Skip to content

ci: group sdk updates #4651

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
andresmr wants to merge 1 commit into
base: main
Choose a base branch
from
+17 −5
Open

ci: group sdk updates #4651

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 17 additions & 5 deletions .github/dependabot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,22 +15,34 @@ updates:
commit-message:
prefix: "deps"
ignore:
# Allow security updates for all dependencies
- dependency-name: "*"
update-types: ["version-update:semver-major", "version-update:semver-minor"]
# But allow security updates even for major/minor
except:
- update-types: ["version-update:semver:security"]
Comment on lines +18 to +23
Copy link

Copilot AI Feb 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The ignore entry adds an except: block, but except is not a valid key in Dependabot’s ignore configuration. Additionally, version-update:semver:security is not a valid update-types value. This will likely cause Dependabot to reject the config. If the goal is to ensure security updates still open, note that Dependabot security updates are handled separately and generally aren’t affected by ignore; remove except and keep only supported update-types entries (or restructure using a separate update config).

Suggested change
# Allow security updates for all dependencies
- dependency-name: "*"
update-types: ["version-update:semver-major", "version-update:semver-minor"]
# But allow security updates even for major/minor
except:
- update-types: ["version-update:semver:security"]
# Ignore non-security major/minor updates for all dependencies.
# Dependabot security updates are handled separately and will still be opened.
- dependency-name: "*"
update-types: ["version-update:semver-major", "version-update:semver-minor"]

Copilot uses AI. Check for mistakes.

# Specific dependencies to exclude from automatic updates
# (These are managed manually due to breaking changes)
- dependency-name: "com.squareup.okhttp3:*"
- dependency-name: "org.hisp.dhis.mobile:designsystem"
- dependency-name: "org.hisp.dhis:android-core"
- dependency-name: "org.hisp.dhis.rules:rule-engine-jvm"
- dependency-name: "org.hisp.dhis.lib.expression:expression-parser-jvm"

# Group DHIS2 core updates together
groups:
gradle-updates:
dhis2-android-core:
patterns:
- "*" # Group all Gradle updates into one PR
- "org.hisp.dhis:android-core"
update-types:
- "patch" # Only include patch updates (no major or minor versions)
- "patch"
- "minor"
- "major"
Comment on lines 33 to +40
Copy link

Copilot AI Feb 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The global ignore rule for dependency-name: "*" ignoring semver-major/minor will also apply to org.hisp.dhis:android-core, so the dhis2-android-core group’s minor/major update-types won’t ever be proposed. If you want to allow minor/major updates only for android-core while keeping the rest patch-only, consider adding a second updates: entry for Gradle that allows just org.hisp.dhis:android-core (with its group settings), and keep the global ignore in the other entry.

Copilot uses AI. Check for mistakes.

# GitHub Actions updates (optional)
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
target-branch: "develop"
open-pull-requests-limit: 5
open-pull-requests-limit: 5