From 8020fabc134c83626c1ab6a6bbab3a2bbf4c0a96 Mon Sep 17 00:00:00 2001 From: Ruben Romero Montes Date: Tue, 14 Apr 2026 21:56:36 +0200 Subject: [PATCH] ci: suppress dependabot updates for test fixture manifests The exclude-paths option only applies to version updates, not security updates (per GitHub docs). This caused 26+ noisy PRs from dependabot trying to bump intentionally-pinned vulnerable deps in test fixtures. Replace the broad directory: "/" entries for non-JS ecosystems with targeted directories pointing to the actual test fixture paths, paired with ignore: [{dependency-name: "*"}] to suppress both version and security update PRs. For npm, add a separate entry targeting test fixture JS directories with the same ignore rule, keeping the production root entry intact. Also adds test/providers/provider_manifests/** to the production npm exclude-paths and adds missing uv/gradle/cargo ecosystem entries. Co-Authored-By: Claude Opus 4.6 --- .github/dependabot.yml | 77 +++++++++++++++++++++++++++++++++++------- 1 file changed, 65 insertions(+), 12 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 1245ecb7..2592f2bc 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,12 +1,14 @@ # yaml-language-server: $schema=https://www.schemastore.org/dependabot-2.0.json version: 2 updates: + # ── Production dependencies ────────────────────────────────────────── - package-ecosystem: "npm" directory: "/" schedule: interval: "daily" exclude-paths: - "test/providers/tst_manifests/**" + - "test/providers/provider_manifests/**" groups: npm-dependencies: patterns: 
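Review bot: The new `- "test/providers/provider_manifests/**"` entry under exclude-paths only narrows version updates; as the commit message itself states, exclude-paths has no effect on security updates, so on its own this line would still let security-update PRs through for that tree, and muting it relies entirely on the fixture npm entry added later in the file. A short comment above `exclude-paths:` would keep a later editor from "simplifying" the fixture entries away on the assumption that this exclusion is sufficient: `# exclude-paths affects version updates only; security updates for fixture dirs are muted by the ignore rules in the fixture entries below`. The npm entry's groups block continues outside the hunk.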
@@ -27,21 +29,72 @@ updates: github-actions: patterns: - "*" + + # ── Test fixture manifests (suppress all updates including security) ─ + # These directories contain intentionally pinned dependencies used as + # test fixtures. They must NOT be updated by dependabot. + - package-ecosystem: "npm" + directories: + - "/test/providers/tst_manifests/npm/**" + - "/test/providers/tst_manifests/pnpm/**" + - "/test/providers/tst_manifests/yarn-berry/**" + - "/test/providers/tst_manifests/yarn-classic/**" + - "/test/providers/tst_manifests/js-common/**" + - "/test/providers/provider_manifests/npm/**" + - "/test/providers/provider_manifests/pnpm/**" + - "/test/providers/provider_manifests/yarn-berry/**" + - "/test/providers/provider_manifests/yarn-classic/**" + schedule: + interval: "monthly" + labels: [] + ignore: + - dependency-name: "*" - package-ecosystem: "pip" - directory: "/" + directories: + - "/test/providers/tst_manifests/pip/**" schedule: - interval: "weekly" - exclude-paths: - - "test/providers/tst_manifests/**" + interval: "monthly" + labels: [] + ignore: + - dependency-name: "*" + - package-ecosystem: "uv" + directories: + - "/test/providers/tst_manifests/pyproject/**" + schedule: + interval: "monthly" + labels: [] + ignore: + - dependency-name: "*" - package-ecosystem: "maven" - directory: "/" + directories: + - "/test/providers/tst_manifests/maven/**" schedule: - interval: "weekly" - exclude-paths: - - "test/providers/tst_manifests/**" + interval: "monthly" + labels: [] + ignore: + - dependency-name: "*" + - package-ecosystem: "gradle" + directories: + - "/test/providers/tst_manifests/gradle/**" + schedule: + interval: "monthly" + labels: [] + ignore: + - dependency-name: "*" + - package-ecosystem: "cargo" + directories: + - "/test/providers/tst_manifests/cargo/**" + - "/test/providers/provider_manifests/cargo/**" + schedule: + interval: "monthly" + labels: [] + ignore: + - dependency-name: "*" - package-ecosystem: "gomod" - directory: "/" + directories: + - 
"/test/providers/tst_manifests/golang/**" schedule: - interval: "weekly" - exclude-paths: - - "test/providers/tst_manifests/**" + interval: "monthly" + labels: [] + ignore: + - dependency-name: "*"
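Review bot: `ignore: - dependency-name: "*"` suppresses Dependabot PRs (version and security) for these directories, but as far as the documented behaviour goes it does not suppress Dependabot alerts, so the intentionally vulnerable pins in these fixtures will still show up in the repository's security alerts and have to be triaged there; the section header should say so, e.g. `# ignore mutes PRs only; alerts for these pinned fixtures still appear and are expected`. Two details worth confirming against the real fixture layout: the tst_manifests npm list includes `js-common/**` while the provider_manifests list does not, so any JS fixture directory under provider_manifests beyond the four listed would be excluded from the production entry by the first hunk yet not covered here; and whether `…/npm/**` matches manifests placed directly in `npm/` rather than only in nested subdirectories depends on Dependabot's glob semantics for directories. The same ignore shape is repeated for pip, uv, maven, gradle, cargo and gomod, so the comment belongs once at the section header rather than per entry.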