Hi all,

As many of you have probably noticed, Dependabot PR churn currently accounts for the majority of notifications from the Commons repositories. We can significantly reduce this noise by taking a few steps:

- Centralize workflows in `commons-parent` (or a new `commons-actions` repository) so that GitHub Actions updates happen only once.
- Avoid overriding Maven plugin versions unless there's a strong reason to do so.
- Use grouped Dependabot updates to upgrade multiple dependencies in a single PR.
- Adjust Dependabot's update schedule to match repository activity (e.g., `monthly`, `quarterly`, or `yearly`). Manual runs can still be triggered anytime under Insights -> Dependency Graph -> Dependabot, especially before a release.
- Move shared dependency management (such as test dependencies) into `commons-parent`, where appropriate.

Reducing unnecessary Dependabot churn will help us focus on changes that truly matter. Note that Dependabot will still automatically create PRs for security vulnerabilities in direct dependencies, regardless of other settings.

What do you think?

Best,
Piotr
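An added example, not part of Piotr's message or of any Commons repository's configuration: a `.github/dependabot.yml` that applies the grouping and schedule points above, so that plugin bumps, other Maven dependencies and GitHub Actions updates each arrive as one monthly PR instead of one PR per dependency. The group names and the `org.codehaus.mojo` pattern are assumptions chosen for illustration.

```yaml
version: 2
updates:
  # Maven build: collapse the usual stream of single-dependency PRs into
  # two grouped PRs per month (plugins, then everything else).
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "monthly"
    groups:
      maven-plugins:
        patterns:
          - "org.apache.maven.plugins:*"
          - "org.codehaus.mojo:*"   # assumed: other plugin groupIds used in the build
      other-dependencies:
        # A catch-all group; dependencies already matched above are not repeated here.
        patterns:
          - "*"

  # GitHub Actions: one grouped PR per month. If workflows are later centralized
  # in commons-parent, this block is only needed in that repository.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"
    groups:
      github-actions:
        patterns:
          - "*"

# Note: security updates for direct dependencies are raised by Dependabot as
# soon as an advisory is published, independent of the schedule above.
```

A manual run from Insights -> Dependency Graph -> Dependabot before a release picks up anything the monthly cadence has not yet delivered.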
