Use a new grouping strategy for dependabot updates

llucax · llucax · commit 1ec55655de12 · 2025-03-27T15:03:14.000+01:00
We group patch updates as they should always work.

We also group minor updates, as it works too for most libraries,
typically except libraries that don't have a stable release yet (v0.x.x
branch), so we make some exceptions for them.

Major updates and dependencies excluded by the above groups are still
managed, but they'll create one PR per dependency, as breakage is
expected, so it might need manual intervention.

Finally, we group some dependencies that are related to each other, and
usually needs to be updated together.

Signed-off-by: Leandro Lucarella &lt;luca-frequenz@llucax.com&gt;
diff --git a/cookiecutter/{{cookiecutter.github_repo_name}}/.github/dependabot.yml b/cookiecutter/{{cookiecutter.github_repo_name}}/.github/dependabot.yml
@@ -13,23 +13,46 @@ updates:
     versioning-strategy: auto
     # Allow up to 10 open pull requests for updates to dependency versions
     open-pull-requests-limit: 10
-    # We group production and development ("optional" in the context of
-    # pyproject.toml) dependency updates when they are patch and minor updates,
-    # so we end up with less PRs being generated.
-    # Major updates are still managed, but they'll create one PR per
-    # dependency, as major updates are expected to be breaking, it is better to
-    # manage them individually.
+    # We group patch updates as they should always work.
+    # We also group minor updates, as it works too for most libraries,
+    # typically except libraries that don't have a stable release yet (v0.x.x
+    # branch), so we make some exceptions for them.
+    # Major updates and dependencies excluded by the above groups are still
+    # managed, but they'll create one PR per dependency, as breakage is
+    # expected, so it might need manual intervention.
+    # Finally, we group some dependencies that are related to each other, and
+    # usually need to be updated together.
     groups:
-      required:
-        dependency-type: "production"
+      patch:
         update-types:
-          - "minor"
           - "patch"
-      optional:
-        dependency-type: "development"
+        exclude-patterns:
+          # pydoclint has shipped breaking changes in patch updates often
+          - "pydoclint"
+      minor:
         update-types:
           - "minor"
-          - "patch"
+        exclude-patterns:
+          - "async-solipsism"
+{%- if cookiecutter.type == "api" %}
+          - "frequenz-api-common"
+{%- endif %}
+          - "frequenz-repo-config*"
+          - "markdown-callouts"
+          - "mkdocs-gen-files"
+          - "mkdocs-literate-nav"
+          - "mkdocstrings*"
+          - "pydoclint"
+          - "pytest-asyncio"
+      # We group repo-config updates as it uses optional dependencies that are
+      # considered different dependencies otherwise, and will create one PR for
+      # each if we don't group them.
+      repo-config:
+        patterns:
+          - "frequenz-repo-config*"
+      mkdocstrings:
+        patterns:
+          - "mkdocstrings*"
 
   - package-ecosystem: "github-actions"
     directory: "/"
diff --git a/tests_golden/integration/test_cookiecutter_generation/actor/frequenz-actor-test/.github/dependabot.yml b/tests_golden/integration/test_cookiecutter_generation/actor/frequenz-actor-test/.github/dependabot.yml
@@ -13,23 +13,43 @@ updates:
     versioning-strategy: auto
     # Allow up to 10 open pull requests for updates to dependency versions
     open-pull-requests-limit: 10
-    # We group production and development ("optional" in the context of
-    # pyproject.toml) dependency updates when they are patch and minor updates,
-    # so we end up with less PRs being generated.
-    # Major updates are still managed, but they'll create one PR per
-    # dependency, as major updates are expected to be breaking, it is better to
-    # manage them individually.
+    # We group patch updates as they should always work.
+    # We also group minor updates, as it works too for most libraries,
+    # typically except libraries that don't have a stable release yet (v0.x.x
+    # branch), so we make some exceptions for them.
+    # Major updates and dependencies excluded by the above groups are still
+    # managed, but they'll create one PR per dependency, as breakage is
+    # expected, so it might need manual intervention.
+    # Finally, we group some dependencies that are related to each other, and
+    # usually need to be updated together.
     groups:
-      required:
-        dependency-type: "production"
+      patch:
         update-types:
-          - "minor"
           - "patch"
-      optional:
-        dependency-type: "development"
+        exclude-patterns:
+          # pydoclint has shipped breaking changes in patch updates often
+          - "pydoclint"
+      minor:
         update-types:
           - "minor"
-          - "patch"
+        exclude-patterns:
+          - "async-solipsism"
+          - "frequenz-repo-config*"
+          - "markdown-callouts"
+          - "mkdocs-gen-files"
+          - "mkdocs-literate-nav"
+          - "mkdocstrings*"
+          - "pydoclint"
+          - "pytest-asyncio"
+      # We group repo-config updates as it uses optional dependencies that are
+      # considered different dependencies otherwise, and will create one PR for
+      # each if we don't group them.
+      repo-config:
+        patterns:
+          - "frequenz-repo-config*"
+      mkdocstrings:
+        patterns:
+          - "mkdocstrings*"
 
   - package-ecosystem: "github-actions"
     directory: "/"
diff --git a/tests_golden/integration/test_cookiecutter_generation/api/frequenz-api-test/.github/dependabot.yml b/tests_golden/integration/test_cookiecutter_generation/api/frequenz-api-test/.github/dependabot.yml
@@ -13,23 +13,44 @@ updates:
     versioning-strategy: auto
     # Allow up to 10 open pull requests for updates to dependency versions
     open-pull-requests-limit: 10
-    # We group production and development ("optional" in the context of
-    # pyproject.toml) dependency updates when they are patch and minor updates,
-    # so we end up with less PRs being generated.
-    # Major updates are still managed, but they'll create one PR per
-    # dependency, as major updates are expected to be breaking, it is better to
-    # manage them individually.
+    # We group patch updates as they should always work.
+    # We also group minor updates, as it works too for most libraries,
+    # typically except libraries that don't have a stable release yet (v0.x.x
+    # branch), so we make some exceptions for them.
+    # Major updates and dependencies excluded by the above groups are still
+    # managed, but they'll create one PR per dependency, as breakage is
+    # expected, so it might need manual intervention.
+    # Finally, we group some dependencies that are related to each other, and
+    # usually need to be updated together.
     groups:
-      required:
-        dependency-type: "production"
+      patch:
         update-types:
-          - "minor"
           - "patch"
-      optional:
-        dependency-type: "development"
+        exclude-patterns:
+          # pydoclint has shipped breaking changes in patch updates often
+          - "pydoclint"
+      minor:
         update-types:
           - "minor"
-          - "patch"
+        exclude-patterns:
+          - "async-solipsism"
+          - "frequenz-api-common"
+          - "frequenz-repo-config*"
+          - "markdown-callouts"
+          - "mkdocs-gen-files"
+          - "mkdocs-literate-nav"
+          - "mkdocstrings*"
+          - "pydoclint"
+          - "pytest-asyncio"
+      # We group repo-config updates as it uses optional dependencies that are
+      # considered different dependencies otherwise, and will create one PR for
+      # each if we don't group them.
+      repo-config:
+        patterns:
+          - "frequenz-repo-config*"
+      mkdocstrings:
+        patterns:
+          - "mkdocstrings*"
 
   - package-ecosystem: "github-actions"
     directory: "/"
diff --git a/tests_golden/integration/test_cookiecutter_generation/app/frequenz-app-test/.github/dependabot.yml b/tests_golden/integration/test_cookiecutter_generation/app/frequenz-app-test/.github/dependabot.yml
@@ -13,23 +13,43 @@ updates:
     versioning-strategy: auto
     # Allow up to 10 open pull requests for updates to dependency versions
     open-pull-requests-limit: 10
-    # We group production and development ("optional" in the context of
-    # pyproject.toml) dependency updates when they are patch and minor updates,
-    # so we end up with less PRs being generated.
-    # Major updates are still managed, but they'll create one PR per
-    # dependency, as major updates are expected to be breaking, it is better to
-    # manage them individually.
+    # We group patch updates as they should always work.
+    # We also group minor updates, as it works too for most libraries,
+    # typically except libraries that don't have a stable release yet (v0.x.x
+    # branch), so we make some exceptions for them.
+    # Major updates and dependencies excluded by the above groups are still
+    # managed, but they'll create one PR per dependency, as breakage is
+    # expected, so it might need manual intervention.
+    # Finally, we group some dependencies that are related to each other, and
+    # usually need to be updated together.
     groups:
-      required:
-        dependency-type: "production"
+      patch:
         update-types:
-          - "minor"
           - "patch"
-      optional:
-        dependency-type: "development"
+        exclude-patterns:
+          # pydoclint has shipped breaking changes in patch updates often
+          - "pydoclint"
+      minor:
         update-types:
           - "minor"
-          - "patch"
+        exclude-patterns:
+          - "async-solipsism"
+          - "frequenz-repo-config*"
+          - "markdown-callouts"
+          - "mkdocs-gen-files"
+          - "mkdocs-literate-nav"
+          - "mkdocstrings*"
+          - "pydoclint"
+          - "pytest-asyncio"
+      # We group repo-config updates as it uses optional dependencies that are
+      # considered different dependencies otherwise, and will create one PR for
+      # each if we don't group them.
+      repo-config:
+        patterns:
+          - "frequenz-repo-config*"
+      mkdocstrings:
+        patterns:
+          - "mkdocstrings*"
 
   - package-ecosystem: "github-actions"
     directory: "/"
diff --git a/tests_golden/integration/test_cookiecutter_generation/lib/frequenz-test-python/.github/dependabot.yml b/tests_golden/integration/test_cookiecutter_generation/lib/frequenz-test-python/.github/dependabot.yml
@@ -13,23 +13,43 @@ updates:
     versioning-strategy: auto
     # Allow up to 10 open pull requests for updates to dependency versions
     open-pull-requests-limit: 10
-    # We group production and development ("optional" in the context of
-    # pyproject.toml) dependency updates when they are patch and minor updates,
-    # so we end up with less PRs being generated.
-    # Major updates are still managed, but they'll create one PR per
-    # dependency, as major updates are expected to be breaking, it is better to
-    # manage them individually.
+    # We group patch updates as they should always work.
+    # We also group minor updates, as it works too for most libraries,
+    # typically except libraries that don't have a stable release yet (v0.x.x
+    # branch), so we make some exceptions for them.
+    # Major updates and dependencies excluded by the above groups are still
+    # managed, but they'll create one PR per dependency, as breakage is
+    # expected, so it might need manual intervention.
+    # Finally, we group some dependencies that are related to each other, and
+    # usually need to be updated together.
     groups:
-      required:
-        dependency-type: "production"
+      patch:
         update-types:
-          - "minor"
           - "patch"
-      optional:
-        dependency-type: "development"
+        exclude-patterns:
+          # pydoclint has shipped breaking changes in patch updates often
+          - "pydoclint"
+      minor:
         update-types:
           - "minor"
-          - "patch"
+        exclude-patterns:
+          - "async-solipsism"
+          - "frequenz-repo-config*"
+          - "markdown-callouts"
+          - "mkdocs-gen-files"
+          - "mkdocs-literate-nav"
+          - "mkdocstrings*"
+          - "pydoclint"
+          - "pytest-asyncio"
+      # We group repo-config updates as it uses optional dependencies that are
+      # considered different dependencies otherwise, and will create one PR for
+      # each if we don't group them.
+      repo-config:
+        patterns:
+          - "frequenz-repo-config*"
+      mkdocstrings:
+        patterns:
+          - "mkdocstrings*"
 
   - package-ecosystem: "github-actions"
     directory: "/"
diff --git a/tests_golden/integration/test_cookiecutter_generation/model/frequenz-model-test/.github/dependabot.yml b/tests_golden/integration/test_cookiecutter_generation/model/frequenz-model-test/.github/dependabot.yml
@@ -13,23 +13,43 @@ updates:
     versioning-strategy: auto
     # Allow up to 10 open pull requests for updates to dependency versions
     open-pull-requests-limit: 10
-    # We group production and development ("optional" in the context of
-    # pyproject.toml) dependency updates when they are patch and minor updates,
-    # so we end up with less PRs being generated.
-    # Major updates are still managed, but they'll create one PR per
-    # dependency, as major updates are expected to be breaking, it is better to
-    # manage them individually.
+    # We group patch updates as they should always work.
+    # We also group minor updates, as it works too for most libraries,
+    # typically except libraries that don't have a stable release yet (v0.x.x
+    # branch), so we make some exceptions for them.
+    # Major updates and dependencies excluded by the above groups are still
+    # managed, but they'll create one PR per dependency, as breakage is
+    # expected, so it might need manual intervention.
+    # Finally, we group some dependencies that are related to each other, and
+    # usually need to be updated together.
     groups:
-      required:
-        dependency-type: "production"
+      patch:
         update-types:
-          - "minor"
           - "patch"
-      optional:
-        dependency-type: "development"
+        exclude-patterns:
+          # pydoclint has shipped breaking changes in patch updates often
+          - "pydoclint"
+      minor:
         update-types:
           - "minor"
-          - "patch"
+        exclude-patterns:
+          - "async-solipsism"
+          - "frequenz-repo-config*"
+          - "markdown-callouts"
+          - "mkdocs-gen-files"
+          - "mkdocs-literate-nav"
+          - "mkdocstrings*"
+          - "pydoclint"
+          - "pytest-asyncio"
+      # We group repo-config updates as it uses optional dependencies that are
+      # considered different dependencies otherwise, and will create one PR for
+      # each if we don't group them.
+      repo-config:
+        patterns:
+          - "frequenz-repo-config*"
+      mkdocstrings:
+        patterns:
+          - "mkdocstrings*"
 
   - package-ecosystem: "github-actions"
     directory: "/"
