From d57b3b282785511cc5413a33f4cd2a0ab1dcadda Mon Sep 17 00:00:00 2001 From: Pedro Gomes Date: Sun, 28 Jun 2026 07:48:33 +0100 Subject: [PATCH] build(deps): group pulumi core modules for dependabot version updates MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The pulumi core modules are released in lockstep: sdk/v3 and pkg/v3 share an internal API (plugin.NewContextWithRoot et al.), and pulumi-go-provider tracks pulumi/pkg/v3's codegen/schema types. Bumping any one of them alone produces an unbuildable tree — which is exactly how the standalone sdk/v3 3.247.0 bump (#145) broke CI. Group their routine version updates into a single PR so dependabot proposes a buildable set. applies-to defaults to version-updates, so security advisories on any of these are still raised as separate, immediate PRs. Claude-Session: https://claude.ai/code/session_017Kyd98NzojozMZ19d5UCZ2 --- .github/dependabot.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index ff0cd98..dd9eec8 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -10,6 +10,19 @@ updates: cooldown: default-days: 5 open-pull-requests-limit: 10 + groups: + # The pulumi core modules are released in lockstep and must move + # together: sdk/v3 and pkg/v3 share an internal API (plugin.NewContextWithRoot + # et al.), and pulumi-go-provider tracks pulumi/pkg/v3's codegen/schema types. + # Bumping any one alone produces an unbuildable tree, so group their routine + # bumps into a single PR. applies-to defaults to version-updates, so security + # advisories on any of these are still raised as separate, immediate PRs. + pulumi: + applies-to: version-updates + patterns: + - "github.com/pulumi/pulumi" + - "github.com/pulumi/pulumi/*" + - "github.com/pulumi/pulumi-go-provider" # GitHub Actions used in our workflows. - package-ecosystem: github-actions