ci(dependabot): switch to security-only mode#327
Merged
Conversation
The previous config opened weekly version-update PRs as well as security-update PRs. The routine weekly PRs caused major-version churn (actions/checkout 3->6, Microsoft.SourceLink.GitHub 8->10, etc.) that we do not want surfaced automatically. Setting open-pull-requests-limit: 0 on each ecosystem block disables version-update PRs while keeping the ecosystem registered so security-update PRs still flow when alerts fire. The security-update grouping rules are preserved. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This was referenced Jun 2, 2026
robgruen approved these changes Jun 2, 2026
Previous revision of this branch set open-pull-requests-limit: 0 to disable all routine version-update PRs. Per follow-up review we want a single weekly grouped PR per ecosystem covering majors + minors + patches instead -- easier to review at a glance than many small PRs. - Drop open-pull-requests-limit: 0 (let routine PRs flow again) - Add nuget-all / github-actions-all groups that match every package and every update-type (major, minor, patch) -- collapses everything into one PR per ecosystem per weekly run. - Keep the security-updates groups as separate PRs so security work isn't buried in routine churn. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…osystem" This reverts commit cf83058.
Per rubber-duck review: 1. update-types: [minor, patch] is a SemVer-level filter, not an advisory severity filter. The earlier comment said "major security bumps fall through ungrouped" which conflated SemVer-major with high/critical severity. A critical CVE patched by a SemVer-patch bump IS grouped; a low CVE requiring a SemVer-major bump is not. Reworded the comments to make that explicit. 2. Added a header note listing the repo-level Settings > Code security toggles this config depends on (Dependency graph, Dependabot alerts, Dependabot security updates, Grouped security updates). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Why
Last week's first scheduled Dependabot run produced 5 PRs (#322 #323 #324 #325 #326): one grouped minor/patch bump plus 4 ungrouped majors. We want zero routine version-update PRs — only security-update PRs.
What this does
Sets open-pull-requests-limit: 0 on each ecosystem block. Per GitHub docs this disables routine version-update PRs while keeping the ecosystem registered so security-update PRs still flow when alerts fire. The applies-to: security-updates grouping rules are preserved so security PRs still consolidate.
Followup
The 4 noisy major PRs (#322 #323 #324 #325 #326) and 2 stale Jan PRs (#314 #317) were already closed. Future routine bumps will need to be made manually (or via a separate workflow); only security alerts will auto-PR.