Skip to content

chore: remove Dependabot in favor of the weekly batch dependency update [RED-695] [ship]#1395

Merged
sorccu merged 1 commit into
mainfrom
simo/red-695-remove-dependabot
Jul 9, 2026
Merged

chore: remove Dependabot in favor of the weekly batch dependency update [RED-695] [ship]#1395
sorccu merged 1 commit into
mainfrom
simo/red-695-remove-dependabot

Conversation

@sorccu

@sorccu sorccu commented Jul 9, 2026

Copy link
Copy Markdown
Member

Linear: RED-695

Dependabot opened up to 3 npm version-update PRs daily, duplicating the weekly batched dependency update that is Node-floor aware and respects the minimumReleaseAge embargo in pnpm-workspace.yaml. Its output was already being discarded — the five most recent Dependabot PRs (#1375, #1376, #1379, #1380, #1381) were closed rather than merged.

This deletes .github/dependabot.yml, leaving the weekly batch as the single dependency-update path.

Why .github/release.yml changes too

Dependabot applied a dependencies label, and .github/release.yml mapped that label to a dedicated Improvements section in GitHub's auto-generated release notes. Dependabot's version updates were that label's only producer, so the category is removed along with the dependencies exclusion under Other Changes.

Generated release notes are unaffected in practice: the weekly batch PRs are unlabeled and already fall into Other Changes.

Scope

Dependabot has no other footprint — no workflow gates on dependabot[bot], no dependabot/** branch filters, no secrets.DEPENDABOT_*, no auto-merge workflow, and no docs referencing it. No Dependabot PRs are currently open, so none are orphaned. GitHub stops scheduling version updates once the config is absent from the default branch, i.e. on merge.

Out of scope

Dependabot security alerts and security updates are a repository setting rather than a function of this config, and intentionally remain enabled so security patches keep flowing outside the weekly cadence. Note that Dependabot labels every PR it opens dependencies, security-update PRs included — should one be merged, it now groups under Other Changes instead of the removed Improvements section. That grouping change is cosmetic.

…[RED-695]

Dependabot opened up to 3 npm version-update PRs daily, duplicating the weekly
batched dependency update that is Node-floor aware and respects the
minimumReleaseAge embargo in pnpm-workspace.yaml. Its output was already being
discarded: the five most recent Dependabot PRs were closed rather than merged.

Dependabot's version updates were the only remaining producer of the
`dependencies` label, so the `Improvements` category that mapped it in
.github/release.yml is removed too, along with the `dependencies` exclusion
under `Other Changes`. Weekly batch PRs are unlabeled and already fall into
`Other Changes`, so generated release notes are unaffected in practice.

Dependabot security alerts and security updates are a repository setting rather
than a function of this config and remain enabled. Should a security-update PR
be opened and merged, it carries the `dependencies` label and is now grouped
under `Other Changes`.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@sorccu sorccu changed the title [RED-695] chore: remove Dependabot in favor of the weekly batch dependency update chore: remove Dependabot in favor of the weekly batch dependency update [RED-695] Jul 9, 2026
@sorccu sorccu changed the title chore: remove Dependabot in favor of the weekly batch dependency update [RED-695] chore: remove Dependabot in favor of the weekly batch dependency update [RED-695] [ship] Jul 9, 2026

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Auto-approved: ship/show PR from a same-repo branch.

@sorccu sorccu merged commit aa21de8 into main Jul 9, 2026
16 checks passed
@sorccu sorccu deleted the simo/red-695-remove-dependabot branch July 9, 2026 13:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant