chore: add Dependabot configuration #206

Merged
dli7319 merged 1 commit into google:main from salmanmkc:chore/add-dependabot
Mar 23, 2026

Conversation

@salmanmkc
Contributor

@salmanmkc salmanmkc commented Mar 22, 2026

Fixes #207

Adds weekly dependency update checks for:

  • Root npm dependencies
  • Docs npm dependencies
  • GitHub Actions versions

@dli7319 dli7319 force-pushed the chore/add-dependabot branch from bfcc171 to aa0ec0b Compare March 23, 2026 16:46
@dli7319
Collaborator

dli7319 commented Mar 23, 2026

Thanks

@dli7319 dli7319 merged commit 151cf8b into google:main Mar 23, 2026
4 checks passed
@dli7319
Collaborator

dli7319 commented Mar 23, 2026

Actually, I think we'll manage it manually since this causes dependabot to spam PRs.

@ruofeidu
Collaborator

I agree, I think this is adding too many workloads for humans :(

@salmanmkc
Contributor Author

salmanmkc commented Mar 23, 2026

What about something like this? It enables setting open PR limits, etc. too so that the workload for humans can be more manageable @ruofeidu @dli7319

We can group and have them done monthly, also depending on the type of update and whether it's first party from actions vs third party actions. Example PRs it made are here: third party and first party

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "monthly"
    open-pull-requests-limit: 10
    groups:
      npm-all:
        patterns:
          - "*"

  - package-ecosystem: "npm"
    directory: "/docs"
    schedule:
      interval: "monthly"
    open-pull-requests-limit: 5
    groups:
      npm-docs-all:
        patterns:
          - "*"

  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"
    open-pull-requests-limit: 5
    groups:
      ci-actions:
        patterns:
          - "actions/*"
      third-party-actions:
        patterns:
          - "*"
        exclude-patterns:
          - "actions/*"

@dli7319
Collaborator

dli7319 commented Mar 23, 2026

I think we can just have the grouped github-actions one updated on a monthly basis.

For npm dependencies, we don't roll them up in our library so I don't feel it's worth automating it:

  1. If a dependency has no breaking changes, then the update PR is just noise since it won't affect anything.
  2. If a dependency has breaking changes (e.g. threejs), then we'll need to look into it manually anyways.

@salmanmkc
Contributor Author

> I think we can just have the grouped github-actions one updated on a monthly basis.
>
> For npm dependencies, we don't roll them up in our library so I don't feel it's worth automating it:
>
>   1. If a dependency has no breaking changes, then the update PR is just noise since it won't affect anything.
>   2. If a dependency has breaking changes (e.g. threejs), then we'll need to look into it manually anyways.

Awesome, I did a PR including npm, but just force-pushed it to be monthly third party and first party action splits, sorry about the initial spam, didn't expect it would do that all so suddenly 😄
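
Added example, not part of the original thread or the project's code: a small Python model of how the `github-actions` groups proposed above split action updates into a first-party PR and a third-party PR. It assumes Dependabot's first-matching-group rule, `*` as the only wildcard, case-insensitive matching, and owner/repo dependency names; the workflow lines are constructed.

```python
import re

# The github-actions groups from the config proposed in this thread, in file order.
GROUPS = [
    ("ci-actions", {"patterns": ["actions/*"]}),
    ("third-party-actions", {"patterns": ["*"], "exclude-patterns": ["actions/*"]}),
]

# Constructed sample of workflow lines; not taken from the repository.
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@v4
  - uses: actions/setup-node@v4
  - uses: ./.github/actions/local-build
  - uses: docker://alpine:3.20
  - uses: example-org/actions-deploy@v1
  - uses: github/codeql-action/init@v3
  - uses: github/codeql-action/analyze@v3
"""

def wildcard_match(pattern, name):
    """Match with '*' as the only wildcard; case-insensitivity is an assumption."""
    regex = ".*".join(re.escape(part) for part in pattern.lower().split("*"))
    return re.fullmatch(regex, name.lower()) is not None

def action_names(workflow_text):
    """Extract owner/repo names from 'uses:' lines, skipping local and docker refs."""
    names = set()
    for ref in re.findall(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)", workflow_text, re.M):
        if ref.startswith(("./", "docker://")):
            continue
        names.add("/".join(ref.split("@")[0].split("/")[:2]))
    return sorted(names)

def assign_groups(names, groups=GROUPS):
    """Put each name in the first group whose patterns match and excludes do not."""
    result = {group: [] for group, _ in groups}
    result["ungrouped"] = []  # these would each get their own PR
    for name in names:
        for group, rule in groups:
            included = any(wildcard_match(p, name) for p in rule.get("patterns", ["*"]))
            excluded = any(wildcard_match(p, name) for p in rule.get("exclude-patterns", []))
            if included and not excluded:
                result[group].append(name)
                break
        else:
            result["ungrouped"].append(name)
    return result

if __name__ == "__main__":
    for group, members in assign_groups(action_names(SAMPLE_WORKFLOW)).items():
        print(f"{group}: {members}")
```

Note that `example-org/actions-deploy` lands in the third-party group: `actions/*` is anchored at the start of the name, so an owner other than `actions` never matches it.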


Development

Successfully merging this pull request may close these issues.

add Dependabot for automated dependency updates