
ci: group major dependabot bumps per ecosystem #388

Merged
Aureliolo merged 1 commit into main from chore/dependabot-group-majors on Mar 14, 2026

Conversation

@Aureliolo (Owner)

Summary

  • Add major update-type group to all 8 Dependabot ecosystem configs (uv, github-actions, pre-commit, npm x2, docker x3)
  • Interdependent major bumps (e.g. echarts 6 + vue-echarts 8) now land in a single PR instead of separate conflicting ones
  • Add missing minor-and-patch grouping to the 3 Docker configs for consistency

Motivation: PRs #380 (echarts 5→6) and #384 (vue-echarts 7→8) are interdependent but arrived as separate PRs, both with broken CI due to peer dependency conflicts. Grouping majors prevents this.

Test plan

  • YAML validated by pre-commit check-yaml hook
  • Wait for next Dependabot run to confirm grouped PRs appear correctly
  • Existing open individual major PRs will need to be closed manually (Dependabot will recreate them grouped)

🤖 Generated with Claude Code

Add `major` update-type group to all 8 Dependabot ecosystem configs
so interdependent major bumps (e.g. echarts 6 + vue-echarts 8) land
in a single PR instead of separate conflicting ones.

Also adds missing `minor-and-patch` grouping to the 3 Docker configs
for consistency.
Copilot AI review requested due to automatic review settings March 14, 2026 11:30
@github-actions (Contributor)

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@gemini-code-assist (Contributor)

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the project's dependency management by configuring Dependabot to group major version updates for all ecosystems. This change addresses issues where interdependent major bumps would generate separate, conflicting pull requests, leading to broken CI. By consolidating these updates, the process for managing significant dependency upgrades will be streamlined and more robust. Additionally, it standardizes the "minor-and-patch" grouping across all Docker configurations.

Highlights

  • Dependabot Configuration: Added a "major" update-type group to all eight Dependabot ecosystem configurations (uv, github-actions, pre-commit, npm x2, docker x3).
  • Dependency Grouping: Ensured interdependent major dependency bumps are now grouped into a single pull request, preventing separate, conflicting PRs.
  • Configuration Consistency: Included the "minor-and-patch" grouping for consistency in the three Docker configurations where it was previously missing.
Changelog
  • .github/dependabot.yml
    • Added a "major" update-type group to all eight Dependabot configurations.
    • Ensured the "minor-and-patch" update-type group is explicitly defined for the three Docker configurations for consistency.
Activity
  • The author, Aureliolo, has validated the YAML configuration using a pre-commit "check-yaml" hook.
  • The pull request is awaiting the next Dependabot run to confirm the correct grouping of PRs.
  • Existing individual major PRs will need to be manually closed, as Dependabot will recreate them in grouped form.

@coderabbitai

coderabbitai bot commented Mar 14, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 2db968a and ae3d8ba.

📒 Files selected for processing (1)
  • .github/dependabot.yml
🧰 Additional context used
📓 Path-based instructions (1)
.github/dependabot.yml

📄 CodeRabbit inference engine (CLAUDE.md)

Dependabot auto-updates Docker image digests and versions daily

Files:

  • .github/dependabot.yml
🧠 Learnings (4)
📓 Common learnings
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-14T11:20:53.699Z
Learning: Applies to .github/dependabot.yml : Dependabot auto-updates Docker image digests and versions daily
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-14T11:20:53.699Z
Learning: Applies to .github/workflows/dependency-review.yml : Dependency review: license allow-list (permissive only), PR comment summaries
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-14T11:20:53.699Z
Learning: Applies to .github/workflows/ci.yml : CI jobs run in parallel: lint (ruff) + type-check (mypy) + test (pytest + coverage) + python-audit (pip-audit) + dockerfile-lint (hadolint) + dashboard-lint/type-check/test/build/audit (npm) → ci-pass gate
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-14T11:20:53.699Z
Learning: Applies to .pre-commit-config.yaml : Pre-commit autoupdate disabled (autoupdate_schedule: never) — Dependabot owns hook version bumps via pre-commit ecosystem
📚 Learning: 2026-03-14T11:20:53.699Z
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-14T11:20:53.699Z
Learning: Commit messages must follow format: <type>: <description> — types are feat, fix, refactor, docs, test, chore, perf, ci — enforced by commitizen

Applied to files:

  • .github/dependabot.yml
🔇 Additional comments (2)
.github/dependabot.yml (2)

15-16: LGTM! Major grouping added consistently across non-Docker ecosystems.

The major update-type groups are correctly added alongside existing minor-and-patch groups for uv, github-actions, pre-commit, and both npm configurations. This will ensure interdependent major version bumps within each ecosystem are batched into a single PR.

Also applies to: 34-35, 53-54, 74-75, 93-94


109-113: LGTM! Docker configs now have consistent grouping.

The three Docker ecosystem configurations (/docker/backend, /docker/web, /docker/sandbox) now include both minor-and-patch and major groups, bringing them in line with the other ecosystems. This ensures consistency across all Dependabot configurations.

Based on learnings: Dependabot auto-updates Docker image digests and versions daily — this change maintains the daily schedule while adding proper version grouping.

Also applies to: 128-132, 147-151


📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Updated dependency management configuration to support automatic major-version updates across multiple package ecosystems.

Walkthrough

This change adds major version update groups to Dependabot configurations across multiple package ecosystems (uv, github-actions, pre-commit, npm, and docker), enabling automatic major-version dependency updates alongside existing minor and patch updates.

Changes

Cohort / File(s) Summary
Dependabot Configuration
.github/dependabot.yml
Added major update-type groups to multiple ecosystem configurations (uv, github-actions, pre-commit, npm, docker). Each major group is inserted under the corresponding minor-and-patch group with update-types: [major] setting.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Possibly related PRs

  • PR #369: Modifies the same .github/dependabot.yml file by adding and adjusting Dependabot ecosystem configurations, creating potential overlap or dependency with this major update-type group addition.
Pre-merge checks: 3 passed
  • Title check (Passed): The title 'ci: group major dependabot bumps per ecosystem' accurately describes the main change—organizing major dependency updates by ecosystem.
  • Description check (Passed): The description provides detailed context about the changes, motivation, and test plan, all directly related to the changeset modifications.
  • Docstring Coverage (Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



Copilot AI left a comment
Pull request overview

Updates the repository’s Dependabot configuration to group major version bumps per ecosystem, reducing conflicting PRs for interdependent dependencies (e.g., peer-dependency major upgrades landing separately).

Changes:

  • Add a major Dependabot group (update-types: [major]) to all configured ecosystems.
  • Add missing minor-and-patch grouping to all Docker ecosystem configs for consistency.


@greptile-apps

greptile-apps bot commented Mar 14, 2026

Greptile Summary

This PR updates .github/dependabot.yml to group major version bumps together (per ecosystem) so that interdependent major upgrades — like echarts 5→6 and vue-echarts 7→8 — land in a single PR instead of separate, conflicting ones. It also backfills the missing minor-and-patch group to the three Docker ecosystem configs for consistency with the other five.

Key changes:

  • Adds major: update-types: [major] group to all 8 ecosystem blocks (uv, github-actions, pre-commit, npm ×2, docker ×3)
  • Adds minor-and-patch + major groups to the three previously ungrouped Docker entries (/docker/backend, /docker/web, /docker/sandbox)
  • The YAML is valid and the grouping logic is sound; every update type (minor, patch, major) is now covered by a named group across all ecosystems
  • Existing open individual major PRs (chore: bump echarts from 5.6.0 to 6.0.0 in /web #380, chore: bump vue-echarts from 7.0.3 to 8.0.1 in /web #384) will need to be closed manually — Dependabot will recreate them as grouped PRs on the next run, as acknowledged in the test plan

Confidence Score: 5/5

  • This PR is safe to merge — it only modifies Dependabot grouping configuration with no runtime impact.
  • The change is limited to a single CI configuration file. The YAML structure is valid, the grouping logic is correct and consistent across all 8 ecosystem entries, and the motivation is well-documented. There are no code changes, no logic paths affected, and the side-effects (existing open individual major PRs needing manual closure) are explicitly acknowledged in the PR.
  • No files require special attention.

Important Files Changed

  • .github/dependabot.yml: Adds a major update-type group to all 8 ecosystem configs (uv, github-actions, pre-commit, npm ×2, docker ×3) and backfills the missing minor-and-patch group to the 3 Docker configs; YAML structure is valid and consistent.

Last reviewed commit: ae3d8ba

@gemini-code-assist gemini-code-assist bot left a comment (Contributor)

Code Review

This pull request updates the Dependabot configuration to group dependency updates. Specifically, it adds groups for major updates across all ecosystems and adds minor/patch groups for Docker ecosystems for consistency. This is motivated by a desire to handle interdependent major version bumps in a single PR.

My review suggests a more targeted approach for grouping major updates. Instead of grouping all major updates together, which could lead to large and complex PRs, I recommend using pattern-based groups for specifically known interdependent packages. This would solve the stated problem while keeping other major updates separate and easier to manage. An example is provided for the npm ecosystem.

Comment on lines +74 to +75:

      major:
        update-types: [major]

Severity: medium

While grouping all major updates will solve the problem of interdependent packages, it might create large and hard-to-review pull requests by bundling unrelated major version bumps. This could make it difficult to roll back a specific update if it causes issues.

A more targeted approach would be to use pattern-based grouping only for the packages that are known to be interdependent. This would solve the issue you described with echarts and vue-echarts without affecting other major updates.

For example, you could configure it like this:

      echarts-stack:
        patterns:
          - "echarts"
          - "vue-echarts"
        update-types:
          - "major"

@Aureliolo Aureliolo merged commit 3c43aef into main Mar 14, 2026
26 checks passed
@Aureliolo Aureliolo deleted the chore/dependabot-group-majors branch March 14, 2026 11:33
@codecov

codecov bot commented Mar 14, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.83%. Comparing base (2db968a) to head (ae3d8ba).
⚠️ Report is 1 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #388   +/-   ##
=======================================
  Coverage   93.83%   93.83%           
=======================================
  Files         462      462           
  Lines       21653    21653           
  Branches     2079     2079           
=======================================
  Hits        20319    20319           
  Misses       1032     1032           
  Partials      302      302           


Aureliolo added a commit that referenced this pull request Mar 14, 2026
🤖 I have created a release *beep* *boop*
---

## [0.1.4](v0.1.3...v0.1.4) (2026-03-14)

### Features

* add approval workflow gates to TaskEngine ([#387](#387)) ([2db968a](2db968a))
* implement checkpoint recovery strategy ([#367](#367)) ([f886838](f886838))

### CI/CD

* add npm and pre-commit ecosystems to Dependabot ([#369](#369)) ([54e5fe7](54e5fe7))
* bump actions/setup-node from 4.4.0 to 6.3.0 ([#360](#360)) ([2db5105](2db5105))
* bump github/codeql-action from 3.32.6 to 4.32.6 ([#361](#361)) ([ce766e8](ce766e8))
* group major dependabot bumps per ecosystem ([#388](#388)) ([3c43aef](3c43aef))

### Maintenance

* bump @vitejs/plugin-vue from 5.2.4 to 6.0.5 in /web ([#382](#382)) ([d7054ee](d7054ee))
* bump @vue/tsconfig from 0.7.0 to 0.9.0 in /web in the minor-and-patch group across 1 directory ([#371](#371)) ([64fa08b](64fa08b))
* bump astro from 5.18.1 to 6.0.4 in /site ([#376](#376)) ([d349317](d349317))
* bump https://github.com/astral-sh/ruff-pre-commit from v0.15.5 to 0.15.6 ([#372](#372)) ([dcacb2e](dcacb2e))
* bump https://github.com/gitleaks/gitleaks from v8.24.3 to 8.30.1 ([#375](#375)) ([a18e6ed](a18e6ed))
* bump https://github.com/hadolint/hadolint from v2.12.0 to 2.14.0 ([#373](#373)) ([47b906b](47b906b))
* bump https://github.com/pre-commit/pre-commit-hooks from v5.0.0 to 6.0.0 ([#374](#374)) ([1926555](1926555))
* bump litellm from 1.82.1 to 1.82.2 in the minor-and-patch group ([#385](#385)) ([fa4f7b7](fa4f7b7))
* bump node from 22-alpine to 25-alpine in /docker/web ([#359](#359)) ([8d56cd3](8d56cd3))
* bump node from 22-slim to 25-slim in /docker/sandbox ([#358](#358)) ([3de8748](3de8748))
* bump pinia from 2.3.1 to 3.0.4 in /web ([#381](#381)) ([c78dcc2](c78dcc2))
* bump the major group across 1 directory with 9 updates ([#389](#389)) ([9fa621b](9fa621b))
* bump the minor-and-patch group with 2 updates ([#362](#362)) ([6ede2ce](6ede2ce))
* bump vue-router from 4.6.4 to 5.0.3 in /web ([#378](#378)) ([6c60f6c](6c60f6c))
* expand review skills to 18 smart conditional agents ([#364](#364)) ([494013f](494013f))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).