fix(deps): correct dependabot config #2306
Merged
Retina Code Coverage Report: Total coverage no change
c9096a6 to e39f87c
Drop cooldown.semver-major-days from the docker and github-actions blocks. Dependabot rejects the whole config at parse time because semver-major-days is only valid for ecosystems with a real semver model (gomod, npm).

Add group-by: dependency-name to each Docker family group so the same base image bump across /controller, /operator, /cli, /shell, /test/image, and /hack/tools/* lands in a single PR instead of one per Dockerfile. Without it, the family patterns only deduplicate within a single directory job.

Signed-off-by: Quang Nguyen <nguyenquang@microsoft.com>
e39f87c to 703932b
This was referenced May 13, 2026
slariviere pushed a commit to slariviere/retina that referenced this pull request May 14, 2026
…ft#2348)

# Description

The `group-by: dependency-name` directive added to all four Docker family groups in microsoft#2306 turns out to be broken by two open upstream bugs in `dependabot/dependabot-core`:

- [#14780](dependabot/dependabot-core#14780) — PRs created with `group-by: dependency-name` can't be rebased; every `@dependabot rebase` returns "unknown group has been removed from your config" and the PR is permanently stuck.
- [#14286](dependabot/dependabot-core#14286) — `group-by: dependency-name` produces one PR per dependency rather than a single grouped PR, defeating the consolidation goal entirely.

In practice this caused every per-directory Docker bump after microsoft#2306 to fail with `unknown_error` (seen in run [25821608265](https://github.com/microsoft/retina/actions/runs/25821608265)) and forced manual closure of ~12 stuck PRs.

Drop the directive on all four Docker groups. The `patterns:` definitions stay, so per-directory grouping still applies and per-image PRs continue to land as before microsoft#2306.

## Related Issue

Reverts the `group-by` addition from microsoft#2306. No closing trailer — microsoft#2306's other change (dropping invalid `cooldown.semver-major-days`) is preserved.

## Checklist

- [x] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview).
- [x] I signed and signed-off the commits (`git commit -S -s ...`).
- [x] I have correctly attributed the author(s) of the code.
- [x] I have tested the changes locally.
- [x] I have followed the project's style guidelines.
- [ ] I have updated the documentation, if necessary.
- [ ] I have added tests, if applicable.

## Screenshots (if applicable) or Testing Completed

N/A — config-only change. Behavior reverts to the pre-microsoft#2306 baseline, which was already running cleanly.

## Additional Notes

N/A.

Signed-off-by: Quang Nguyen <nguyenquang@microsoft.com>
Description
Two fixes to `.github/dependabot.yaml`:

- Drop `cooldown.semver-major-days` from the docker and github-actions blocks. Dependabot rejects the whole config at parse time because `semver-major-days` is only valid for ecosystems with a real semver model (gomod, npm). `default-days` stays.
- Group docker base image bumps across directories. Add `group-by: "dependency-name"` to each Docker family group (`golang-base`, `azurelinux-base`, `windows-base`, `ubuntu-base`) so the same base image bump across `/controller`, `/operator`, `/cli`, `/shell`, `/test/image`, and `/hack/tools/*` lands in a single PR instead of one per Dockerfile. Without it, the family patterns only deduplicate within a single directory job.

Related Issue
N/A.
Checklist
Screenshots (if applicable) or Testing Completed
N/A — config-only change.
Additional Notes
N/A.
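
A pre-merge check for the parse failure this PR fixes, as an added example that is not part of the pull request or the Retina repository: it takes an already-parsed `dependabot.yaml` (a dict, as a YAML loader would return) and flags `cooldown.semver-*-days` keys under the ecosystems the description names as rejecting them. The ecosystem set comes from the PR text; the function name `lint_cooldown`, the sample config, and the extension to the minor/patch sibling keys are assumptions of this example.

```python
# Added example: lint a parsed .github/dependabot.yaml before merging.
# Assumption (taken from the PR text): the docker and github-actions
# ecosystems reject cooldown.semver-*-days; only default-days is valid there.
NO_SEMVER_COOLDOWN = {"docker", "github-actions"}
SEMVER_KEYS = ("semver-major-days", "semver-minor-days", "semver-patch-days")


def lint_cooldown(config):
    """Return (index, ecosystem, directory, key) for each offending key."""
    findings = []
    for i, update in enumerate(config.get("updates") or []):
        eco = update.get("package-ecosystem")
        if eco not in NO_SEMVER_COOLDOWN:
            continue
        # "cooldown:" may be absent or present with no value (None).
        cooldown = update.get("cooldown") or {}
        where = update.get("directory") or update.get("directories")
        for key in SEMVER_KEYS:
            if key in cooldown:
                findings.append((i, eco, where, key))
    return findings


# Constructed sample shaped like a YAML loader's output; not the Retina file.
SAMPLE = {
    "version": 2,
    "updates": [
        {"package-ecosystem": "gomod", "directory": "/",
         "cooldown": {"default-days": 7, "semver-major-days": 30}},
        {"package-ecosystem": "docker", "directory": "/controller",
         "cooldown": {"default-days": 7, "semver-major-days": 30}},
        {"package-ecosystem": "github-actions", "directory": "/",
         "cooldown": {"default-days": 7}},
    ],
}

if __name__ == "__main__":
    for idx, eco, where, key in lint_cooldown(SAMPLE):
        print(f"updates[{idx}] ({eco}, {where}): remove cooldown.{key}")
```

Because one invalid key makes Dependabot reject the whole file, a single finding should fail the check rather than warn.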