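You can use the dependabot.yml file to create separate rules to group Dependabot version updates and Dependabot security updates. Each group is assigned to one of the two with the `applies-to` key (`version-updates` or `security-updates`); a group that omits the key applies to version updates only.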
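---
# Dependabot configuration: monthly, grouped version-update pull requests for
# GitHub Actions, NuGet, npm and Docker, all in the repository root.
#
# Schema:    https://json.schemastore.org/dependabot-2.0.json
# Reference: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups
#
# Security notes for maintainers:
#   * Every group below is scoped to version updates (`applies-to:
#     version-updates`, which is also the default when the key is omitted).
#     Security updates are NOT grouped by this file; to batch them, add a
#     separate group per ecosystem with `applies-to: security-updates`.
#   * `schedule.interval` paces version updates only. Security updates are
#     raised from Dependabot alerts and do not wait for the monthly run, but
#     they must be enabled in the repository settings.
#   * Groups only match `minor`/`patch` (npm production: `patch` only).
#     Anything a group does not match, including major bumps, still arrives
#     as an individual pull request.
#   * NOTE(review): `target-branch: main` assumes `main` is the default
#     branch. Security updates always target the default branch, so confirm
#     the two are the same or this entry's settings will not apply to them.
#   * NOTE(review): GitHub has announced that `reviewers` is being replaced
#     by CODEOWNERS; confirm the option is still honoured and keep a
#     CODEOWNERS entry so dependency PRs always get a human review.
version: 2
updates:
  # --- GitHub Actions workflows -------------------------------------------
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: monthly
    target-branch: main
    reviewers:
      - jonlabelle
    commit-message:
      prefix: "chore(deps): "
    groups:
      # One PR for all minor + patch action bumps.
      actions-minor:
        applies-to: version-updates
        update-types:
          - minor
          - patch
    labels:
      - github-actions
      - dependencies
      - dependabot

  # --- NuGet packages -----------------------------------------------------
  - package-ecosystem: nuget
    directory: /
    schedule:
      interval: monthly
    target-branch: main
    reviewers:
      - jonlabelle
    commit-message:
      prefix: "chore(deps): "
    groups:
      # One PR for all minor + patch NuGet bumps.
      nuget-minor:
        applies-to: version-updates
        update-types:
          - minor
          - patch
    labels:
      - nuget
      - dependencies
      - dependabot

  # --- npm packages -------------------------------------------------------
  - package-ecosystem: npm
    directory: /
    schedule:
      interval: monthly
    target-branch: main
    reviewers:
      - jonlabelle
    commit-message:
      prefix: "chore(deps): "
    allow:
      # Only explicitly declared dependencies are updated by this entry.
      # NOTE(review): transitive packages are therefore outside its scope;
      # rely on Dependabot alerts / lockfile audits to cover them.
      - dependency-type: direct
      # Alternative (disabled): check only dependencies that end up in the
      # compiled app, not supporting tools like @vue-cli.
      # - dependency-type: production
    groups:
      # Development tooling: minor + patch bumps batched together.
      npm-development:
        applies-to: version-updates
        dependency-type: development
        update-types:
          - minor
          - patch
      # Shipped dependencies: only patch bumps are batched, so minor and
      # major production bumps are reviewed one PR at a time.
      npm-production:
        applies-to: version-updates
        dependency-type: production
        update-types:
          - patch
    labels:
      - npm
      - dependencies
      - dependabot

  # --- Docker base images -------------------------------------------------
  - package-ecosystem: docker
    directory: /
    schedule:
      interval: monthly
    target-branch: main
    reviewers:
      - jonlabelle
    commit-message:
      prefix: "chore(deps): "
    groups:
      # One PR for all minor + patch image tag bumps.
      docker-minor:
        applies-to: version-updates
        update-types:
          - minor
          - patch
    labels:
      - docker
      - dependencies
      - dependabot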