Conversation

shenxianpeng
Copy link
Collaborator

@shenxianpeng shenxianpeng commented Sep 22, 2025

I am not sure how exclude-patterns works with a group, but applies-to: "security-updates" seems to work, going by this example:

https://github.com/hashicorp/golang-lru/blob/1ecdc13547b564bf736db9161ed89f1864010108/.github/dependabot.yml#L19-L36

closes #337

Summary by CodeRabbit

  • Chores
    • Updated automated dependency update policy to apply security-only updates for developer tooling and documentation packages.
    • Reduces noise from routine version bumps, focusing maintenance on critical security patches.
    • Helps keep the project stable and secure without frequent non-essential update PRs.
    • No changes to app functionality; end-users should see no behavioral differences.

@shenxianpeng shenxianpeng added the bug Something isn't working label Sep 22, 2025
@shenxianpeng shenxianpeng changed the title fix: update dependabot.yml to add applies-to fix: update dependabot.yml to add applies-to Sep 22, 2025
@2bndy5
Copy link
Collaborator

2bndy5 commented Sep 22, 2025

I am not sure how exclude-patterns works with a group

See GH tutorial about optimizing the number of PRs submitted. There's also an example in there that uses a cooldown option for certain dependencies. That might also be useful here.

And also, the config docs.


I think security-updates would effectively turn off updates to the group. I have never seen security advisories about mkdocs, mypy, ruff, etc.

But I'm willing to try this. I still suspect the patterns are not actually grouping the dependencies like expected.

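To make the two group shapes discussed above concrete, here is an added illustration of a Dependabot config for the uv ecosystem; it is not the project's own dependabot.yml. The package names come from the thread, while the directory, schedule, exact pattern lists and the cooldown numbers are assumptions. Per the Dependabot configuration reference, applies-to defaults to "version-updates", so a group set to "security-updates" only batches PRs raised from a security advisory and no longer matches ordinary version bumps for those packages; dependencies that match no version-update group are still raised as individual PRs unless they are ignored elsewhere in the file.

```yaml
# Added illustration, not the project's dependabot.yml.
# Directory, schedule, pattern lists and day counts are assumptions.
version: 2
updates:
  - package-ecosystem: "uv"
    directory: "/"
    schedule:
      interval: "weekly"

    # Before this PR: a version-update group that batches major and minor
    # bumps for the listed tooling into one PR. Patch bumps fall outside the
    # group and still arrive as individual PRs.
    #
    # groups:
    #   dev:
    #     patterns: ["mypy", "ruff"]
    #     update-types: ["major", "minor"]
    #   docs:
    #     patterns: ["mkdocs*"]
    #     update-types: ["major", "minor"]

    # After this PR: the same groups scoped to security updates only.
    # applies-to defaults to "version-updates", so with "security-updates"
    # these groups no longer match routine version bumps at all; they only
    # batch PRs that Dependabot opens because of a security advisory.
    groups:
      dev:
        applies-to: "security-updates"
        patterns: ["mypy", "ruff"]
      docs:
        applies-to: "security-updates"
        patterns: ["mkdocs*"]
        # exclude-patterns removes matching dependencies from this group
        # (assumed package name, shown only to illustrate the key).
        exclude-patterns: ["mkdocs-material"]

    # Alternative raised in the thread: keep version updates, but make
    # Dependabot wait a number of days after a release before proposing it,
    # per semver level. `exclude` opts individual packages out of the wait.
    cooldown:
      default-days: 7
      semver-major-days: 30
      semver-minor-days: 14
      semver-patch-days: 7
      exclude: ["ruff"]
```

The trade-off for the security-only groups is that the non-security version PRs for these packages do not disappear on their own; they are simply no longer grouped. If the goal is fewer PRs rather than differently batched ones, the cooldown block (or an ignore entry for those version-update types) is the knob that actually reduces the count.
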
@shenxianpeng
Copy link
Collaborator Author

There's also an example in there that uses a cooldown option for certain dependencies.

Interesting option.

But I'm willing to try this.

Let's try this first, then try cooldown if it does not work well.

@shenxianpeng shenxianpeng marked this pull request as ready for review September 22, 2025 12:03
@shenxianpeng shenxianpeng requested a review from a team as a code owner September 22, 2025 12:03
@shenxianpeng shenxianpeng requested review from 2bndy5 and removed request for a team September 22, 2025 12:03
@shenxianpeng shenxianpeng merged commit 015a8cd into main Sep 22, 2025
7 of 8 checks passed
@shenxianpeng shenxianpeng deleted the shenxianpeng-patch-1 branch September 22, 2025 12:04
Copy link
Contributor

coderabbitai bot commented Sep 22, 2025

Caution

Review failed

The pull request is closed.

Walkthrough

Dependabot configuration in .github/dependabot.yml was modified for the uv package ecosystem: in the dev and docs groups, the update-types array was removed and replaced with applies-to: "security-updates", constraining those groups to security updates only.

Changes

Cohort / File(s): Dependabot config updates, .github/dependabot.yml
Summary: In updates[].package-ecosystem: uv, replaced groups.dev.update-types: ["major", "minor"] and groups.docs.update-types: ["major", "minor"] with applies-to: "security-updates" for both groups.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

dependencies

Suggested reviewers

  • 2bndy5

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9e7fcb1 and de604ec.

📒 Files selected for processing (1)
  • .github/dependabot.yml (2 hunks)


Labels
bug Something isn't working
Development

Successfully merging this pull request may close these issues.

Reduce updates for dev and docs groups dependency
2 participants