ci: make Dependabot PRs mergeable and consolidate updates into one group #23
Merged
Required status checks (unit, integration) were path-filtered, so any PR not touching s3proxy/tests/pyproject.toml (e.g. Docker base-image or lockfile-only Dependabot PRs) never posted the check and stayed blocked as 'Expected'. Run the test workflow on all PRs so required checks always report.
The split groups filtered by update-types (minor/patch vs major), so requirement-floor bumps that matched neither bucket leaked out as individual PRs (one per dependency), blowing past the PR limit. Use one group with patterns ['*'] and no update-types filter per ecosystem so all updates land in a single PR. Raise the limit to 10 as a safety margin.
This was referenced May 29, 2026
Two fixes that make Dependabot usable on this repo.
1. Run required tests on all PRs
The `Protect main` ruleset requires `unit`/`integration` to pass, but `test.yml` was path-filtered. When a required check's workflow is skipped by a `paths:` filter, GitHub never posts the check — it stays "Expected" and the PR can never merge. This blocked Docker-only and lockfile-only Dependabot PRs (and docs-only PRs). Removing the filter makes the checks always report.
2. Collapse Dependabot into a single group
The previous groups filtered by `update-types` (minor/patch vs major). Requirement-floor bumps (`>=x` updates) matched neither bucket and leaked out as one PR per dependency — that's how 2 grouped PRs became 5+ and hit the open-PR limit. Now each ecosystem uses one catch-all group (`patterns: ['*']`, no `update-types`), so all updates land in a single PR. Limit raised to 10 as a margin.
Note: uv and docker are separate ecosystems, so the most you'll see is one uv PR (+ one docker PR only when the base image changes).
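The two changes described above, sketched as configuration with the old setting commented out beside the new one. This is an added example, not the repository's actual files. The path globs, group names, `directory` values and schedule interval are assumptions or constructed; only the `unit`/`integration` checks, `test.yml`, the two ecosystems, `patterns: ['*']` and the limit of 10 come from the page.

```yaml
# .github/workflows/test.yml (trigger section only)
# Before: with a paths filter the workflow is skipped for PRs that touch
# none of these paths, so the required unit/integration checks never report.
# Globs are constructed from the paths named in the PR description.
#
# on:
#   pull_request:
#     paths:
#       - "s3proxy/**"
#       - "tests/**"
#       - "pyproject.toml"
#
# After: no paths filter, so every PR posts the required checks.
on:
  pull_request:
---
# .github/dependabot.yml
# Before (per ecosystem): groups split by update-types; a bump matching
# neither bucket is opened as its own PR. Group names are constructed.
#
#   groups:
#     minor-and-patch:
#       patterns: ["*"]
#       update-types: ["minor", "patch"]
#     major:
#       patterns: ["*"]
#       update-types: ["major"]
#
# After: one catch-all group per ecosystem, no update-types filter.
version: 2
updates:
  - package-ecosystem: "uv"
    directory: "/"            # assumed location of pyproject.toml / uv.lock
    schedule:
      interval: "weekly"      # assumed; the page does not state the schedule
    open-pull-requests-limit: 10
    groups:
      all:                    # group name is constructed
        patterns: ["*"]
  - package-ecosystem: "docker"
    directory: "/"            # assumed location of the Dockerfile
    schedule:
      interval: "weekly"      # assumed
    open-pull-requests-limit: 10
    groups:
      all:
        patterns: ["*"]
```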