From c5aaacaeaea4f7d607fb3cdaec28675427c271d1 Mon Sep 17 00:00:00 2001
From: unix-oidc Developers
Date: Mon, 4 May 2026 16:19:38 -0400
Subject: [PATCH] chore(deps): scope grouped dependabot PRs to minor+patch only
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Limit all five dependabot groups (rust-all, actions-all, python-all, go-all, java-all) to minor + patch updates. Major bumps now arrive as individual PRs. This prevents a breaking-API major from masking the rest of a grouped PR — most recently `hmac 0.12 → 0.13` removed `Hmac::new_from_slice` inherent and broke the entire rust-all bundle, forcing the whole group to be closed instead of merged.
---
 .github/dependabot.yml | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 05e8f0e..1cbcaad 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -16,10 +16,15 @@ updates:
 commit-message:
 prefix: "deps(rust)"
 groups:
- # Group ALL Rust updates into a single PR for manual review
+ # Group minor + patch Rust updates into a single PR; majors stay
+ # individual so a breaking API change (e.g. hmac 0.12 → 0.13) doesn't
+ # mask the rest of the group.
 rust-all:
 patterns:
 - "*"
+ update-types:
+ - "minor"
+ - "patch"
 
 # GitHub Actions
 - package-ecosystem: "github-actions"
@@ -37,6 +42,9 @@ updates:
 actions-all:
 patterns:
 - "*"
+ update-types:
+ - "minor"
+ - "patch"
 
 # Python DPoP library
 - package-ecosystem: "pip"
@@ -54,6 +62,9 @@ updates:
 python-all:
 patterns:
 - "*"
+ update-types:
+ - "minor"
+ - "patch"
 
 # Go DPoP library
 - package-ecosystem: "gomod"
@@ -71,6 +82,9 @@ updates:
 go-all:
 patterns:
 - "*"
+ update-types:
+ - "minor"
+ - "patch"
 
 # Java DPoP library (Gradle)
 - package-ecosystem: "gradle"
@@ -88,3 +102,6 @@ updates:
 java-all:
 patterns:
 - "*"
+ update-types:
+ - "minor"
+ - "patch"
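Review bot: The new comment on `rust-all` says majors stay individual so a break like hmac 0.12 → 0.13 cannot mask the group, but that bump changes only the second version component, and as far as I know Dependabot decides `update-types` by position, so it would count as `minor` and still land in the grouped PR; this is worth confirming against Dependabot's behaviour before relying on it. Most 0.x crates signal breaking changes this way, and for a crate like hmac the grouped PR is also where a behavioural change in crypto code gets the least individual review. Consider carving such crates out with `exclude-patterns:` and `- "hmac"` under `rust-all`, and wording the comment as `# semver-major bumps stay individual; 0.x breaking bumps are still grouped as "minor"`. The same positional rule would apply to any pre-1.0 dependencies in the python-all, go-all and java-all hunks. The `updates:` entry starts above this hunk, so any existing ignore or exclude rules are not visible here.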
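Review bot: For `actions-all`, whether this group still catches anything depends on how the workflows reference actions, which this hunk does not show. If they use major tags such as `@v4` (a constructed example), nearly every Dependabot proposal is a major bump, so the group would stay empty and each action update would arrive as its own PR; if they are pinned to commit SHAs with a version comment, minor and patch grouping should work as intended. A one-line comment above `update-types:` stating the pinning convention, e.g. `# actions are pinned by SHA; minor/patch releases are grouped`, would make the intent checkable.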