From 0f3aec1ec6fdf041da42fffac642d1ca80ec8171 Mon Sep 17 00:00:00 2001 From: RBKunnela Date: Sat, 23 May 2026 11:54:46 +0300 Subject: [PATCH] ci(security): add Dependabot groups block to batch Mon alert wave MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Why: Mon 2026-05-25 06:00 UTC Dependabot wave projected to ~50 individual PRs across the 3 paybot repos. Solo-founder bandwidth cannot absorb. Groups batch into ~12-15 PRs total. What: npm ecosystem: 5 groups - npm-patch-prod / npm-minor-prod (version-updates, prod, split by risk) - npm-dev-deps (version-updates, dev, batched freely) - npm-security-patch / npm-security-minor (security-updates, split by severity) uv ecosystem (packages/python): 4 groups - uv-patch / uv-minor (version-updates) - uv-security-patch / uv-security-minor (uv lacks the dependency-type axis npm has, so groups split by update-type alone; severity split preserved for security updates.) Precedent: scanner-bundle PRs paybot-core #3 (6dc6f5aa), paybot-sdk #11 (2513676d), paybot-mcp #1 (a6c211db) — same gate model. Authority: full SINKRA chain per .claude/rules/automated-pr-merge-authority.md. @qa lightweight (CI green + YAML validity + schema correct) then @devops merge. DO NOT MERGE before @qa PASS. Deadline: must merge before Mon 2026-05-25 06:00 UTC. --- .github/dependabot.yml | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 1abf5ae..5e801a9 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
@@ -29,6 +29,29 @@ updates: labels: - "dependencies" - "npm" + # Groups: batch alert waves so a solo operator can absorb them. + # Without grouping, a typical Monday wave is ~15-20 individual PRs per repo; + # grouped it's 3-5. Production patch/minor split keeps risk-tiers separate. + # Dev deps batched freely (no runtime exposure). Security updates split by + # severity so a critical CVE never gets bundled with a minor upgrade. + groups: + npm-patch-prod: + applies-to: version-updates + update-types: ["patch"] + dependency-type: "production" + npm-minor-prod: + applies-to: version-updates + update-types: ["minor"] + dependency-type: "production" + npm-dev-deps: + applies-to: version-updates + dependency-type: "development" + npm-security-patch: + applies-to: security-updates + update-types: ["patch"] + npm-security-minor: + applies-to: security-updates + update-types: ["minor"] # ---------- GitHub Actions ecosystem ---------- - package-ecosystem: "github-actions" @@ -69,3 +92,21 @@ updates: labels: - "dependencies" - "python" + # Groups: parallel batching to the npm block above. uv does not expose + # the `dependency-type: production|development` axis the same way npm + # does (uv uses dependency-groups in pyproject.toml), so groups are + # split by update-types alone. Security updates split by severity to + # keep critical CVEs unbundled. + groups: + uv-patch: + applies-to: version-updates + update-types: ["patch"] + uv-minor: + applies-to: version-updates + update-types: ["minor"] + uv-security-patch: + applies-to: security-updates + update-types: ["patch"] + uv-security-minor: + applies-to: security-updates + update-types: ["minor"]
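Review bot: in the first hunk, npm-security-patch and npm-security-minor split on `update-types: ["patch"]` / `update-types: ["minor"]`, which is the semver bump size of the fixing release, not the severity of the advisory, so the comment "Security updates split by severity so a critical CVE never gets bundled with a minor upgrade" (and the commit message's "split by severity") describes a property the config does not have: a critical CVE whose fix ships as a patch release lands in the same grouped PR as every low-severity patch fix that week. Reword the comment to "split by update type", or, if severity isolation is the actual requirement, state that these keys do not provide it and that grouped security PRs need the advisory list read before @qa passes them. Two smaller points on the same hunk: no group lists `major`, so major bumps and any dependency that matches no group still arrive as individual PRs, which the "grouped it's 3-5" estimate should say it excludes; and the npm-dev-deps rationale "no runtime exposure" overstates the case, since development dependencies run install scripts and CI jobs with repository credentials, so batching them freely is a bandwidth trade-off rather than a zero-risk choice and the comment should say so.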
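Review bot: in the second hunk, uv-patch and uv-minor carry no `dependency-type`, so each grouped PR mixes production and development dependencies and the "Production patch/minor split keeps risk-tiers separate" property of the npm block is lost for Python; the comment explains the missing axis but not this consequence. If the split matters for paybot, approximate it with `patterns:` / `exclude-patterns:` in a dedicated group naming the dev-only tooling the pyproject's dependency-groups already declare, and note in the comment that the remaining version-update groups are prod and dev mixed. The comment's "split by severity to keep critical CVEs unbundled" has the same problem as in the npm block: uv-security-patch / uv-security-minor split by semver update type, not by advisory severity, so the wording should match the keys.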