chore(dependabot): group dependency updates to stop the per-service SDK PR flood#29
Merged
Conversation
go.mod pulls in ~89 aws-sdk-go-v2 service modules; ungrouped, Dependabot opened a separate PR per service each week, and since they all edit the same go.mod they serialised into a rebase pile-up. Group aws-sdk-go-v2 (+ smithy) into one PR and the rest of the Go module into a second; group the dashboard/cdk npm dev- and prod-deps and the github-actions SHA bumps. Security updates still open individually and immediately (groups default to version-updates), so this does not delay security fixes.
This was referenced Jul 8, 2026
Closed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Adds
groupsto.github/dependabot.ymlso Dependabot batches related dependency updates into a few PRs per week instead of one-per-dependency.Why
go.modpulls in ~89 individualaws-sdk-go-v2service modules. Without grouping, Dependabot opens a separate PR for each service every week, and because they all edit the samego.modthey serialise into a rebase pile-up (this repo just accumulated ~20 such PRs).Grouping
aws-sdk-go-v2(+ smithy) → one PR; all other Go deps → a second PR.Security updates still open individually and immediately (groups default to
version-updates), so this does not delay or hide security fixes.Config validated as YAML and against the Dependabot
groupsschema.