Grouping dependencies for dependabot PR #2152

Open
1 task
ruanxin opened this issue Dec 27, 2024 · 0 comments
Labels
area/quality Related to all activites around quality

ruanxin commented Dec 27, 2024

By default, Dependabot creates an individual PR for each dependency; after one gets merged, all the others have to be rebased and go through all tests again, which brings a longer waiting time for keeping them up to date. The worse case is that some dependent library does not get updated in the same batch, which may bring inconsistencies, for example with the k8s.io related libraries.

For this concern, the Dependabot configuration has actually introduced the groups concept since 2023, which can group dependencies by naming patterns.

Now, in your dependabot.yml configuration file, you can set custom grouping rules for Dependabot based on pattern matching on package names. Here is an example of how these rules can be set up:

```yaml
version: 2
updates:
  - package-ecosystem: "bundler"
    directory: "/"
    schedule:
      interval: weekly
    # New!
    groups:
      # This is the name of your group, it will be used in PR titles and branch names
      dev-dependencies:
        # A pattern can be...
        patterns:
          - "rubocop" # a single dependency name
          - "aws*"    # or a wildcard string that matches multiple dependencies
          # If you'd simply like to group as many dependencies together as possible,
          # you can use the wildcard * - but keep in mind this may open a very large PR!
        # Additionally, you can specify any dependencies to be excluded from the group
        exclude-patterns:
          - "aws-sdk"
```

This configuration applies to regularly scheduled Dependabot version updates only. Security updates for Dependabot will continue to open as individual pull requests, even if they match a configured grouping rule.

Group candidates

  • k8s.io/api v0.32.0
  • k8s.io/apiextensions-apiserver v0.32.0
  • k8s.io/apimachinery v0.32.0
  • k8s.io/cli-runtime v0.32.0
  • k8s.io/client-go v0.32.0
  • k8s.io/kubectl v0.32.0
  • istio.io/api v1.24.2
  • istio.io/client-go v1.24.2
  • github.com/onsi/ginkgo/v2
  • github.com/onsi/gomega

Reference

https://github.blog/news-insights/product-news/a-faster-way-to-manage-version-updates-with-dependabot/

AC

  • introduce groups to all managed repos
@ruanxin ruanxin added the area/quality Related to all activites around quality label Dec 27, 2024
@amritanshusikdar amritanshusikdar self-assigned this Jan 23, 2025
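A dependabot.yml that applies the grouping described above to the listed candidates, as an added example (not configuration from the issue or the project); it assumes a single Go module at the repository root and a weekly schedule:

```yaml
# Added example: group the k8s.io, istio.io and onsi test modules so each
# family is bumped in one PR and cannot drift to mixed versions.
# Assumptions: Go module at "/", weekly schedule.
version: 2
updates:
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      # api, apimachinery, client-go, kubectl, ... always move together
      k8s:
        patterns:
          - "k8s.io/*"
      # istio.io/api and istio.io/client-go are released in lockstep
      istio:
        patterns:
          - "istio.io/*"
      # test framework and matcher library are updated as one
      ginkgo-gomega:
        patterns:
          - "github.com/onsi/ginkgo/v2"
          - "github.com/onsi/gomega"
```

Security updates still open as individual PRs even when a dependency matches one of these groups, so a grouped version-update PR and a separate security PR for the same module can coexist and need to be reconciled in review.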