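# Dependabot configuration: two weekly update streams, one for Cargo
# crates and one for GitHub Actions workflow references.
version: 2
updates:
  # Rust crate dependencies (Cargo.toml + Cargo.lock).
  - package-ecosystem: "cargo"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
      - "rust"
    commit-message:
      prefix: "chore(deps)"
      include: "scope"
    groups:
      # Bundle dev-dep updates together — RocksDB / SQLite / proptest
      # / criterion bumps don't ship to users, so one combined PR is
      # less noise than five. Only development dependencies are
      # grouped; every other crate update still gets its own PR.
      dev-deps:
        dependency-type: "development"

  # GitHub Actions workflow dependencies (uses: actions/*@vX, etc).
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 3
    labels:
      - "dependencies"
      - "ci"
    commit-message:
      prefix: "chore(ci)"
      include: "scope"
    ignore:
      # `dtolnay/rust-toolchain@1.82` is NOT a regular action version
      # bump — the tag IS our MSRV. The MSRV CI job must keep
      # pinning to whatever version Cargo.toml's `rust-version`
      # says (currently 1.82). Bumping it would silently invalidate
      # the MSRV claim. An MSRV change is made deliberately, in one
      # PR that updates Cargo.toml, this file, and the workflow tag.
      #
      # NOTE(review): with no `versions` or `update-types` filter,
      # this entry suppresses every update PR Dependabot would open
      # for this action, so the pin has to be reviewed by hand.
      - dependency-name: "dtolnay/rust-toolchain"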