Fix dependabot configuration

Apply correct labeling and filtering for security updates.
apache · Nov 21, 2024 · ef4cdd5 · ef4cdd5
1 parent 7d33d93
commit ef4cdd5
Showing 1 changed file with 34 additions and 18 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -9,13 +9,21 @@ updates:
   # This configuration is used for security-critical dependency updates.
   - package-ecosystem: "gradle"
     directory: "/"
+    # Add target-branch as a workaround to allow two configurations of
+    # the same package-ecosystem, directory and branch
+    target-branch: main
     schedule:
       interval: "daily"
     commit-message:
       prefix: "[SECURITY]"
     labels:
       - "dependencies"
-      - "security"
+      - "cat:security"
+    groups:
+      all-dependencies:
+        applies-to: security-updates
+        patterns:
+          - "*"
 
   # 2. Non-security updates (bi-weekly, max 100 PRs)
   # This configuration is used for regular dependency updates.
@@ -30,38 +38,46 @@ updates:
       prefix: "[DEPENDENCY]"
     labels:
       - "dependencies"
-      - "non-security"
     open-pull-requests-limit: 100
     groups:
       # Group calcite dependencies together in same PR
       calcite:
+        applies-to: version-updates
         patterns:
           - "org.apache.calcite*"
       # Group httpcomponents dependencies together in same PR
       httpcomponents:
+        applies-to: version-updates
         patterns:
           - "org.apache.httpcomponents*"
+      all-dependencies:
+        applies-to: version-updates
+        patterns:
+          - "*"
     ignore:
       # Ignore noisy dependencies in weekly checks
-      - dependency-name: "software.amazon.awssdk*"
-      - dependency-name: "com.google.cloud*"
+      # TODO Enable ignores after https://github.com/dependabot/dependabot-core/issues/1778
+      #- dependency-name: "software.amazon.awssdk*"
+      #- dependency-name: "com.google.cloud*"
       # Ignore major version upgrades for Jetty (requires manual update)
       - dependency-name: "org.eclipse.jetty*"
         update-types: ["version-update:semver-major"]
 
+  # TODO Enable "noisy updates" configuration once
+  # https://github.com/dependabot/dependabot-core/issues/1778 is fixed
+
   # 3. Noisy non-security updates (monthly, max 100 PRs)
   # This configuration is used for all dependencies with very frequent updates.
-  - package-ecosystem: "gradle"
-    directory: "/"
-    schedule:
-      interval: "monthly"
-    commit-message:
-      prefix: "[DEPENDENCY]"
-    labels:
-      - "dependencies"
-      - "non-security"
-    open-pull-requests-limit: 100
-    allow:
-      #  Dependencies added here have to be ignored in 2. configuration
-      - dependency-name: "software.amazon.awssdk*"
-      - dependency-name: "com.google.cloud*"
+#  - package-ecosystem: "gradle"
+#    directory: "/"
+#    schedule:
+#      interval: "monthly"
+#    commit-message:
+#      prefix: "[DEPENDENCY]"
+#    labels:
+#      - "dependencies"
+#    open-pull-requests-limit: 100
+#    allow:
+#      #  Dependencies added here have to be ignored in 2. configuration
+#      - dependency-name: "software.amazon.awssdk*"
+#      - dependency-name: "com.google.cloud*"