/samples/react-native/login-pkce" |
| 85 | + - "/samples/react-native/token-refresh" |
111 | 86 | schedule: |
112 | 87 | interval: "weekly" |
113 | | - open-pull-requests-limit: 5 |
114 | | - labels: |
115 | | - - "dependencies" |
116 | | - - "manual-review" |
| 88 | + open-pull-requests-limit: 3 |
| 89 | + labels: ["dependencies", "manual-review"] |
117 | 90 | commit-message: |
118 | 91 | prefix: "deps" |
| 92 | + groups: |
| 93 | + minor-and-patch: |
| 94 | + patterns: ["*"] |
| 95 | + update-types: ["minor", "patch"] |
119 | 96 |
|
120 | 97 | - package-ecosystem: "npm" |
121 | 98 | directory: "/scripts" |
122 | 99 | schedule: |
123 | 100 | interval: "weekly" |
124 | 101 | open-pull-requests-limit: 3 |
125 | | - labels: |
126 | | - - "dependencies" |
127 | | - commit-message: |
128 | | - prefix: "deps" |
129 | | - |
130 | | - - package-ecosystem: "maven" |
131 | | - directory: "/samples/java/login-auth-code" |
132 | | - schedule: |
133 | | - interval: "weekly" |
134 | | - open-pull-requests-limit: 5 |
135 | | - labels: |
136 | | - - "dependencies" |
137 | | - commit-message: |
138 | | - prefix: "deps" |
139 | | - |
140 | | - - package-ecosystem: "maven" |
141 | | - directory: "/samples/java/saml-sp-login" |
142 | | - schedule: |
143 | | - interval: "weekly" |
144 | | - open-pull-requests-limit: 5 |
145 | | - labels: |
146 | | - - "dependencies" |
| 102 | + labels: ["dependencies"] |
147 | 103 | commit-message: |
148 | 104 | prefix: "deps" |
| 105 | + groups: |
| 106 | + minor-and-patch: |
| 107 | + patterns: ["*"] |
| 108 | + update-types: ["minor", "patch"] |
149 | 109 |
|
| 110 | + # ── Maven (Java) ──────────────────────────────────────────────────────── |
| 111 | + # Monthly cadence: Spring Boot + plugin updates move slower than npm. |
150 | 112 | - package-ecosystem: "maven" |
151 | | - directory: "/samples/java/token-refresh" |
| 113 | + directories: |
| 114 | + - "/samples/java/login-auth-code" |
| 115 | + - "/samples/java/saml-sp-login" |
| 116 | + - "/samples/java/token-refresh" |
152 | 117 | schedule: |
153 | | - interval: "weekly" |
154 | | - open-pull-requests-limit: 5 |
155 | | - labels: |
156 | | - - "dependencies" |
157 | | - commit-message: |
158 | | - prefix: "deps" |
159 | | - |
160 | | - - package-ecosystem: "nuget" |
161 | | - directory: "/samples/dotnet/login-auth-code" |
162 | | - schedule: |
163 | | - interval: "weekly" |
164 | | - open-pull-requests-limit: 5 |
165 | | - labels: |
166 | | - - "dependencies" |
167 | | - commit-message: |
168 | | - prefix: "deps" |
169 | | - |
170 | | - - package-ecosystem: "nuget" |
171 | | - directory: "/samples/dotnet/saml-sp-login" |
172 | | - schedule: |
173 | | - interval: "weekly" |
174 | | - open-pull-requests-limit: 5 |
175 | | - labels: |
176 | | - - "dependencies" |
| 118 | + interval: "monthly" |
| 119 | + open-pull-requests-limit: 3 |
| 120 | + labels: ["dependencies"] |
177 | 121 | commit-message: |
178 | 122 | prefix: "deps" |
| 123 | + groups: |
| 124 | + minor-and-patch: |
| 125 | + patterns: ["*"] |
| 126 | + update-types: ["minor", "patch"] |
179 | 127 |
|
| 128 | + # ── NuGet (.NET) ──────────────────────────────────────────────────────── |
| 129 | + # Monthly cadence: Microsoft.* packages bunch around SDK release cycles. |
180 | 130 | - package-ecosystem: "nuget" |
181 | | - directory: "/samples/dotnet/token-refresh" |
| 131 | + directories: |
| 132 | + - "/samples/dotnet/login-auth-code" |
| 133 | + - "/samples/dotnet/saml-sp-login" |
| 134 | + - "/samples/dotnet/token-refresh" |
182 | 135 | schedule: |
183 | | - interval: "weekly" |
184 | | - open-pull-requests-limit: 5 |
185 | | - labels: |
186 | | - - "dependencies" |
| 136 | + interval: "monthly" |
| 137 | + open-pull-requests-limit: 3 |
| 138 | + labels: ["dependencies"] |
187 | 139 | commit-message: |
188 | 140 | prefix: "deps" |
| 141 | + groups: |
| 142 | + minor-and-patch: |
| 143 | + patterns: ["*"] |
| 144 | + update-types: ["minor", "patch"] |
189 | 145 |
|
| 146 | + # ── GitHub Actions ────────────────────────────────────────────────────── |
190 | 147 | - package-ecosystem: "github-actions" |
191 | 148 | directory: "/" |
192 | 149 | schedule: |
193 | 150 | interval: "weekly" |
194 | | - labels: |
195 | | - - "dependencies" |
| 151 | + labels: ["dependencies"] |
0 commit comments