Pac-Man/.github/dependabot.yml

# Dependabot Configuration
# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
#
# Strategy:
# - Weekly checks for faster vulnerability detection
# - Separate patch/minor/major updates to prevent blocking
# - Group by crate (game vs server) for easier review
# - Auto-merge patches via GitHub branch protection rules
# - Limit concurrent PRs to avoid spam

version: 2
updates:
  # Game: Patch updates (auto-mergeable)
  - package-ecosystem: "cargo"
    directory: "/pacman"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 5
    groups:
      game-patches:
        applies-to: "version-updates"
        update-types:
          - "patch"
    ignore:
      # Bevy ECS 0.17+ requires API migration - ignore until manual update
      - dependency-name: "bevy_ecs"
        versions: ["0.17.x", "0.18.x", "0.19.x"]
    labels:
      - "dependencies"
      - "dependencies:patch"
      - "game"

  # Game: Minor updates (grouped, manual review)
  - package-ecosystem: "cargo"
    directory: "/pacman"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 5
    groups:
      game-minor:
        applies-to: "version-updates"
        update-types:
          - "minor"
    ignore:
      - dependency-name: "bevy_ecs"
        versions: ["0.17.x", "0.18.x", "0.19.x"]
    labels:
      - "dependencies"
      - "dependencies:minor"
      - "game"

  # Game: Major updates (separate PRs, manual review)
  - package-ecosystem: "cargo"
    directory: "/pacman"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 5
    groups:
      game-major:
        applies-to: "version-updates"
        update-types:
          - "major"
    ignore:
      - dependency-name: "bevy_ecs"
        versions: ["0.17.x", "0.18.x", "0.19.x"]
    labels:
      - "dependencies"
      - "dependencies:major"
      - "game"

  # Server: Patch updates (auto-mergeable)
  - package-ecosystem: "cargo"
    directory: "/pacman-server"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 5
    groups:
      server-patches:
        applies-to: "version-updates"
        update-types:
          - "patch"
    ignore:
      # jsonwebtoken 10+ requires crypto backend feature flag - ignore until manual migration
      - dependency-name: "jsonwebtoken"
        versions: ["10.x", "11.x"]
    labels:
      - "dependencies"
      - "dependencies:patch"
      - "server"

  # Server: Minor updates (grouped, manual review)
  - package-ecosystem: "cargo"
    directory: "/pacman-server"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 5
    groups:
      server-minor:
        applies-to: "version-updates"
        update-types:
          - "minor"
    ignore:
      - dependency-name: "jsonwebtoken"
        versions: ["10.x", "11.x"]
    labels:
      - "dependencies"
      - "dependencies:minor"
      - "server"

  # Server: Major updates (separate PRs, manual review)
  - package-ecosystem: "cargo"
    directory: "/pacman-server"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 5
    groups:
      server-major:
        applies-to: "version-updates"
        update-types:
          - "major"
    ignore:
      - dependency-name: "jsonwebtoken"
        versions: ["10.x", "11.x"]
    labels:
      - "dependencies"
      - "dependencies:major"
      - "server"

  # Frontend: Patch updates (auto-mergeable)
  - package-ecosystem: "npm"
    directory: "/web"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 5
    groups:
      frontend-patches:
        applies-to: "version-updates"
        update-types:
          - "patch"
    labels:
      - "dependencies"
      - "dependencies:patch"
      - "frontend"

  # Frontend: Minor updates (grouped, manual review)
  - package-ecosystem: "npm"
    directory: "/web"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 5
    groups:
      frontend-minor:
        applies-to: "version-updates"
        update-types:
          - "minor"
    labels:
      - "dependencies"
      - "dependencies:minor"
      - "frontend"

  # Frontend: Major updates (separate PRs for critical deps)
  - package-ecosystem: "npm"
    directory: "/web"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 5
    groups:
      frontend-major-framework:
        applies-to: "version-updates"
        update-types:
          - "major"
        patterns:
          - "react"
          - "react-dom"
          - "vike"
          - "vite"
    labels:
      - "dependencies"
      - "dependencies:major"
      - "frontend"
      - "framework"

  # Frontend: Other major updates (grouped)
  - package-ecosystem: "npm"
    directory: "/web"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 5
    groups:
      frontend-major-other:
        applies-to: "version-updates"
        update-types:
          - "major"
        exclude-patterns:
          - "react"
          - "react-dom"
          - "vike"
          - "vite"
    labels:
      - "dependencies"
      - "dependencies:major"
      - "frontend"

  # GitHub Actions: All updates grouped (low risk)
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 5
    groups:
      github-actions:
        patterns:
          - "*"
    labels:
      - "dependencies"
      - "github-actions"