Skip to content

Group Dependabot updates into a single update block#2571

Open
joperezr wants to merge 6 commits into
mainfrom
joperezr/dependabot-grouped-updates
Open

Group Dependabot updates into a single update block#2571
joperezr wants to merge 6 commits into
mainfrom
joperezr/dependabot-grouped-updates

Conversation

@joperezr

@joperezr joperezr commented Jun 11, 2026
edited by dotnet-policy-service Bot
Loading

Copy link
Copy Markdown
Member

Summary

Replaces the 17 per-directory nuget update blocks in .github/dependabot.yml with a single update block that uses the directories: (plural) field and bundles related package updates into grouped PRs.

Motivation

Looking at Dependabot activity from the last ~7 weeks, the repo was getting 7–10 PRs per Wednesday, mostly from the same families of packages bumping together (e.g. Microsoft.DotNet.Arcade.Sdk + Helix.Sdk + GenAPI every week, and the System.* / Microsoft.Extensions.* packages every .NET monthly release).

Grouping strategy

Group Patterns Why
arcade Microsoft.DotNet.*, Microsoft.Build.Traversal Always shipped together as part of Arcade
dotnet-runtime System.*, Microsoft.Extensions.* Ship together on the .NET monthly release train
xunit xunit, xunit.* Main package + runners + analyzers update together
skiasharp SkiaSharp, SkiaSharp.* Native asset package must bump with the main one
other-minor-patch * minus the above Catch-all (e.g. UnitsNet, Microsoft.CodeAnalysis.*)

Major bumps are intentionally excluded from the groups (only minor / patch are grouped). Majors will still get individual PRs so breaking changes can be reviewed in isolation — matching the pattern we already follow when closing things like the SkiaSharp 2.x → 3.x jump.

Expected outcome

  • ~5 grouped PRs max per Wednesday instead of 7–10 individual ones.
  • No more per-directory duplication of the same package bump.
  • open-pull-requests-limit raised from 5 to 10 to leave headroom for ungrouped majors arriving alongside the groups.

Notes

  • The full list of 17 directories is preserved verbatim (no scope expansion or surprise additions). Switching to globs (e.g. /src/devices/*/tests) could be a follow-up if desired.
  • Reference: Dependabot groups docs
Microsoft Reviewers: Open in CodeFlow

joperezr and others added 6 commits June 11, 2026 08:38
@joperezr
Group Dependabot updates into a single update block
a94652b 
Replace the 17 per-directory update blocks with a single block that uses
the directories: (plural) field and 5 groups (arcade, dotnet-runtime,
xunit, skiasharp, and an other-minor-patch catch-all). Major bumps stay
ungrouped so breaking changes get individual review.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@joperezr
Use globs for dependabot directories
83ae1f6 
Replaces the explicit (and incomplete) directory list with globs:
  /samples/*, /src/devices/*/tests, /src/devices/*/samples.
This auto-tracks new device/sample projects instead of requiring
manual updates to dependabot.yml. Scope expansion: samples 5 -> 10,
device tests 8 -> 27, device samples 1 -> ~120.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@joperezr
Scan entire repo, excluding /eng/common
fd11f74 
Replace the curated directory globs with a single recursive /** entry
and a negated /eng/common/** exclusion. The previous lists were
incomplete and dropping new projects was a latent bug.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@joperezr
Collapse to a single group; ignore arcade entirely
098fd2e 
Arcade (Microsoft.DotNet.*) is updated via the arcade flow, not
Dependabot. Everything else (minor/patch) is bundled into one
all-dependencies group per week; majors still fall out as individual
PRs for breaking-change review.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@joperezr
Drop open-pull-requests-limit back to 5
0227e3a 
With one group + arcade ignored, the expected steady state is 1 grouped
PR per week plus the occasional major. 10 was leftover from when we had
5 separate groups; 5 (the original value) is plenty.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@joperezr
Group .NET runtime majors together
e93bfc6 
System.* and Microsoft.Extensions.* ship on the .NET release train, so a
major bump (e.g. 9.x -> 10.x) lands across all of them at the same time
and is best reviewed as a single PR. Move them into a dedicated
dotnet-runtime group with no update-types restriction; the all-dependencies
catch-all stays minor/patch-only for everything else.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@joperezr joperezr marked this pull request as ready for review June 11, 2026 16:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@raffaeler raffaeler raffaeler approved these changes

@pgrawehr pgrawehr pgrawehr approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@joperezr @raffaeler @pgrawehr