[Feature Request]: Improve dependabot.yml for better automated package management
Closed this issue · 2 comments
doganozturk commented
### Describe the problem or use case
The current dependabot.yml configuration is very simple. Many PRs are being opened simultaneously, creating an overhead for managing package updates. We should implement a better solution.
### Proposed solution
```yaml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
    reviewers:
      - "Trendyol/baklava"
    allow:
      - dependency-type: "direct"
    rebase-strategy: "auto"
    groups:
      lit:
        patterns:
          - "lit"
          - "@lit/*"
      pre-commit:
        patterns:
          - "@commitlint/*"
          - "lint-staged"
          - "husky"
      build:
        patterns:
          - "esbuild"
          - "esbuild-plugin-lit-css"
          - "minimist"
          - "clean-css"
          - "del"
          - "del-cli"
          - "globby"
          - "pascal-case"
          - "npm-run-all"
          - "@custom-elements-manifest/analyzer"
      test:
        patterns:
          - "@open-wc/*"
          - "@web/*"
          - "sinon"
          - "rollup-plugin-lit-css"
          - "@rollup/plugin-replace"
      lint-and-format:
        patterns:
          - "eslint*"
          - "@typescript-eslint/*"
          - "prettier"
          - "@trivago/prettier-plugin-sort-imports"
          - "@types/*"
          - "stylelint*"
      typescript:
        patterns:
          - "typescript"
          - "ts-lit-plugin"
      storybook:
        patterns:
          - "storybook"
          - "@storybook/*"
          - "chromatic"
      react:
        patterns:
          - "react"
          - "react-dom"
          - "@lit-labs/react"
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
    reviewers:
      - "Trendyol/baklava"
    rebase-strategy: "auto"
```
### Alternatives considered
_No response_
### Additional technical context
- Continue with the weekly interval for npm and GitHub Actions, as before.
- There will be a max of 5 open PRs for both ecosystems at the same time. (Currently, there is no limit)
- Assign random reviewers directly under the Trendyol/baklava team. (Currently, no reviewers are assigned)
- PRs will only be opened for updates to direct dependencies that are referenced in our package.json. (Currently, security and version update PRs are also opened for indirect dependencies in package-lock.json)
- Opened PRs will auto-rebase when the next branch is updated. (Currently, this does not happen)
- For npm updates, related packages will be grouped together, and updates within the group will be done in a single PR. I tried to create logical groupings based on function, but you may find this to be overkill. Let's keep or remove it based on your comments.
- Although we trust our verification process, I have not activated automerge yet. We can consider activating it in the future if it proves reliable.
- PRs will be opened for major, minor, and patch updates. There may be breakages due to major updates, but at least we'll see them and can take action by adding tasks to the roadmap.
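The grouping proposed above can be checked against a manifest to see which direct dependencies fall outside every group and which patterns match nothing. This is an added example, not part of the original issue or the project's code; it assumes Dependabot's `*` wildcard behaves like a shell glob and that a dependency joins the first matching group in file order, and the sample manifest (including the hypothetical `example-*` names and `0.0.0` versions) is constructed.

```python
import json
from fnmatch import fnmatchcase

# Group patterns copied from the proposed dependabot.yml above.
GROUPS = {
    "lit": ["lit", "@lit/*"],
    "pre-commit": ["@commitlint/*", "lint-staged", "husky"],
    "build": ["esbuild", "esbuild-plugin-lit-css", "minimist", "clean-css", "del",
              "del-cli", "globby", "pascal-case", "npm-run-all",
              "@custom-elements-manifest/analyzer"],
    "test": ["@open-wc/*", "@web/*", "sinon", "rollup-plugin-lit-css",
             "@rollup/plugin-replace"],
    "lint-and-format": ["eslint*", "@typescript-eslint/*", "prettier",
                        "@trivago/prettier-plugin-sort-imports", "@types/*", "stylelint*"],
    "typescript": ["typescript", "ts-lit-plugin"],
    "storybook": ["storybook", "@storybook/*", "chromatic"],
    "react": ["react", "react-dom", "@lit-labs/react"],
}

# Constructed sample manifest; names prefixed "example-" are hypothetical.
SAMPLE_PACKAGE_JSON = """{
  "dependencies": {"lit": "0.0.0", "@lit-labs/react": "0.0.0", "example-runtime-lib": "0.0.0"},
  "devDependencies": {"eslint-plugin-lit": "0.0.0", "@web/test-runner": "0.0.0",
                      "typescript": "0.0.0", "example-release-tool": "0.0.0"}
}"""

def assign_group(name, groups=GROUPS):
    """Return the first group (in file order) with a pattern matching name, else None."""
    for group, patterns in groups.items():
        if any(fnmatchcase(name, pattern) for pattern in patterns):
            return group
    return None

def audit(package_json_text, groups=GROUPS):
    """Map each direct dependency to its group; list ungrouped deps and unused patterns."""
    manifest = json.loads(package_json_text)
    names = sorted({n for key in ("dependencies", "devDependencies", "peerDependencies",
                                  "optionalDependencies") for n in manifest.get(key, {})})
    assigned = {name: assign_group(name, groups) for name in names}
    ungrouped = [name for name, group in assigned.items() if group is None]
    unused = [(g, p) for g, pats in groups.items() for p in pats
              if not any(fnmatchcase(n, p) for n in names)]
    return assigned, ungrouped, unused

if __name__ == "__main__":
    assigned, ungrouped, unused = audit(SAMPLE_PACKAGE_JSON)
    for name, group in assigned.items():
        print(f"{name:24} -> {group or 'individual PR'}")
    print("ungrouped:", ungrouped)
    print("patterns matching nothing:", len(unused))
```

Dependencies reported as ungrouped still receive their own pull requests and count toward `open-pull-requests-limit`.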
github-actions commented
🎉 This issue has been resolved in version 3.0.0-beta.25 🎉
The release is available on:
Your semantic-release bot 📦🚀
github-actions commented
🎉 This issue has been resolved in version 3.2.0 🎉
The release is available on:
Your semantic-release bot 📦🚀