Dependabot-core: Ability to combine PR's via a dependabot comment

cc @infin8x I believe you're thinking about this problem

Currently I can have 10 PR's all related to say a new version of Babel.
They all pass individually.
I would like to be able to bundle these up into one Uber PR to avoid the need to continuously rebase (which will save significant build time).

Indeed, thanks @jurre and @chriseyre2000 - we're in the early stages of thinking about how grouped updates (#1190) might work.

@infin8x, I actually made an issue here outlining a potential spec.

https://github.com/dependabot/dependabot-core/issues/2672

However, I do like @chriseyre2000's suggestion to just reply directly via a GH comment.
I've updated it with the following interface suggestions.

Great, thanks @ChrisCates!

@infin8x, great, well, it's a first draft and needs to be revised.

Once, we have a full spec outlined. Happy to send in a PR.
The changes are pretty substantial to the core codebase, so thought It'd be more appropriate to start off with a spec.

Note that as a product maintainer, I don't want to be able to combine existing dependabot PRs (since I don't want to pay for a dozen of CI cycles when babel releases an update) and I don't want dependabot to push all the updates into a single PR (since I'm too cautious to merge aws-sdk changes together with react bumps). What I do need is the ability to configure dependabot to bump all babel plugins or react+react-dom together in a single PR.

@ChrisCates great to hear! I think the team should have some time to look into the spec and implementation in more detail in a few weeks.

@khitrenovich yep, makes sense, and is something we'd like to enable.

I was just wondering if there was any special feature to run a suggested report including suggested updates, integrations, ... Possibly with any areas one's contributions could be more successful or maybe not. I personally love an easy checklist style guide and am not so code savvy. This may not even be relevant as it may not help a lot of people.

@J-Vin

special feature to run a suggested report including suggested updates, integrations

It's a great idea. However, that's a completely different feature.
Would be great to add in as a Github App Integration.

@khitrenovich, that seems pretty important and I think the best approach would be a dependabot.yml file.

I've just added that to the spec.
Thanks for the feedback.

@khitrenovich, I was actually thinking about it more... The dependabot.yml file makes most sense. I'd just need to have it dropped in each repo and is probably actually faster than a comment.

i just completely changed the spec on https://github.com/dependabot/dependabot-core/issues/2672 to reflect what using a dependabot.yml file would look like.

@khitrenovich, I was actually thinking about it more... The dependabot.yml file makes most sense. I'd just need to have it dropped in each repo and is probably actually faster than a comment.

Yup, and in many cases it's already there - I think it's a must if you want to use dependabot on non-public repos.

@khitrenovich, there should be a button to autogenerate this file on Github Repos:

prs:
  group:
     - *
 automerged_updates:
      - match:
         dependency_type: "all"

I'd imagine many would press it.

I have been using Dependabot for 2 years on private repos without a
dependabot.yml so this is not true. The primary reason is that I can use
the UI to disable Dependabot across a range of PRs should I need to (it's
painful to make the same edit across 10 branches).

Please note that linked updates can be released with a different cadence.
React-dom sometimes arrives a day after react

On Monday, 26 October 2020, Anton Khitrenovich notifications@github.com
wrote:

@khitrenovich https://github.com/khitrenovich, I was actually thinking
about it more... The dependabot.yml file makes most sense. I'd just need
to have it dropped in each repo and is probably actually faster than a
comment.

Yup, and in many cases it's already there - I think it's a must if you
want to use dependabot on non-public repos.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
https://github.com/dependabot/dependabot-core/issues/2652#issuecomment-716884475,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AAIMRX2WORTCMPXSKQK22UTSMYCJJANCNFSM4STDV56Q
.

@infin8x, great, well, it's a first draft and needs to be revised.

Once, we have a full spec outlined. Happy to send in a PR.
The changes are pretty substantial to the core codebase, so thought It'd be more appropriate to start off with a spec.

Appreciate your offer to help on this, just want to note that a decent portion of the work needed to land this will be in the services we use at GitHub to run dependabot-core, which are not open source.

I have been using Dependabot for 2 years on private repos without a dependabot.yml so this is not true. The primary reason is that I can use the UI to disable Dependabot across a range of PRs should I need to (it's painful to make the same edit across 10 branches). Please note that linked updates can be released with a different cadence. React-dom sometimes arrives a day after react
…
On Monday, 26 October 2020, Anton Khitrenovich @.*> wrote: @khitrenovich https://github.com/khitrenovich, I was actually thinking about it more... The dependabot.yml file makes most sense. I'd just need to have it dropped in each repo and is probably actually faster than a comment. Yup, and in many cases it's already there - I think it's a must if you want to use dependabot on non-public repos. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#2652 (comment)>, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAIMRX2WORTCMPXSKQK22UTSMYCJJANCNFSM4STDV56Q .

You may have been using dependabot.com/dependabot-preview, the legacy product before it became part of GitHub natively.

In the native version of GitHub, if you want _scheduled_ updates you need a config file. You will get PRs for security advisories without a config file though.

@jurre, I noticed that. Reached out because the issue has been sitting around for a while and a lot of people (myself included), would like the change.