build(deps): group pulumi core modules for dependabot version updates#150
Merged
The pulumi core modules are released in lockstep: sdk/v3 and pkg/v3 share an internal API (plugin.NewContextWithRoot et al.), and pulumi-go-provider tracks pulumi/pkg/v3's codegen/schema types. Bumping any one of them alone produces an unbuildable tree — which is exactly how the standalone sdk/v3 3.247.0 bump (#145) broke CI. Group their routine version updates into a single PR so dependabot proposes a buildable set. applies-to defaults to version-updates, so security advisories on any of these are still raised as separate, immediate PRs. Claude-Session: https://claude.ai/code/session_017Kyd98NzojozMZ19d5UCZ2
Why

The pulumi core modules are released in lockstep and must move together:

- pulumi/sdk/v3 and pulumi/pkg/v3 share an internal API — pkg's workspace/plugin.go calls plugin.NewContextWithRoot / Host.LanguageRuntime, whose signatures are defined in sdk.
- pulumi-go-provider tracks pulumi/pkg/v3's codegen/schema types (e.g. ResourceSpec).

Bumping any one of them alone produces an unbuildable tree. That's exactly how the standalone sdk/v3 3.246.0 → 3.247.0 bump in #145 broke CI: dependabot raised sdk on its own, leaving pkg behind (signature mismatch), and even the matching pkg 3.247.0 then breaks pulumi-go-provider@v1.3.2 (no compatible release exists yet).

What

Add a dependabot groups entry that bundles the routine version updates of the three coupled modules into a single PR, so dependabot proposes a buildable set rather than an unbuildable partial bump.

applies-to: version-updates (the default) is set explicitly: security advisories on any of these are unaffected by the group and are still raised as separate, immediate PRs. Note this does not solve the case where a CVE security-update bumps only one lockstep module — that remains a manual companion-bump moment, inherent to the coupling and not something a config can fully prevent.

Plugin SDKs (pulumi-hcloud, pulumi-cloudflare) are intentionally left out of the group — they version independently of pulumi core.

Merge Commit Message
build(deps): group pulumi core modules for dependabot version updates
https://claude.ai/code/session_017Kyd98NzojozMZ19d5UCZ2
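A .github/dependabot.yml fragment implementing the groups entry described in the PR, written here as an added example rather than taken from the PR's own diff; the Go module paths, the root directory and the weekly schedule are assumptions.

```yaml
# .github/dependabot.yml (example; module paths, directory and schedule are assumed)
version: 2
updates:
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      # The three lockstep modules. A routine bump of any one of them is
      # proposed together with the other two, so the resulting tree builds.
      pulumi-core:
        # Default value, stated explicitly: only routine version updates
        # are grouped. Security updates for these modules are still raised
        # as separate, immediate PRs (and may bump a single module alone).
        applies-to: version-updates
        patterns:
          - "github.com/pulumi/pulumi/sdk/v3"
          - "github.com/pulumi/pulumi/pkg/v3"
          - "github.com/pulumi/pulumi-go-provider"
    # Plugin SDKs (pulumi-hcloud, pulumi-cloudflare) match none of the patterns
    # and therefore keep receiving their own independent update PRs.
```

Because the patterns are exact module paths, a new major version of any of the three (a different module path) would not be picked up by the group until the pattern is updated.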