Skip to content

Enable libcnb Dependabot grouping#592

Merged
edmorley merged 1 commit into
mainfrom
edmorley/enable-libcnb-dependabot-grouping
Jul 7, 2026
Merged

Enable libcnb Dependabot grouping#592
edmorley merged 1 commit into
mainfrom
edmorley/enable-libcnb-dependabot-grouping

Conversation

@edmorley

@edmorley edmorley commented Jul 6, 2026

Copy link
Copy Markdown
Member

Add a libcnb Dependabot group so the libcnb-family crates (libcnb, libcnb-* and libherokubuildpack) are updated together in a single PR, rather than split across the general rust-dependencies group.

Dependabot's grouping docs state that when multiple groups are specified, the first group defined wins:
https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#groups--

In practice this is broken: PRs are compared against all groups and can end up in a later group whose settings then prevent the PR being opened - so major libcnb updates were misrouted to rust-dependencies and filtered out by its update-types: ["minor", "patch"] rule, meaning no PR was opened at all. To work around this, the groups are made non-overlapping by adding a matching exclude-patterns to rust-dependencies.

See:
dependabot/dependabot-core#11093

See also: heroku/buildpacks-nodejs#1408

The libcnb-family crate versions have also been pinned to exact versions using the = syntax, since these crates have a large impact on the behaviour of the buildpack, so we want to control their version more carefully. (We used to pin to an exact version in many CNBs in the past, but removed the pin as part of trying to work out why Dependabot wasn't updating.)

GUS-W-23329202.

Add a `libcnb` Dependabot group so the libcnb-family crates (`libcnb`,
`libcnb-*` and `libherokubuildpack`) are updated together in a single
PR, rather than split across the general `rust-dependencies` group.

Dependabot's grouping docs state that when multiple groups are
specified, the first group defined wins:
https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#groups--

In practice this is broken: PRs are compared against all groups and can
end up in a later group whose settings then prevent the PR being opened
- so major libcnb updates were misrouted to `rust-dependencies` and
filtered out by its `update-types: ["minor", "patch"]` rule, meaning no
PR was opened at all. To work around this, the groups are made
non-overlapping by adding a matching `exclude-patterns` to
`rust-dependencies`.

See:
dependabot/dependabot-core#11093

See also: heroku/buildpacks-nodejs#1408

The libcnb-family crate versions have also been pinned to exact versions
using the `=` syntax, since these crates have a large impact on the
behaviour of the buildpack, so we want to control their version more
carefully. (We used to pin to an exact version in many CNBs in the past,
but removed the pin as part of trying to work out why Dependabot wasn't
updating.)

GUS-W-23329202.
@edmorley edmorley added the skip changelog Skip the check-changelog check label Jul 6, 2026
@edmorley edmorley self-assigned this Jul 6, 2026
@edmorley edmorley marked this pull request as ready for review July 6, 2026 18:51
@edmorley edmorley requested a review from a team as a code owner July 6, 2026 18:51
@edmorley edmorley enabled auto-merge (squash) July 6, 2026 18:52
@edmorley edmorley merged commit 6b6a5ee into main Jul 7, 2026
16 of 17 checks passed
@edmorley edmorley deleted the edmorley/enable-libcnb-dependabot-grouping branch July 7, 2026 09:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

skip changelog Skip the check-changelog check

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants