| 1 | +--- |
| 2 | +# Dependabot configuration |
| 3 | +# |
| 4 | +# This file configures automated dependency updates for a small Python project |
| 5 | +# managed via pyproject.toml (PEP 621) and Hatch. |
| 6 | +# |
| 7 | +# Goals: |
| 8 | +# - keep Python dependencies (dev + runtime) up to date with minimal noise |
| 9 | +# - keep GitHub Actions workflow updates separate from Python dependencies |
| 10 | +# - batch minor and patch updates into a few focused PRs |
| 11 | +# - keep potentially breaking (major) updates visible as separate PRs |
| 12 | +# |
| 13 | +# Grouping strategy: |
| 14 | +# - GitHub Actions: |
| 15 | +# - one grouped PR for minor/patch updates |
| 16 | +# - one grouped PR for major updates |
| 17 | +# - Python (pip ecosystem, pyproject.toml): |
| 18 | +# - one group for development/test tooling (ruff, pytest, pytest-cov) |
| 19 | +# - one catch-all group for all other Python packages (runtime deps, etc.) |
| 20 | +# - major updates are not grouped and will be opened as separate PRs by default |
| 21 | +# |
| 22 | +# Recommended documentation: |
| 23 | +# |
| 24 | +# 1) Dependabot Options Reference — full list of available keys, |
| 25 | +# including "groups", "update-types", etc. |
| 26 | +# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file |
| 27 | +# |
| 28 | +# 2) Optimizing pull request creation — best practices for grouping updates, |
| 29 | +# controlling frequency, and limiting noise in development teams. |
| 30 | +# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/optimizing-pr-creation-version-updates |
| 31 | +# |
| 32 | +version: 2 |
| 33 | +updates: |
| 34 | + # 1) Keep GitHub Actions workflows up to date |
| 35 | + - package-ecosystem: github-actions |
| 36 | + directory: / # Look for workflow files in the repo root |
| 37 | + schedule: |
| 38 | + interval: weekly # Check for updates once a week |
| 39 | + labels: [dependencies, automated, actions] |
| 40 | + groups: |
| 41 | + actions-minor-patch: |
| 42 | + # Group all non-breaking (minor + patch) updates into a single PR |
| 43 | + update-types: [minor, patch] |
| 44 | + actions-major: |
| 45 | + # Group all major updates for Actions into a separate PR |
| 46 | + update-types: [major] |
| 47 | + # 2) Python dependencies (pyproject.toml, pip ecosystem) |
| 48 | + # |
| 49 | + # Dependabot will read dependency definitions from pyproject.toml |
| 50 | + # (and lock files if present). Here we group dev tooling separately |
| 51 | + # from all other Python packages. |
| 52 | + - package-ecosystem: pip |
| 53 | + directory: / # pyproject.toml is in the repo root |
| 54 | + schedule: |
| 55 | + interval: weekly |
| 56 | + labels: [dependencies, automated, python] |
| 57 | + groups: |
| 58 | + python-dev-minor-patch: |
| 59 | + # Development / testing tooling (from [dependency-groups].dev): |
| 60 | + # - ruff |
| 61 | + # - pytest |
| 62 | + # - pytest-cov |
| 63 | + # |
| 64 | + # Minor and patch updates for these tools will be grouped into a single PR. |
| 65 | + patterns: [ruff, pytest, pytest-cov] |
| 66 | + update-types: [minor, patch] |
| 67 | + python-deps-minor-patch: |
| 68 | + # Catch-all group for all other Python dependencies: |
| 69 | + # - any future runtime dependencies added under [project] dependencies |
| 70 | + # - any package not matched by python-dev-minor-patch |
| 71 | + # |
| 72 | + # Minor and patch updates for these packages will be grouped together. |
| 73 | + # Major updates for any Python package will be opened as separate PRs |
| 74 | + # by default, which makes potentially breaking changes easier to review. |
| 75 | + update-types: [minor, patch] |
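Review bot: The catch-all `python-deps-minor-patch` group (line 67 onward) has no `patterns` or `exclude-patterns`, so keeping ruff, pytest and pytest-cov out of it depends entirely on `python-dev-minor-patch` being listed first; make the intent explicit by adding `exclude-patterns: [ruff, pytest, pytest-cov]` (or `patterns: ["*"]` together with the exclusions) so the grouping survives a reordering of the groups. The header comment on line 59 also describes the dev tools as coming from `[dependency-groups].dev`, while line 49 mentions "lock files if present"; the file contains nothing that pins which manifests Dependabot is expected to read, so either name the lock file in the comment or drop that phrase so the comment matches the configuration.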