Use grouped version updates for Dependabot

[shenxianpeng]

What's the problem this feature will solve?

There are many pull requests for python dependency updates created by dependabot and then they are closed by github/ composite-prs, see #15907, and there are also a lot of notifications generated for watchers of the project.

Describe the solution you'd like

It may be best to use grouped version updates for Dependabot

As mentioned above is this README, a core reason why this Action exists is to "combine multiple Dependabot PRs into one". Work for this Action was completed before the GitHub Blog Post was published and the Dependabot Grouped Version Updates feature was released.

And it also be mentioned in the README page of combine-prs as above.

For example if use groups, it will be work like this: jenkinsci/kubernetes-operator#1004

I see that groups seems to be used in dependabot.yml, but not for against all python dependencies, not sure why? and it doesn't seem to work. Maybe I'm mistaken.

warehouse/.github/dependabot.yml

Line 21 in fd49325

groups:

[miketheman]

Hi @shenxianpeng !

Thanks for the suggestion - as you can see, we use the groups specifically for dependencies that should be updated together.

Thanks for sharing the jenkinsci link - beyond that example, can you share your experience with grouped updates?

Is the main issue here that you're receiving many notifications? That's something you can tailor on your end - wither by changing the Watching settings, or even applying an email filter.

[shenxianpeng]

Hi @miketheman thanks for your reply!

In my view, the main problem is that a large number of pull requests are created and closed for each bump. The more natural way would be to create a pull request with grouped updates and then review and merge them. Using the groups function would be more elegant than using github/ composite-prs.

[miketheman]

Hey @shenxianpeng ! Thanks for the perspective.

I don't have time to tinker with this right now, but if you wanted to send a pull request with the desired changes, I'll gladly take a look.

[shenxianpeng]

Yes. I will @miketheman

[miketheman]

After merging the changes, I've both seen the automatic job run as well as a manual trigger - and they both time out after ~1 hour.

Individual updates take about ~3-4 minutes to run.

Here's a docs section on timeouts and what to do for them: https://docs.github.com/en/code-security/dependabot/working-with-dependabot/troubleshooting-dependabot-errors#dependabot-timed-out-during-its-update

It may be best us to revert the changes for now and restore the manual combine job.

[shenxianpeng]

It may be best us to revert the changes for now and restore the manual combine job.

Yes, agree. sorry for the inconvenience. I'll use the fork repository of warehouse to look at that later.