Skip to content

chore: suppress Dependabot minor/patch version bump PRs for Cargo deps #349

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
sandersaares wants to merge 2 commits into
base: main
Choose a base branch
from
Open

chore: suppress Dependabot minor/patch version bump PRs for Cargo deps #349

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
4bd05c7
chore: suppress Dependabot minor/patch version bump PRs for Cargo deps
sandersaares Mar 31, 2026
ce97976
Merge branch 'main' into chore/dependabot-ignore-minor-bumps
sandersaares Apr 1, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 13 additions & 5 deletions .github/dependabot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,12 +10,20 @@ updates:
commit-message:
prefix: "chore: "
ignore:
# ignore minor updates for tokio as they are semver compatible
- dependency-name: "tokio"
versions: ["1.x"]
# ignore patch updates for all dependencies
# Ignore all minor and patch updates — security updates are handled separately
# by Dependabot security alerts and are not affected by these ignore rules.
Copy link

Copilot AI Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The comment mentions "Dependabot security alerts" being unaffected by ignore rules; alerts and security update PRs are different features. Consider rewording to "Dependabot security updates (if enabled)" to avoid implying that alerts alone will produce PRs.

Suggested change
# by Dependabot security alerts and are not affected by these ignore rules.
# by Dependabot security updates (if enabled) and are not affected by these ignore rules.

Copilot uses AI. Check for mistakes.
#
# Ideally we would use versioning-strategy: increase-if-necessary to allow
# minor bumps that only touch Cargo.lock (respecting Cargo's 0.x semver
# conventions). However, Cargo only supports "auto" and "lockfile-only" —
# see https://github.com/dependabot/dependabot-core/issues/4009
# If that issue is resolved, replace these ignore rules with:
# versioning-strategy: increase-if-necessary
# ignore patch updates only
- dependency-name: "*"
update-types: ["version-update:semver-patch"]
update-types:
- "version-update:semver-minor"
- "version-update:semver-patch"

- package-ecosystem: "github-actions"
directory: "/"
Expand Down
4 changes: 4 additions & 0 deletions AGENTS.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,10 @@

Code in this repository should follow the guidelines specified in the [Microsoft Rust Guidelines](https://microsoft.github.io/rust-guidelines/agents/all.txt).

## Branching

Never commit directly to `main`. Always create a feature branch, push it, and open a pull request.

## README Files

Crate README files are auto-generated via `just readme`. Do not manually update them.
Expand Down
Loading