ci(dependabot): bundle all routine updates into one PR per ecosystem

TalZaccai · Copilot · TalZaccai · commit f705855c8a25 · 2026-06-01T22:00:47.000-07:00
Previous revision of this branch set open-pull-requests-limit: 0 to
disable all routine version-update PRs. Per follow-up review we want a
single weekly grouped PR per ecosystem covering majors + minors + patches
instead -- easier to review at a glance than many small PRs.

- Drop open-pull-requests-limit: 0 (let routine PRs flow again)
- Add npm-all / pip-all / devcontainers-all / github-actions-all groups
  matching every package and every update-type (major, minor, patch) --
  collapses everything into one PR per ecosystem per weekly run.
- Keep the security-updates groups as separate PRs so security work
  isn't buried in routine churn.

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,64 +1,74 @@
-# Dependabot configuration for microsoft/TypeChat.
-#
-# Security-only mode: we want Dependabot alerts (security updates) to flow,
-# but NOT routine weekly version-update PRs. Setting
-# open-pull-requests-limit: 0 on each ecosystem block disables version
-# updates while keeping the ecosystem registered so security-update PRs
-# can still be opened automatically when an alert fires.
-#
-# Routine non-security upgrades are handled out-of-band (manually or by
-# a separate workflow); this file's role is to keep the security pipe
-# unblocked without flooding the repo with churn.
-#
-# Docs: https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
-
-version: 2
-updates:
-  # npm — typescript library + examples + docs site.
-  - package-ecosystem: "npm"
-    directories:
-      - "/typescript"
-      - "/typescript/examples/*"
-      - "/site"
-    schedule:
-      interval: "weekly"
-      day: "monday"
-    open-pull-requests-limit: 0
-    labels:
-      - "dependencies"
-    groups:
-      npm-security:
-        applies-to: security-updates
-        patterns: ["*"]
-        update-types: ["minor", "patch"]
-
-  - package-ecosystem: "pip"
-    directory: "/python"
-    schedule:
-      interval: "weekly"
-      day: "monday"
-    open-pull-requests-limit: 0
-    labels:
-      - "dependencies"
-    groups:
-      pip-security:
-        applies-to: security-updates
-        patterns: ["*"]
-        update-types: ["minor", "patch"]
-
-  - package-ecosystem: "devcontainers"
-    directory: "/"
-    schedule:
-      interval: weekly
-    open-pull-requests-limit: 0
-
-  - package-ecosystem: "github-actions"
-    directory: "/"
-    schedule:
-      interval: weekly
-    open-pull-requests-limit: 0
-    groups:
-      github-actions-security:
-        applies-to: security-updates
-        patterns: ["*"]
-        update-types: ["minor", "patch"]
+# Dependabot configuration for microsoft/TypeChat.
+#
+# Single-PR-per-ecosystem mode: every routine version bump (major, minor,
+# patch) is bundled into ONE grouped PR per ecosystem per weekly run.
+# Security updates ship as their own grouped PR so they aren't buried
+# under routine churn.
+#
+# Tradeoff: one large PR is easier to review at a glance than many small
+# ones, but if it fails CI the cause is harder to bisect because the
+# compounded breaking changes (e.g. dotenv 16->17 + sqlite3 5->6) all
+# land at once. If a routine PR keeps failing, drop the offending
+# package(s) from the PR's commit list and let it land without them.
+#
+# Docs: https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  # npm — typescript library + examples + docs site.
+  - package-ecosystem: "npm"
+    directories:
+      - "/typescript"
+      - "/typescript/examples/*"
+      - "/site"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    labels:
+      - "dependencies"
+    groups:
+      npm-all:
+        patterns: ["*"]
+        update-types: ["major", "minor", "patch"]
+      npm-security:
+        applies-to: security-updates
+        patterns: ["*"]
+        update-types: ["minor", "patch"]
+
+  - package-ecosystem: "pip"
+    directory: "/python"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    labels:
+      - "dependencies"
+    groups:
+      pip-all:
+        patterns: ["*"]
+        update-types: ["major", "minor", "patch"]
+      pip-security:
+        applies-to: security-updates
+        patterns: ["*"]
+        update-types: ["minor", "patch"]
+
+  - package-ecosystem: "devcontainers"
+    directory: "/"
+    schedule:
+      interval: weekly
+    groups:
+      devcontainers-all:
+        patterns: ["*"]
+        update-types: ["major", "minor", "patch"]
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: weekly
+    groups:
+      github-actions-all:
+        patterns: ["*"]
+        update-types: ["major", "minor", "patch"]
+      github-actions-security:
+        applies-to: security-updates
+        patterns: ["*"]
+        update-types: ["minor", "patch"]
