Skip to content

ci: deduplicate Dependabot PRs in monorepo via group-by #43

Description

@martyy-code

Problem

Dependabot currently generates 2× PRs per bump for dependencies present in workspaces (apps/web, packages/type-testing). Root cause: the groups block in .github/dependabot.yml lacks group-by: dependency-name, so the same dep in N workspaces → N PRs.

Result: 20 open PRs, ~17 are root/workspace duplicates.

Solution

  1. Add group-by: dependency-name to both groups (production-dependencies + development-dependencies) in .github/dependabot.yml — collapses PRs on the next weekly run
  2. Enable auto-merge — Settings → General → "Allow auto-merge" + create .github/workflows/dependabot-auto-merge.yml to auto-merge minor/patch Dependabot PRs after CI passes (excluding majors)
  3. Clean up the current stack — merge workspace PRs first, then close the duplicate root PRs

Acceptance Criteria

  • group-by: dependency-name added → next Dependabot run generates ≤ 10 PRs (one per dep)
  • 20 open Dependabot PRs merged or closed
  • Auto-merge workflow active and functional
  • versioning-strategy for the published lib (packages/type-testing/) evaluated separately

Related

Risks

  • Low. group-by is a one-line addition; the rest is manual cleanup.
  • The auto-merge workflow requires "Allow auto-merge" enabled on the repo + branch protection on main (verify this is already in place).

Metadata

Metadata

Assignees

Labels

area:ciWorkflows, dependabot, toolingdependenciesDependency updates (used by Dependabot)status:readyTriaged and accepted - ready to be picked up

Type

Fields

No fields configured for Task.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions