# Please see the documentation for all configuration options:
# https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
version: 2
updates:
# Weekly version updates for the GitHub Actions referenced by this repository.
- package-ecosystem: 'github-actions'
  directory: '/'
  # NOTE(review): GitHub's documentation says that once target-branch is set,
  # this entry's settings stop applying to security-update pull requests.
  # If 'main' is already the default branch, confirm whether this key is needed.
  target-branch: 'main'
  labels: ['dependencies', 'github-actions']
  schedule:
    interval: 'weekly'
    day: 'monday'
    time: '09:00'
    timezone: 'Asia/Hong_Kong'
  groups:
    # One combined PR carries the minor and patch bumps of every action.
    # Major bumps match no group, so each is raised as its own PR.
    github-actions:
      patterns: ['*']
      update-types: ['minor', 'patch']
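# Rust/Cargo updates
- package-ecosystem: "cargo"
  directory: "/"
  schedule:
    interval: "weekly"
    day: "monday"
    time: "09:00"
    timezone: "Asia/Hong_Kong"
  # Group related updates to reduce PR noise.
  # Groups govern version updates by default; security-update PRs are only
  # grouped when a group sets applies-to: security-updates.
  groups:
    # Production dependencies: minor/patch updates share one combined PR.
    # Crates matching exclude-patterns stay out of the group, so each of
    # their updates is raised as an individual PR.
    cargo-production:
      dependency-type: "production"
      update-types:
        - "minor"
        - "patch"
      exclude-patterns:
        - "tokio*"
        - "clap*"
        - "reqwest*"
    # Major updates: a group batches its members into ONE pull request, so
    # production majors arrive together (separate from the minor/patch PR),
    # not as one PR per crate. Remove this group if per-crate review of
    # major bumps is what is wanted.
    # NOTE(review): versioning-strategy "lockfile-only" below skips any new
    # version that needs a Cargo.toml change, which most major bumps do, so
    # this group may rarely match. Confirm that is intended.
    cargo-major:
      dependency-type: "production"
      update-types:
        - "major"
  labels:
    - "dependencies"
    - "rust"
  # NOTE(review): GitHub's documentation says that once target-branch is set,
  # this entry's settings stop applying to security-update pull requests.
  # If "main" is already the default branch, confirm whether this key is needed.
  target-branch: "main"
  # Allow up to 10 open version-update PRs (to avoid overwhelming reviewers)
  open-pull-requests-limit: 10
  # Auto-rebase when base branch changes
  rebase-strategy: "auto"
  # Only Cargo.lock is updated; version requirements in Cargo.toml are left
  # untouched, so fixes published outside the declared ranges are not proposed
  # by version updates.
  versioning-strategy: "lockfile-only"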