Conversation

@mohammed90
Member

This should address the noise reported in #7077

Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
@mholt
Member

mholt commented Jun 18, 2025

Thanks! But, uh, won't this actually just pile up all the noise for a big dump monthly? 😅

@mohammed90
Member Author

Well, want to do weekly? I dislike dependabot as much as you do, but... I don't know man, FOSS brownie points oughta be collected 🫠

@mholt
Member

mholt commented Jun 18, 2025

Haha... well... I guess I just kind of want to update dependencies either:

  • In one PR, but I want to be able to have the bot make changes to specific dependencies
  • Or just when we choose to upgrade them. If there's a security significant release, maybe it can notify us of that in an issue instead?

What do you think?

@mohammed90
Member Author

> Haha... well... I guess I just kind of want to update dependencies either:
>
> * In one PR, but I want to be able to have the bot make changes to specific dependencies
>
> * Or just when we choose to upgrade them. If there's a _security_ significant release, maybe it can notify us of that in an issue instead?
>
> What do you think?

That sounds good. I like it. I think Renovate is more suited for this flow. I see we can configure it to do the following:

  • We can configure it to ignore indirect deps (add a packageRule with matchDepTypes having indirect and enabled set to false)
  • Group all PRs into 1 (ref)
  • Creates a "Dependency Dashboard" issue waiting for our instruction (see live example: Dependency Dashboard hacdias/webdav#238 -- sorry for the notification hacdias 🙂 )

Its configuration seems more convoluted though, or maybe that's just my unfamiliarity speaking.

@mholt
Member

mholt commented Jul 15, 2025

It sounds like Dependabot might have recently added support for "multi-ecosystem" in a single PR, I wonder if it could work for single ecosystem too.

@mohammed90
Member Author

Great! Seeing the incoming PRs for the past period, I feel like I should configure it to group them as:

  • Caddy deps
  • GitHub Actions

So CI updates are only CI upgrades, and the same for core project deps.
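
One way to express the grouping described above in a Dependabot configuration. This is an added example, not the file from this pull request or from the Caddy repository; the group names, the monthly interval and the `direct` dependency-type filter are assumptions chosen to match the discussion (indirect Go modules are excluded from version updates, as the thread wants, while security updates still arrive as separate PRs):

```yaml
# .github/dependabot.yml (example, not the project's own file)
version: 2
updates:
  # Core project dependencies: every Go module update lands in one PR.
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "monthly"   # assumed cadence; "weekly" was also floated in the thread
    groups:
      caddy-deps:           # assumed group name
        dependency-type: "direct"   # skip indirect modules, as discussed for Renovate
        patterns:
          - "*"
  # CI workflow actions: grouped separately so CI bumps never mix with code deps.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"
    groups:
      github-actions:       # assumed group name
        patterns:
          - "*"
```

Dependabot security updates are not governed by `groups` here, so a fix for a vulnerable module still opens its own PR (or, if version updates are disabled for an ecosystem, only security PRs are opened), which is the "notify us on security releases" behaviour the thread asks for.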

Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
@mholt mholt left a comment (Member)

Rock on, let's give this a shot! Thanks for figuring this out!

@mholt mholt merged commit b7ae39e into master Jul 24, 2025
26 checks passed
@mholt mholt deleted the dependabot-spam branch July 24, 2025 22:40
@francislavoie francislavoie added this to the v2.10.1 milestone Aug 22, 2025
mohammed90 added a commit to cedricziel/caddy that referenced this pull request Aug 29, 2025
* ci: reduce dependabot spam

Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>

* group actions deps

Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>

---------

Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>

Labels

CI/CD 🔩 Automated tests, releases


3 participants