1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
version: 2
updates:
- package-ecosystem: "pip"
directory: "/"
schedule:
interval: "monthly"
day: "monday"
labels:
- "part:tooling"
- "type:tech-debt"
# Default versioning-strategy. For other versioning-strategy see:
# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#versioning-strategy
versioning-strategy: auto
# Allow up to 10 open pull requests for updates to dependency versions
open-pull-requests-limit: 10
# We group patch updates as they should always work.
# We also group minor updates, as it works too for most libraries,
# typically except libraries that don't have a stable release yet (v0.x.x
# branch), so we make some exceptions for them.
# Major updates and dependencies excluded by the above groups are still
# managed, but they'll create one PR per dependency, as breakage is
# expected, so it might need manual intervention.
# Finally, we group some dependencies that are related to each other, and
# usually need to be updated together.
groups:
patch:
update-types:
- "patch"
exclude-patterns:
# pydoclint has shipped breaking changes in patch updates often
- "pydoclint"
minor:
update-types:
- "minor"
exclude-patterns:
- "async-solipsism"
- "frequenz-api-common"
- "frequenz-repo-config*"
- "grpcio"
- "grpcio-tools"
- "markdown-callouts"
- "mkdocs-gen-files"
- "mkdocs-literate-nav"
- "mkdocstrings*"
- "protobuf"
- "pydoclint"
- "pytest-asyncio"
# We group repo-config updates as it uses optional dependencies that are
# considered different dependencies otherwise, and will create one PR for
# each if we don't group them.
repo-config:
patterns:
- "frequenz-repo-config*"
mkdocstrings:
patterns:
- "mkdocstrings*"
# We group grpcio and protobuf updates together, as they need special
# handling on the pyproject.toml file because of the protobuf/grpcio
# build/runtime cross-version guarantees
grpc:
patterns:
- "grpcio"
- "grpcio-tools"
- "protobuf"
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "monthly"
day: "monday"
labels:
- "part:tooling"
- "type:tech-debt"
groups:
compatible:
update-types:
- "minor"
- "patch"
artifacts:
patterns:
- "actions/*-artifact"
- package-ecosystem: "gitsubmodule"
directory: "/"
# We only want to track updates on google api common because the
# dependencies to other submodules are also indirectly tracked by the
# python dependencies (and because the gitsubmodule dependency tracker
# doesn't support updating only to tags or following semver, see
# https://github.com/dependabot/dependabot-core/issues/1639 for details)
# We do so by explicitly ignoring the other submodules, as `ignore` all
# + `allow` one doesn't seem to work.
ignore:
- dependency-name: "submodules/frequenz-api-common"
schedule:
interval: "monthly"
day: "monday"
labels:
- "part:tooling"
- "type:tech-debt"