Tags: #dependencies
# Example configuration that's quite detailed in its approach.
# .github/dependabot.yaml
version: 2
updates:
- package-ecosystem: github-actions
directory: "/"
schedule:
day: monday
interval: weekly
time: "13:00"
open-pull-requests-limit: 10
groups:
version-bumps:
applies-to: version-updates
update-types: ["minor", "patch"]
- package-ecosystem: gomod
directory: "/"
schedule:
interval: weekly
time: "12:00"
open-pull-requests-limit: 10
groups:
# Always create a separate PR for zonedb updates
zonedb-only:
patterns:
- "github.com/zonedb/zonedb"
# Create a grouped PR specifically for fastly dependencies.
fastly-modules:
applies-to: version-updates
patterns:
- "github.com/fastly"
# Create a grouped PR for all go.mod dependencies that have a minor or
# patch version updates. All major updates will be separate PRs.
external-modules:
applies-to: version-updates
update-types: ["minor", "patch"]
exclude-patterns:
- "github.com/zonedb/zonedb"
- "github.com/fastly"
- package-ecosystem: terraform
# specify directories for dependabot to monitor for updating
# directories allows the use wildcard and globbing, which is needed because infrastructure contains many layers of subdirectories
# https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference#directories-or-directory--
directories:
- "/infrastructure" # files within the directory
- "/infrastructure/**/*" # subdirectories
schedule:
day: monday
interval: weekly
time: "13:00" # 5am Pacific
open-pull-requests-limit: 10
groups:
version-bumps:
applies-to: version-updates
update-types: ["minor", "patch"]