Reduce number of Dependabot PRs (#247)

mhucka · web-flow · commit 56dd8d5fee38 · 2026-04-20T08:17:07.000-07:00
This changes 2 things:

- Enable grouped updates. Instead of a separate PR for every package,
  Dependabot can combine them into a single "dependency update" PR.

- Limit to direct dependencies. We can use the allow key to restrict it
  to only the packages you explicitly list in the `requirements.in`.
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
@@ -25,11 +25,19 @@ updates:
       - "area/health"
 
   - package-ecosystem: "pip"
-    directories:
-      - "**/*"
+    directory: "/src/py"
+    allow:
+      - dependency-name: stim
+      - dependency-name: pytest
+      - dependency-name: sinter
+      - dependency-name: pybind11-stubgen
     schedule:
       interval: "monthly"
     versioning-strategy: "increase-if-necessary"
+    groups:
+      python-dependencies:
+        patterns:
+          - "*"
     labels:
       - "area/dependencies"
       - "area/python"
diff --git a/src/py/requirements.in b/src/py/requirements.in
@@ -1,4 +1,7 @@
+# Note: if you add or subtract from the list below, also update the "allow"
+# list in ../../.github/dependabot.yaml.
+
 stim
 pytest
 sinter
-pybind11-stubgen
+pybind11-stubgen
