diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index e1c1b44..900c5ef 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,20 +1,227 @@ +# Dependabot Configuration # https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates +# +# Strategy: +# - Weekly checks for faster vulnerability detection +# - Separate patch/minor/major updates to prevent blocking +# - Group by crate (game vs server) for easier review +# - Auto-merge patches via GitHub branch protection rules +# - Limit concurrent PRs to avoid spam version: 2 updates: + # Game: Patch updates (auto-mergeable) - package-ecosystem: "cargo" - directory: "/" + directory: "/pacman" schedule: - interval: "monthly" + interval: "weekly" + day: "monday" + open-pull-requests-limit: 5 groups: - dependencies: + game-patches: + applies-to: "version-updates" + update-types: + - "patch" + ignore: + # Bevy ECS 0.17+ requires API migration - ignore until manual update + - dependency-name: "bevy_ecs" + versions: ["0.17.x", "0.18.x", "0.19.x"] + labels: + - "dependencies" + - "dependencies:patch" + - "game" + + # Game: Minor updates (grouped, manual review) + - package-ecosystem: "cargo" + directory: "/pacman" + schedule: + interval: "weekly" + day: "monday" + open-pull-requests-limit: 5 + groups: + game-minor: + applies-to: "version-updates" + update-types: + - "minor" + ignore: + - dependency-name: "bevy_ecs" + versions: ["0.17.x", "0.18.x", "0.19.x"] + labels: + - "dependencies" + - "dependencies:minor" + - "game" + + # Game: Major updates (separate PRs, manual review) + - package-ecosystem: "cargo" + directory: "/pacman" + schedule: + interval: "weekly" + day: "monday" + open-pull-requests-limit: 5 + groups: + game-major: + applies-to: "version-updates" + update-types: + - "major" + ignore: + - dependency-name: "bevy_ecs" + versions: ["0.17.x", "0.18.x", "0.19.x"] + labels: + - "dependencies" + - "dependencies:major" + - "game" + + # Server: Patch updates (auto-mergeable) + - package-ecosystem: "cargo" + directory: "/pacman-server" + schedule: + interval: "weekly" + day: "monday" + 
open-pull-requests-limit: 5 + groups: + server-patches: + applies-to: "version-updates" + update-types: + - "patch" + ignore: + # jsonwebtoken 10+ requires crypto backend feature flag - ignore until manual migration + - dependency-name: "jsonwebtoken" + versions: ["10.x", "11.x"] + labels: + - "dependencies" + - "dependencies:patch" + - "server" + + # Server: Minor updates (grouped, manual review) + - package-ecosystem: "cargo" + directory: "/pacman-server" + schedule: + interval: "weekly" + day: "monday" + open-pull-requests-limit: 5 + groups: + server-minor: + applies-to: "version-updates" + update-types: + - "minor" + ignore: + - dependency-name: "jsonwebtoken" + versions: ["10.x", "11.x"] + labels: + - "dependencies" + - "dependencies:minor" + - "server" + + # Server: Major updates (separate PRs, manual review) + - package-ecosystem: "cargo" + directory: "/pacman-server" + schedule: + interval: "weekly" + day: "monday" + open-pull-requests-limit: 5 + groups: + server-major: + applies-to: "version-updates" + update-types: + - "major" + ignore: + - dependency-name: "jsonwebtoken" + versions: ["10.x", "11.x"] + labels: + - "dependencies" + - "dependencies:major" + - "server" + + # Frontend: Patch updates (auto-mergeable) + - package-ecosystem: "npm" + directory: "/web" + schedule: + interval: "weekly" + day: "monday" + open-pull-requests-limit: 5 + groups: + frontend-patches: + applies-to: "version-updates" + update-types: + - "patch" + labels: + - "dependencies" + - "dependencies:patch" + - "frontend" + + # Frontend: Minor updates (grouped, manual review) + - package-ecosystem: "npm" + directory: "/web" + schedule: + interval: "weekly" + day: "monday" + open-pull-requests-limit: 5 + groups: + frontend-minor: + applies-to: "version-updates" + update-types: + - "minor" + labels: + - "dependencies" + - "dependencies:minor" + - "frontend" + + # Frontend: Major updates (separate PRs for critical deps) + - package-ecosystem: "npm" + directory: "/web" + schedule: + 
interval: "weekly" + day: "monday" + open-pull-requests-limit: 5 + groups: + frontend-major-framework: + applies-to: "version-updates" + update-types: + - "major" patterns: - - "*" + - "react" + - "react-dom" + - "vike" + - "vite" + labels: + - "dependencies" + - "dependencies:major" + - "frontend" + - "framework" + + # Frontend: Other major updates (grouped) + - package-ecosystem: "npm" + directory: "/web" + schedule: + interval: "weekly" + day: "monday" + open-pull-requests-limit: 5 + groups: + frontend-major-other: + applies-to: "version-updates" + update-types: + - "major" + exclude-patterns: + - "react" + - "react-dom" + - "vike" + - "vite" + labels: + - "dependencies" + - "dependencies:major" + - "frontend" + + # GitHub Actions: All updates grouped (low risk) - package-ecosystem: "github-actions" directory: "/" schedule: - interval: "monthly" + interval: "weekly" + day: "monday" + open-pull-requests-limit: 5 groups: - dependencies: + github-actions: patterns: - "*" + labels: + - "dependencies" + - "github-actions"
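Review bot: The new file declares three `updates` entries for `cargo` at `/pacman`, three for `cargo` at `/pacman-server` and four for `npm` at `/web`, but Dependabot requires each entry to have a unique combination of `package-ecosystem`, `directory` and `target-branch`, so this file is likely to fail validation and stop the version updates the header comment relies on. Keep one entry per ecosystem and directory and put the patch, minor and major groups under that entry's single `groups:` map, as sketched below for `/pacman`. Labels are set per entry, so the `dependencies:patch`/`minor`/`major` labels cannot be kept this way, and any auto-merge rule should not depend on them. Separately, the `jsonwebtoken` ignore for `10.x` and `11.x` holds back a token-handling library on the server, so its comment should link a tracking issue so that the pin is revisited rather than left indefinitely.

```yaml
  # Game: one entry per ecosystem/directory; update types are split by group
  - package-ecosystem: "cargo"
    directory: "/pacman"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 5
    groups:
      game-patches:
        applies-to: "version-updates"
        update-types:
          - "patch"
      game-minor:
        applies-to: "version-updates"
        update-types:
          - "minor"
      game-major:
        applies-to: "version-updates"
        update-types:
          - "major"
    ignore:
      # Bevy ECS 0.17+ requires API migration - ignore until manual update
      - dependency-name: "bevy_ecs"
        versions: ["0.17.x", "0.18.x", "0.19.x"]
    labels:
      - "dependencies"
      - "game"
  # … same shape for the /pacman-server and /web entries …
  # … unchanged: github-actions entry …
```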