From 80d11b2fe35f1783552da5b1bd604f8119acf6f9 Mon Sep 17 00:00:00 2001 From: "Aaron K. Clark" Date: Tue, 19 May 2026 09:25:39 -0500 Subject: [PATCH] chore(dependabot): group github-actions + docker bumps like npm does MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The npm ecosystem already bundles minor+patch dependency bumps into a single weekly PR via a `minor-and-patch` group — keeps the PR queue from fragmenting when several deps tick at once. The github-actions and docker ecosystems didn't have the same group, so every action / base-image patch was landing as its own PR. Add the same group to both, matching the existing pattern. Majors still land as separate PRs because a base-image major bump (node:26 → node:28 etc.) or a checkout-action major can carry a breaking change worth a focused review. Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/dependabot.yml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 925fa72..eb1f9d3 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -49,6 +49,16 @@ updates:
 - ci
 commit-message:
 prefix: "chore(actions)"
+ groups:
+ # Same rationale as the npm group: bundle non-major action
+ # bumps into a single weekly PR so the queue doesn't fragment.
+ # Majors stay separate (e.g. actions/checkout v4 → v5 deserves
+ # a focused review).
+ minor-and-patch:
+ applies-to: version-updates
+ update-types:
+ - "minor"
+ - "patch"

 - package-ecosystem: docker
 directory: "/"
@@ -62,3 +72,13 @@ updates:
 - docker
 commit-message:
 prefix: "chore(docker)"
+ groups:
+ # Base-image patch/minor bumps (node:26-bookworm-slim point
+ # releases, postgres:16-alpine point releases) bundle so we
+ # get one weekly Docker PR. Major-version base-image bumps
+ # remain isolated.
+ minor-and-patch:
+ applies-to: version-updates
+ update-types:
+ - "minor"
+ - "patch"
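Review bot: The `minor-and-patch` group added to the github-actions entry has no `patterns` filter, so every action the workflows use, first-party or third-party, is bundled into the same weekly PR. Each bump changes code that runs inside CI, and a multi-action PR is easier to approve without reading each upstream changelog. If third-party actions should keep getting individual review, restrict the group with `patterns:` and `- "actions/*"` so the remaining actions still arrive one PR at a time. The comment could also record what `applies-to: version-updates` implies, e.g. `# Security updates are not covered by this group and still open their own PRs.` The github-actions entry itself starts above the hunk, so how the actions are pinned is not visible here.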
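Review bot: The comment in the docker group promises bundling of `node:26-bookworm-slim` and `postgres:16-alpine` point releases, but those tags appear to carry only a major version, so there is no minor or patch component in the tag for `update-types` to match. Whether Dependabot opens any PR for such a release depends on how the Dockerfile or compose file pins the image (full version tag or digest), which is not visible in this hunk. Base-image point releases are where OS package fixes arrive, so silently missing them is the outcome to rule out. I would confirm the pinning and word the comment to match, e.g. `# Only images pinned to a full x.y.z tag produce minor/patch updates; confirm how the Dockerfiles pin.`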