Group Dependabot CI (GitHub Actions) updates into a single monthly PR

[Copilot]

This updates Dependabot so CI-related dependency bumps are grouped instead of opening one PR per GitHub Actions dependency. Existing non-CI behavior remains unchanged.

• Dependabot config update

  • Added a groups rule under the existing github-actions update entry in .github/dependabot.yml.
  • Kept the existing monthly schedule and ci: commit message prefix intact.

• CI dependency grouping behavior

  • Introduced a single group (ci-dependencies) that applies to version updates and matches all GitHub Actions dependencies in that ecosystem entry.

updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"
    groups:
      ci-dependencies:
        applies-to: version-updates
        patterns:
          - "*"
    commit-message:
      prefix: "ci: "

Original prompt

Update the Dependabot configuration in cms-nanoAOD/correctionlib so that CI-related dependency updates are grouped together in Dependabot pull requests.

Repository: cms-nanoAOD/correctionlib

Goals:

• Find the existing .github/dependabot.yml (or equivalent Dependabot config) in the repository.
• Modify the configuration so CI-related items are grouped into a single Dependabot PR where appropriate.
• Preserve the repository's existing update schedule and behavior for non-CI dependency updates unless changes are necessary to support CI grouping.
• Use Dependabot grouping configuration supported by GitHub.
• Open a pull request with the change.

Implementation guidance:

• Inspect the current Dependabot ecosystems and directories in use.
• For GitHub Actions / CI-related updates, add an appropriate groups entry that groups relevant dependencies together.
• Keep the change minimal and targeted.
• Include a clear PR title and description explaining that CI-related Dependabot updates are now grouped together.

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: Is there a way to ask dependabot to roll all monthly updates into one PR?

Assistant: Yes — for Dependabot version updates, you can group updates into a single PR by using groups in .github/dependabot.yml. GitHub documents this in Optimizing the creation of pull requests for Dependabot version updates.

For example, to make one monthly PR for all version updates in an ecosystem:

version: 2
updates:
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "monthly"
    groups:
      all-dependencies:
        applies-to: version-updates
        patterns:
          - "*"

What this does:

• interval: "monthly" makes Dependabot check monthly
• patterns: ["*"] groups all matching dependencies
• applies-to: version-updates limits this to version update PRs

A few caveats:

• This is for version updates; security updates may still be handled separately.
• Grouping is per updates entry, so if you have multiple ecosystems or directories, you may still get one grouped PR per ecosystem/directory unless you configure them together where supported.
• A giant single PR can be harder to review, so many teams group by ecosystem or only group minor/patch updates.

If you want, I can draft a dependabot.yml for cms-nanoAOD/correctionlib that rolls its monthly updates into as few PRs as possible.

User: Please make a PR updating the dependabot config to group any CI items together

Assistant: I'm waiting for your confirmation on the pull request action, and once you respond I can continue.

This pull request was created from Copilot chat.

[github-actions]

CVMFS benchmarks

Top 25 slowest-loading corrections, sorted by mean time:

Benchmark	Mean (ms)	Stddev (ms)	Rounds
test_load[JME/Run2-2017-UL-NanoAODv9/latest/jet_jerc.json.gz]	927.430	3.893	5
test_load[JME/Run2-2017-UL-NanoAODv9/latest/fatJet_jerc.json.gz]	775.715	5.989	5
test_load[JME/Run3-24Prompt-Winter24-NanoAODv14/latest/jet_jerc.json.gz]	671.228	10.585	5
test_load[JME/Run3-24CDEReprocessingFGHIPrompt-Summer24-NanoAODv15/latest/fatJet_jerc.json.gz]	590.423	3.115	5
test_load[JME/Run3-24CDEReprocessingFGHIPrompt-Summer24-NanoAODv15/latest/jet_jerc.json.gz]	589.500	4.512	5
test_load[JME/Run3-25Prompt-Winter25-NanoAODv15/latest/fatJet_jerc.json.gz]	401.913	0.947	5
test_load[JME/Run3-25Prompt-Winter25-NanoAODv15/latest/jet_jerc.json.gz]	401.873	0.813	5
test_load[JME/Run3-23CSep23-Summer23-NanoAODv12/latest/fatJet_jerc.json.gz]	301.998	1.081	5
test_load[JME/Run3-23CSep23-Summer23-NanoAODv12/latest/jet_jerc.json.gz]	298.811	1.734	5
test_load[JME/Run2-2018-UL-NanoAODv9/latest/jet_jerc.json.gz]	291.271	1.620	5
test_load[JME/Run3-22EFGSep23-Summer22EE-NanoAODv12/latest/fatJet_jerc.json.gz]	247.524	0.542	5
test_load[JME/Run3-22EFGSep23-Summer22EE-NanoAODv12/latest/jet_jerc.json.gz]	246.793	0.566	5
test_load[JME/Run2-2017-UL-NanoAODv15/latest/fatJet_jerc.json.gz]	234.221	14.085	5
test_load[JME/Run2-2016preVFP-UL-NanoAODv9/latest/jet_jerc.json.gz]	232.066	0.456	5
test_load[JME/Run3-23DSep23-Summer23BPix-NanoAODv12/latest/jet_jerc.json.gz]	225.946	0.620	5
test_load[JME/Run3-23DSep23-Summer23BPix-NanoAODv12/latest/fatJet_jerc.json.gz]	225.603	0.750	5
test_load[JME/Run2-2017-UL-NanoAODv15/latest/jet_jerc.json.gz]	224.715	0.311	5
test_load[JME/Run3-22CDSep23-Summer22-NanoAODv12/latest/fatJet_jerc.json.gz]	220.985	27.365	5
test_load[JME/Run2-2018-UL-NanoAODv9/latest/fatJet_jerc.json.gz]	220.760	0.475	5
test_load[JME/Run2-2018-UL-NanoAODv15/latest/fatJet_jerc.json.gz]	217.532	1.726	5
test_load[JME/Run2-2018-UL-NanoAODv15/latest/jet_jerc.json.gz]	216.113	0.719	5
test_load[JME/Run3-22Prompt-Winter22-NanoAODv12/latest/jet_jerc.json.gz]	212.534	0.894	5
test_load[JME/Run3-22Prompt-Winter22-NanoAODv12/latest/fatJet_jerc.json.gz]	211.812	0.702	5
test_load[JME/Run2-2016postVFP-UL-NanoAODv9/latest/jet_jerc.json.gz]	211.087	2.139	5
test_load[JME/Run3-22CDSep23-Summer22-NanoAODv12/latest/jet_jerc.json.gz]	206.790	0.755	5