feat: grouped updates for Dependabot

Signed-off-by: Henry Schreiner <[email protected]>
scientific-python · Dec 20, 2023 · edae679 · edae679
1 parent 003011d
commit edae679
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 3 deletions.
diff --git a/docs/pages/guides/gha_basic.md b/docs/pages/guides/gha_basic.md
@@ -142,14 +142,20 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
+    groups:
+      actions:
+        patterns:
+          - "*"
 ```
 
 This will check to see if there are updates to the action weekly, and will make
 a PR if there are updates, including the changelog and commit summary in the PR.
 If you select a name like `v1`, this should only look for updates of the same
 form (since April 2022) - there is no need to restrict updates for "moving tag"
-updates anymore {% rr PY006 %}. You can also use SHA's and dependabot will
-respect that too.
+updates anymore {% rr GH211 %}. You can also use SHA's and dependabot will
+respect that too. And `groups` will combine actions updates {% rr GH212 %},
+which is both cleaner and sometimes required for dependent actions, like
+`upload-artifact`/`download-artifact`.
 
 You can use this for other ecosystems too, including Python.
 

diff --git a/src/sp_repo_review/checks/github.py b/src/sp_repo_review/checks/github.py
@@ -149,7 +149,11 @@ def check(dependabot: dict[str, Any]) -> bool:
           - package-ecosystem: "github-actions"
             directory: "/"
             schedule:
-            interval: "weekly"
+              interval: "weekly"
+            groups:
+              actions:
+                patterns:
+                  - "*"
         ```
         """
         for ecosystem in dependabot.get("updates", []):
@@ -179,5 +183,34 @@ def check(dependabot: dict[str, Any]) -> bool:
         return True
 
 
+class GH212(GitHub):
+    "Require GHA update grouping"
+
+    requires = {"GH200", "GH210"}
+    url = mk_url("gha-basic")
+
+    @staticmethod
+    def check(dependabot: dict[str, Any]) -> bool:
+        """
+        Projects should group their updates to avoid extra PRs and stay in sync.
+        This is now supported by dependabot since June 2023.
+
+        ```yaml
+            groups:
+              actions:
+                patterns:
+                  - "*"
+        ```
+        """
+
+        for ecosystem in dependabot.get("updates", []):
+            if (
+                ecosystem.get("package-ecosystem", "") == "github-actions"
+                and "groups" not in ecosystem
+            ):
+                return False
+        return True
+
+
 def repo_review_checks() -> dict[str, GitHub]:
     return {p.__name__: p() for p in GitHub.__subclasses__()}
diff --git a/{{cookiecutter.project_name}}/.github/dependabot.yml b/{{cookiecutter.project_name}}/.github/dependabot.yml
@@ -5,3 +5,7 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
+    groups:
+      actions:
+        patterns:
+          - "*"