Skip to content

[MAINT]: Group github-actions minor/patch Dependabot updates#112

Open
nina-msft wants to merge 1 commit into
microsoft:mainfrom
nina-msft:nina-msft-dependabot-group-github-actions
Open

[MAINT]: Group github-actions minor/patch Dependabot updates#112
nina-msft wants to merge 1 commit into
microsoft:mainfrom
nina-msft:nina-msft-dependabot-group-github-actions

Conversation

@nina-msft

Copy link
Copy Markdown
Contributor

What

Adds a minor-and-patch group to the github-actions ecosystem in .github/dependabot.yml, mirroring the existing uv ecosystem configuration.

  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
    commit-message:
      prefix: "[MAINT]"
    groups:
      minor-and-patch:
        update-types:
          - minor
          - patch

Why

Without a version-update group, Dependabot opens one PR per dependency for the github-actions ecosystem. Because github/codeql-action/init and github/codeql-action/analyze are distinct dependency names, a single action upgrade gets split into two PRs (e.g. #107 and #109 for 4.36.2 → 4.37.0).

CodeQL requires the init and analyze steps to run the same version, so each split PR on its own leaves codeql.yml with mismatched versions and fails CI with a configuration error:

Loaded a configuration file for version '4.36.2', but running version '4.37.0'

Grouping combines both bumps into a single PR/commit, so the workflow is never left in a mismatched state.

Effect

Notes

  • Config-only change; no code or workflow behavior is affected.
  • Scoped to minor and patch updates, consistent with the uv ecosystem group already in this file.

Add a minor-and-patch group to the github-actions ecosystem so minor
and patch action updates are combined into a single pull request,
alongside the existing security-minor-and-patch group and mirroring the
uv ecosystem configuration.

This prevents Dependabot from splitting a single action upgrade (such
as github/codeql-action init and analyze) into separate PRs, which
leaves the workflow with mismatched action versions and fails CI.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
@nina-msft nina-msft force-pushed the nina-msft-dependabot-group-github-actions branch from c6138c1 to a5fc22f Compare July 10, 2026 22:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant