DataDesigner/.github/dependabot.yml
Andre Manoel 47be28c799
fix: tune Dependabot config and fix DCO assistant bugs (#534)
* fix: restrict Dependabot pip updates to security-only

The Dependabot config added in #517 included weekly version-bump PRs for
all three pip packages. This would generate noisy PRs for routine dep
updates we don't need. Set open-pull-requests-limit: 0 on the pip
ecosystems so only CVE-triggered security updates open PRs.

GitHub Actions weekly bumps are kept as-is to keep SHA pins current.

* fix: group Dependabot Actions PRs and fix DCO allowlist

- Add a Dependabot group to bundle all GitHub Actions updates into a
  single weekly PR instead of one per action
- Fix DCO allowlist: dependabot -> dependabot[bot] to match the actual
  GitHub username (the old value never matched, but there were no
  Dependabot PRs before #517 to expose the bug)

* fix: align DCO assistant if-condition with custom sign-off text

The step's if-condition checked for the default sign-off text but
custom-pr-sign-comment uses different wording. This meant the
issue_comment trigger was always skipped - sign-offs only worked
by accident when a subsequent push re-triggered the action via
pull_request_target.
2026-04-13 12:12:26 -03:00

33 lines
761 B
YAML

version: 2
updates:
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
    groups:
      all-actions:
        patterns:
          - "*"
    commit-message:
      prefix: "ci"
  - package-ecosystem: pip
    directory: /packages/data-designer-config
    schedule:
      interval: weekly
    open-pull-requests-limit: 0
    commit-message:
      prefix: "chore"
  - package-ecosystem: pip
    directory: /packages/data-designer-engine
    schedule:
      interval: weekly
    open-pull-requests-limit: 0
    commit-message:
      prefix: "chore"
  - package-ecosystem: pip
    directory: /packages/data-designer
    schedule:
      interval: weekly
    open-pull-requests-limit: 0
    commit-message:
      prefix: "chore"
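
An added example, not part of the DataDesigner repository: a Ruby check that a CI job could run against dependabot.yml to catch a regression of the policy this commit sets (pip entries security-only, all GitHub Actions updates in one group). The function name `audit_dependabot`, the policy wording and the sample input are assumptions constructed for illustration.

```ruby
require "yaml"

# Constructed sample: a shortened copy of the config above with the limit
# removed from the second pip entry, so the check has something to report.
SAMPLE = <<~YML
  version: 2
  updates:
    - package-ecosystem: github-actions
      directory: /
      schedule:
        interval: weekly
      groups:
        all-actions:
          patterns:
            - "*"
    - package-ecosystem: pip
      directory: /packages/data-designer-config
      schedule:
        interval: weekly
      open-pull-requests-limit: 0
    - package-ecosystem: pip
      directory: /packages/data-designer-engine
      schedule:
        interval: weekly
YML

# Policy assumed from the commit message (hypothetical helper, not project code):
#   pip entries are security-only, i.e. open-pull-requests-limit is 0;
#   github-actions entries bundle every action into one group via "*".
def audit_dependabot(yaml_text)
  config = YAML.safe_load(yaml_text) || {}
  findings = []
  findings << "version must be 2" unless config["version"] == 2
  Array(config["updates"]).each do |entry|
    where = "#{entry["package-ecosystem"]} #{entry["directory"]}"
    case entry["package-ecosystem"]
    when "pip"
      unless entry["open-pull-requests-limit"] == 0
        findings << "#{where}: version-update PRs enabled (limit is not 0)"
      end
    when "github-actions"
      patterns = (entry["groups"] || {}).values.flat_map { |g| Array(g["patterns"]) }
      findings << "#{where}: no group with pattern \"*\"" unless patterns.include?("*")
    end
  end
  findings
end

puts audit_dependabot(SAMPLE)
```

`open-pull-requests-limit: 0` only turns off version-update PRs; security-update PRs still depend on Dependabot security updates being enabled in the repository settings.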