Skip to content

Infra: Create more targeted groups for gradle and group all the action upgrades #1542

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
yeikel wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Infra: Create more targeted groups for gradle and group all the action upgrades #1542

yeikel wants to merge 2 commits into from

Conversation

@yeikel
Copy link
Collaborator

@yeikel yeikel commented Nov 29, 2025
edited
Loading

What changes did you make?

Updated the Dependabot configuration to define more targeted groups.

The intent is to increase the number of Dependabot pull requests that successfully merge into main, as the current grouping is too ambitious and frequently breaks the build (see #1520) causing us to simply ignore the updates and not get the main benefit of Dependabot

The action group was created because it’s generally safer to bundle these updates together. Depending on how things progress, we may need to apply a similar adjustment to it as well.

How Has This Been Tested? (put an "x" (case-sensitive!) next to an item)

  • Manually (please, describe, if necessary)

I tested the groups in my fork: https://github.com/yeikel/kafka-ui/pulls

Checklist (put an "x" (case-sensitive!) next to all the items, otherwise the build will fail)

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation (e.g. ENVIRONMENT VARIABLES)
  • My changes generate no new warnings (e.g. Sonar is happy)
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged

A picture of a cute animal (not mandatory but encouraged)

dd5b01f0219c5d6afa30f954852f2e00

@yeikel yeikel requested a review from a team as a code owner November 29, 2025 20:31
@kapybro kapybro bot added status/triage Issues pending maintainers triage scope/infra CI, CD, dev. env, etc. status/triage/manual Manual triage in progress status/triage/completed Automatic triage completed and removed status/triage Issues pending maintainers triage labels Nov 29, 2025
@yeikel
Copy link
Collaborator Author

yeikel commented Dec 2, 2025

@Haarolean Could you check this out?

Haarolean
Haarolean requested changes Dec 8, 2025
View reviewed changes
.github/dependabot.yml
# In general, our Netty references are temporary overrides, usually applied to address transitive Spring vulnerabilities, and should be configured with caution
# In general, having conflicting Netty versions in the classpath is not recommended
- dependency-name: "io.netty:*"
# We will handle major upgrades manually
Copy link
Member

@Haarolean Haarolean Dec 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i don't mind having PRs for these if they don't hog up the total amount of open PRs. Otherwise nobody will ever check if there's a new spring boot out

Copy link
Collaborator Author

@yeikel yeikel Dec 8, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The challenge with Dependabot is that you can enable either major or minor upgrades, but not both at the same time. If we enable major upgrades, only those will appear, and the smaller, more manageable minor upgrades will no longer be shown.

In the case of Spring Boot, we will see Spring Boot 4.x immediately but no minor versions like 3.5.8. So while we wait to allocate capacity for the 4.x bump, we will need to manage minor versions manually

.github/dependabot.yml
exclude-patterns:
- "org.springframework.boot:*"
- "io.spring.dependency-management"
- "io.modelcontextprotocol.sdk:mcp-spring-webflux"
Copy link
Member

@Haarolean Haarolean Dec 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why is this suddently a spring boot dependency?

Copy link
Collaborator Author

@yeikel yeikel Dec 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is not, but I deducted from the name that it is probably a good idea to test these together as mcp-spring-webflux depends on Spring Webflux

Copy link
Collaborator Author

@yeikel yeikel Dec 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you think it should be separate?

.github/dependabot.yml Outdated
- "org.testcontainers:*"
- "org.junit.jupiter:*"
- "org.assertj:*"
- "com.gorylenko.gradle-git-properties"
Copy link
Member

@Haarolean Haarolean Dec 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"com.gorylenko.gradle-git-properties" that package is for adding git meta info into the build, not testing

Copy link
Collaborator Author

@yeikel yeikel Dec 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, I fixed this with a334ab7

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Haarolean Haarolean Haarolean requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

scope/infra CI, CD, dev. env, etc. status/triage/completed Automatic triage completed status/triage/manual Manual triage in progress

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@yeikel @Haarolean