close
Skip to content

Several improvements to the Dependabot configuration#78536

Merged
desrosj merged 3 commits into
trunkfrom
add/cooldown-period-to-dependabot
May 22, 2026
Merged

Several improvements to the Dependabot configuration#78536
desrosj merged 3 commits into
trunkfrom
add/cooldown-period-to-dependabot

Conversation

@desrosj
Copy link
Copy Markdown
Member

@desrosj desrosj commented May 22, 2026

What?

This PR makes a handful of changes to the Dependabot file that is currently configured to prepare updates for the GitHub Actions ecosystem.

  • A default cooldown period of 7 days is being added.
  • The group configuration has been updated to only target minor and patch updates (major version updates will each get their own isolated pull request).
  • The limitation for number of concurrent pull requests at a given time has been raised from 10 to 20 (there are currently 21 unique third-party GitHub Actions being used).

Why?

  • The cooldown value helps to guard against scenarios where a dependency is updated too soon after initial release, which could possibly result in falling victim to a supply chain attack.
  • When major releases are mixed in with minor and patch updates, major versions that require broader action to be taken before being merged often block minor and patch updates.

Use of AI Tools

None.

desrosj added 3 commits May 21, 2026 21:19
@desrosj
Increase the Dependabot open pull request limit.
da4c636
@desrosj
Improve the group settings for GitHub Actions.
da12d9d 
This removes the `'*'` pattern, which is not necessary (all dependencies is the default).

It also adjusts the group configuration to exclude the major and security updates from grouping to ensure they each have an individual pull request. This allows for deeper review of larger and potentially breaking changes without blocking minor, patch, or security updates.
@desrosj
Configure a default cooldown.
5cc9e09
@desrosj desrosj self-assigned this May 22, 2026
@desrosj desrosj added the [Type] Build Tooling Issues or PRs related to build tooling label May 22, 2026
@desrosj desrosj requested review from Copilot and johnbillion May 22, 2026 01:41
Copilot AI reviewed May 22, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the repository’s Dependabot configuration for the github-actions ecosystem to better control update timing and PR organization.

Changes:

  • Increased the concurrent Dependabot PR limit from 10 to 20.
  • Added a default 7-day cooldown window before opening PRs for newly released versions.
  • Adjusted grouping to only include minor/patch updates (so major updates are isolated).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/dependabot.yml
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 22, 2026
edited
Loading

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Co-authored-by: desrosj <[email protected]>
Co-authored-by: johnbillion <[email protected]>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

@desrosj desrosj moved this from Backlog to In review in WordPress Project Build Tooling May 22, 2026
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 22, 2026

Flaky tests detected in 5cc9e09.
Some tests passed with failed attempts. The failures may not be related to this commit but are still reported for visibility. See the documentation for more information.

🔍 Workflow run URL: https://github.com/WordPress/gutenberg/actions/runs/26263469362
📝 Reported issues:

@desrosj desrosj added the props-bot Manually triggers Props Bot to ensure the list of props is up to date. label May 22, 2026
@github-actions github-actions Bot removed the props-bot Manually triggers Props Bot to ensure the list of props is up to date. label May 22, 2026
@desrosj desrosj merged commit db03118 into trunk May 22, 2026
58 of 62 checks passed
@desrosj desrosj deleted the add/cooldown-period-to-dependabot branch May 22, 2026 16:09
@github-actions github-actions Bot added this to the Gutenberg 23.3 milestone May 22, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@johnbillion johnbillion johnbillion approved these changes

+1 more reviewer

Copilot code review Copilot Copilot left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@desrosj desrosj

Labels

[Type] Build Tooling Issues or PRs related to build tooling

Projects

WordPress Project Build Tooling
Status: Done

Milestone

Gutenberg 23.3

Development

Successfully merging this pull request may close these issues.

4 participants

@desrosj @johnbillion