From 92ed9d50e9e2ae5437b24ea9f0fa446b9ed72b96 Mon Sep 17 00:00:00 2001
From: Bryce Lampe
Date: Tue, 18 Jun 2024 12:43:28 -0700
Subject: [PATCH] Re-enable grouping for dependabot security updates (#112)

We have grouped security updates enabled by default at the org level; however, when a repo defines its own `dependabot.yml` it will override the org's defaults. We don't currently define any grouping for security updates, hence why we have so many outstanding dependabot PRs.

This adds 3 new groups:

* A security group, to re-enable grouped security updates.
* A docker group, to bump core Docker dependencies like buildx, buildkit, etc.
* An "other" group as a catch-all for everything else. AFAICT there's no way to have Dependabot _only_ bump versions for Pulumi & Docker dependencies, so just dump everything else in here.

The existing pulumi group stopped receiving updates for some reason but [seems to be working](https://github.com/pulumi/pulumi-docker-build/pull/111) again after I re-opened one of the closed PRs.
---
 .github/dependabot.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 3332f19..0fed56c 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -8,6 +8,17 @@ updates: pulumi: patterns: - "github.com/pulumi/*" + docker: + patterns: + - "github.com/docker/*" + - "github.com/moby/*" + security: + applies-to: security-updates + patterns: + - "*" + other: + patterns: + - "*" labels: - dependencies - impact/no-changelog-required
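Review bot: the `"*"` pattern on the new `other` group overlaps the `pulumi` and `docker` patterns in the same hunk, so correctness depends on group order: as I understand the `groups` semantics, a dependency that matches several groups is assigned to the first group that matches it, which is why `other` must remain the last group in this list; a one-line comment above `other:` saying so would keep a later edit from reordering it. The `security` group is not affected by that overlap only because it carries `applies-to: security-updates`, while the three groups without `applies-to` default to version updates, so the two `"*"` patterns do not collide. One caveat worth a follow-up: `other` will fold every remaining dependency, major bumps included, into a single PR, so one breaking bump can hold up the whole batch and bury the rest of the changes in a large diff; adding `update-types: ["minor", "patch"]` to `other` and letting majors arrive as their own PRs keeps the batch mergeable and leaves each risky bump reviewable on its own.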