92ed9d50e9
We have grouped security updates enabled by default at the org level, however when a repo defines its own `dependabot.yml` it will override the org's defaults. We don't currently define any grouping for security updates, hence why we have so many outstanding dependabot PRs. This adds 3 new groups: * A security group, to re-enable grouped security updates. * A docker group, to bump core Docker dependencies like buildx, buildkit, etc. * An "other" group as a catch-all for everything else. AFAICT there's no way to have Dependabot _only_ bump versions for Pulumi & Docker dependencies, so just dump everything else in here. The existing pulumi group stopped receiving updates for some reason but [seems to be working](https://github.com/pulumi/pulumi-docker-build/pull/111) again after I re-opened one of the closed PRs.
25 lines
482 B
YAML
25 lines
482 B
YAML
version: 2
|
|
updates:
|
|
- package-ecosystem: gomod
|
|
directory: /
|
|
schedule:
|
|
interval: daily
|
|
groups:
|
|
pulumi:
|
|
patterns:
|
|
- "github.com/pulumi/*"
|
|
docker:
|
|
patterns:
|
|
- "github.com/docker/*"
|
|
- "github.com/moby/*"
|
|
security:
|
|
applies-to: security-updates
|
|
patterns:
|
|
- "*"
|
|
other:
|
|
patterns:
|
|
- "*"
|
|
labels:
|
|
- dependencies
|
|
- impact/no-changelog-required
|