@ppkarwasz
Contributor

This change adds grouping to all dependabot configurations to limit the number of open PRs to one.

It also removes the merge-dependabot workflow, which is no longer useful in case of grouped upgrades.

Member

@vy vy left a comment

This effectively means dependency updates will not contain a changelog entry anymore. I'm reluctant to accept this.

I thought we agreed to "disable dependabot" (i.e., delete dependabot.yaml) and restore it once the CI workflow is fixed. Have I misunderstood you?

@ppkarwasz
Contributor Author

ppkarwasz commented Dec 3, 2025

I prefer to keep Dependabot alive as a reminder. Having a partial Dependabot PR is better than having no PR at all.

I'm not very keen on this idea, since it will take a single click for a maintainer to approve such a PR, and effectively lose the trail of updates, which are necessary to generate changelog entry files.

Until we solve the blocker for Dependabot automation, we can always complete those PRs ourselves or I can share a short Python script to generate the entries.

Can you put that in a Groovy script that gets executed in a dedicated logging-parent profile, that is, ./mvnw -P generate-dependabot-changelog apache/logging-log4j2 12345?

@ppkarwasz ppkarwasz requested a review from vy December 5, 2025 14:35