|
1 | | ---- |
2 | | -# Dependabot configuration |
3 | | -# |
4 | | -# This file configures automated dependency updates for a small Python project |
5 | | -# managed via pyproject.toml (PEP 621) and Hatch. |
6 | | -# |
7 | | -# Goals: |
8 | | -# - keep Python dependencies (dev + runtime) up to date with minimal noise |
9 | | -# - keep GitHub Actions workflow updates separate from Python dependencies |
10 | | -# - batch minor and patch updates into a few focused PRs |
11 | | -# - keep potentially breaking (major) updates visible as separate PRs |
12 | | -# |
13 | | -# Grouping strategy: |
14 | | -# - GitHub Actions: |
15 | | -# - one grouped PR for minor/patch updates |
16 | | -# - one grouped PR for major updates |
17 | | -# - Python (pip ecosystem, pyproject.toml): |
18 | | -# - one group for development/test tooling (ruff, pytest, pytest-cov) |
19 | | -# - one catch-all group for all other Python packages (runtime deps, etc.) |
20 | | -# - major updates are not grouped and will be opened as separate PRs by default |
21 | | -# |
22 | | -# Recommended documentation: |
23 | | -# |
24 | | -# 1) Dependabot Options Reference — full list of available keys, |
25 | | -# including "groups", "update-types", etc. |
26 | | -# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file |
27 | | -# |
28 | | -# 2) Optimizing pull request creation — best practices for grouping updates, |
29 | | -# controlling frequency, and limiting noise in development teams. |
30 | | -# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/optimizing-pr-creation-version-updates |
31 | | -# |
32 | 1 | version: 2 |
| 2 | +multi-ecosystem-groups: |
| 3 | + all-dependencies: |
| 4 | + schedule: |
| 5 | + interval: weekly |
33 | 6 | updates: |
34 | | - # 1) Keep GitHub Actions workflows up to date |
35 | 7 | - package-ecosystem: github-actions |
36 | | - directory: / # Look for workflow files in the repo root |
37 | | - schedule: |
38 | | - interval: weekly # Check for updates once a week |
39 | | - labels: [dependencies, automated, actions] |
40 | | - groups: |
41 | | - actions-minor-patch: |
42 | | - # Group all non-breaking (minor + patch) updates into a single PR |
43 | | - update-types: [minor, patch] |
44 | | - actions-major: |
45 | | - # Group all major updates for Actions into a separate PR |
46 | | - update-types: [major] |
47 | | - # 2) Python dependencies (pyproject.toml, pip ecosystem) |
48 | | - # |
49 | | - # Dependabot will read dependency definitions from pyproject.toml |
50 | | - # (and lock files if present). Here we group dev tooling separately |
51 | | - # from all other Python packages. |
| 8 | + directory: / |
| 9 | + patterns: |
| 10 | + - "*" |
| 11 | + multi-ecosystem-group: all-dependencies |
52 | 12 | - package-ecosystem: pip |
53 | | - directory: / # pyproject.toml is in the repo root |
54 | | - schedule: |
55 | | - interval: weekly |
56 | | - labels: [dependencies, automated, python] |
57 | | - groups: |
58 | | - python-dev-minor-patch: |
59 | | - # Development / testing tooling (from [dependency-groups].dev): |
60 | | - # - ruff |
61 | | - # - pytest |
62 | | - # - pytest-cov |
63 | | - # |
64 | | - # Minor and patch updates for these tools will be grouped into a single PR. |
65 | | - patterns: [ruff, pytest, pytest-cov] |
66 | | - update-types: [minor, patch] |
67 | | - python-deps-minor-patch: |
68 | | - # Catch-all group for all other Python dependencies: |
69 | | - # - any future runtime dependencies added under [project] dependencies |
70 | | - # - any package not matched by python-dev-minor-patch |
71 | | - # |
72 | | - # Minor and patch updates for these packages will be grouped together. |
73 | | - # Major updates for any Python package will be opened as separate PRs |
74 | | - # by default, which makes potentially breaking changes easier to review. |
75 | | - update-types: [minor, patch] |
| 13 | + directory: / |
| 14 | + patterns: |
| 15 | + - "*" |
| 16 | + multi-ecosystem-group: all-dependencies |
0 commit comments