From e21c986b15001659512cc72a39c6448979127e22 Mon Sep 17 00:00:00 2001 
From: Sin-Kang
Date: Sat, 23 May 2026 16:43:53 +0900
Subject: [PATCH] fix(deps): hold Spring Boot/Framework/Gradle majors until starter certifies
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

After yesterday's dependabot.yml went live, Dependabot opened 18 individual PRs to bump every demo from Spring Boot 3.5.3 → 4.0.6 and Gradle wrapper 8.10.2 → 9.5.1 (#19-#36). The grouped PRs (e.g. #18 for spring-boot patch/minor) worked correctly; what didn't was that default group semantics excluded `version-update:semver-major`, so major bumps escaped grouping and landed as individual PRs per demo.

Beyond the noise, the real problem is that the demos must mirror the Spring Boot baseline each *starter* was certified against — per its README:

> Spring Boot 3.3+ on Java 21+ (built/tested against 3.5)

easy-paging-spring-boot-starter has not (yet) published a release certified against Spring Boot 4 / Spring Framework 7 / Jakarta EE 11. Auto-bumping demos to SB4 would silently advertise an unverified combination to anyone who clones a demo as a starting point.

This commit adds an `ignore` block that holds majors for:

- org.springframework.boot:* (the BOM driver)
- io.spring.dependency-management
- org.springframework:* and org.springframework.cloud:* (transitively pulled in; majors can land off the SB cadence)
- gradle (wrapper) — each major needs hand verification of deprecations-now-errors before going green across 9 demos

Patch/minor bumps still flow through (and group correctly — PR #18 already proved that path), so security fixes within the 3.5.x line land normally.

Lift these holds when each starter publishes its SB4-compatible release line; the demos can then be upgraded together in one intentional PR per starter, not piecemeal by a robot.

Follow-up:

- Merge PR #18 (grouped patch/minor across 9 demos) and PRs #14-#17 (github-actions minors) since they're inside policy.
- Close PRs #19-#36 (18 stragglers); the new policy guarantees they won't reappear on the next Dependabot run.
---
 .github/dependabot.yml | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 62466ff..f8694a1 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -35,6 +35,39 @@ updates: commit-message: prefix: "build(deps)" include: "scope" + # ---------------------------------------------------------------- + # Hold majors at the starter's tested baseline. + # + # The demos exist to showcase the starters at the Spring Boot + # version each starter is *certified against* (per its README). + # Letting Dependabot land a Spring Boot major (3.x → 4.x) ahead of + # the starter's own SB4 release would silently advertise + # incompatible combinations to anyone copying a demo. + # + # When a starter publishes a SB4-compatible release line (e.g. + # easy-paging 0.5.x), this ignore block gets relaxed for that + # specific starter family, and the demos are upgraded together in + # a single PR — not piecemeal by a robot. + # ---------------------------------------------------------------- + ignore: + # Spring Boot + dependency-management major bumps + - dependency-name: "org.springframework.boot:*" + update-types: ["version-update:semver-major"] + - dependency-name: "io.spring.dependency-management" + update-types: ["version-update:semver-major"] + # Spring Framework / Spring Cloud — pulled in transitively by SB, + # but their majors land outside the SB BOM cadence sometimes + - dependency-name: "org.springframework:*" + update-types: ["version-update:semver-major"] + - dependency-name: "org.springframework.cloud:*" + update-types: ["version-update:semver-major"] + # Gradle wrapper — each new major (8 → 9, etc.) needs hand + # verification (deprecations may have become errors). Dependabot + # bumps the *wrapper version*, which doesn't run any code; the + # CI catches breakage on next build, but a major bump deserves + # a dedicated PR with eyes on it, not 9 silent ones. + - dependency-name: "gradle" + update-types: ["version-update:semver-major"] # Group related bumps into single PRs to keep the queue manageable. groups: # devslab-kr starters this repo exists to showcase — every new release
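Review bot: the `ignore` entries added in this hunk also suppress Dependabot security updates for the matched packages, not only version updates, so an advisory whose patched release exists only in a newer major will no longer surface as a PR; the comment block above `ignore:` should say so next to its "When a starter publishes a SB4-compatible release line" exit condition, and a review date there would keep the hold from outliving OSS support for the 3.5.x line that the commit message relies on for security fixes. Second, `ignore` is scoped to the single `updates:` entry this hunk lands in (the one carrying `commit-message: prefix: "build(deps)"`); if the 9 demos are separate `updates:` entries rather than one entry with several directories, the block must be repeated in each, or the other demos keep receiving the individual major PRs this change is meant to stop. Minor: the comment "Dependabot bumps the *wrapper version*, which doesn't run any code" understates the change; a wrapper bump rewrites the `distributionUrl` that the next build downloads and executes, which is precisely why one reviewed PR (with the distribution checksum pinned in `gradle-wrapper.properties`) is the right policy here.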