Skip to content

chore(dependabot): group dependency updates to stop the per-service SDK PR flood#29

Merged
vyakush merged 1 commit into
mainfrom
chore/dependabot-grouping
Jul 8, 2026
Merged

chore(dependabot): group dependency updates to stop the per-service SDK PR flood#29
vyakush merged 1 commit into
mainfrom
chore/dependabot-grouping

Conversation

@vyakush

@vyakush vyakush commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

What

Adds groups to .github/dependabot.yml so Dependabot batches related dependency updates into a few PRs per week instead of one-per-dependency.

Why

go.mod pulls in ~89 individual aws-sdk-go-v2 service modules. Without grouping, Dependabot opens a separate PR for each service every week, and because they all edit the same go.mod they serialise into a rebase pile-up (this repo just accumulated ~20 such PRs).

Grouping

  • gomod: aws-sdk-go-v2 (+ smithy) → one PR; all other Go deps → a second PR.
  • npm (/dashboard, /cdk): dev-deps and prod-deps grouped separately.
  • github-actions: SHA bumps grouped into one PR.

Security updates still open individually and immediately (groups default to version-updates), so this does not delay or hide security fixes.

Config validated as YAML and against the Dependabot groups schema.

go.mod pulls in ~89 aws-sdk-go-v2 service modules; ungrouped, Dependabot
opened a separate PR per service each week, and since they all edit the
same go.mod they serialised into a rebase pile-up. Group aws-sdk-go-v2 (+
smithy) into one PR and the rest of the Go module into a second; group the
dashboard/cdk npm dev- and prod-deps and the github-actions SHA bumps.
Security updates still open individually and immediately (groups default to
version-updates), so this does not delay security fixes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant