From 34437b24b52b7d1630d552499ffded679e168f2f Mon Sep 17 00:00:00 2001
From: Vijit Singh
Date: Thu, 18 Jun 2026 03:53:10 -0500
Subject: [PATCH] build(#282): scope Dependabot to safe updates (docker digest/patch-only, pin protobuf/grpcio)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Follow-up after the first Dependabot run proposed breaking major bumps: - docker: ignore semver-major/minor — base-image upgrades (python 3.11->3.14, ubuntu 24.04->26.04) are deliberate migrations, not security updates; keep Dependabot to digest + patch within the tag. - uv (python): ignore protobuf/grpcio majors — both are pinned to what the vendored Tari gRPC stubs assert at import time (pyproject comment); a major needs the stubs regenerated first. Closed the two offending PRs (#300 docker majors, #301 protobuf 7); #299 (action bumps) is safe.
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/dependabot.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 079e528..c5484ae 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -20,6 +20,13 @@ updates:
 groups:
 python:
 patterns: ["*"]
+ ignore:
+ # protobuf/grpcio are pinned to what the vendored Tari gRPC stubs assert at import time
+ # (see build/dashboard/pyproject.toml); a major bump needs the stubs regenerated first.
+ - dependency-name: "protobuf"
+ update-types: ["version-update:semver-major"]
+ - dependency-name: "grpcio"
+ update-types: ["version-update:semver-major"]
 # Base-image digests across every build/* Dockerfile (incl. the uv build image). This is the
 # mechanism that clears base-distro CVEs — e.g. the openssl point-release accepted in .trivyignore.
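Review bot: The two `ignore` entries added under the uv update block also silence security-driven bumps: if an advisory against protobuf or grpcio is fixed only in a new major, Dependabot will raise nothing rather than a PR — that is my reading of the documented ignore semantics, worth confirming against the Dependabot docs before merging. The comment explains the pin but not that consequence, so I'd extend the second comment line with `# NOTE: this also hides advisories whose only fix is a new major — review protobuf/grpcio advisories by hand when the stubs are regenerated.` That keeps the maintainer who eventually regenerates the stubs aware that the freeze has a security cost, not just a compatibility one. The uv update entry's header (ecosystem/directory/schedule) is outside the hunk.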
@@ -35,3 +42,8 @@ updates:
 groups:
 docker:
 patterns: ["*"]
+ ignore:
+ # Major/minor base bumps (e.g. python 3.11->3.14, ubuntu 24.04->26.04) are deliberate
+ # migrations, not security updates — keep Dependabot to digest + patch within the pinned tag.
+ - dependency-name: "*"
+ update-types: ["version-update:semver-major", "version-update:semver-minor"]
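Review bot: The wildcard `dependency-name: "*"` combined with ignoring `semver-minor` freezes every image under `build/*` at its current minor, including the uv build image the preceding comment mentions; for a tool still versioned 0.x, where fixes and features ship as minor releases, that means it only ever sees patch releases of whatever minor is pinned today — hedged, since the Dockerfiles and their tag scheme are not in the hunk. The stated intent in the comment is about the language/distro bases, so I'd narrow the rule to one entry per base it names, e.g. `- dependency-name: "python"` and `- dependency-name: "ubuntu"`, each carrying the same `update-types` list, and leave the remaining images on default version updates. Digest updates within the pinned tag are unaffected either way, so the CVE-clearing path described in the comment above the docker entry stays intact. The docker update entry's header is outside the hunk.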