chore(deps): update dependabot/fetch-metadata action to v2.5.0#879
rjmurillo left a comment:
dependabot/fetch-metadata 2.4.0 to 2.5.0: minor update, GitHub Action only. All CI checks pass. Safe to merge.
…915)

## Summary

- Disable dependabot for NuGet, consolidate to renovate-only
- Consolidate 4 overlapping auto-approve/merge workflows into 1
- Update renovate.json with proper package grouping and exclusion rules
- Add `docs/dependency-management.md` documenting package categories and upgrade policies

## Problem

Both dependabot and renovate created duplicate PRs for every NuGet update. Dependabot NuGet PRs used "Bump X from A to B" titles that failed the required "Validate PR title" check (conventional commits required), so they could never auto-merge. Four overlapping auto-approve/merge workflows competed with each other, one of which had a broken step referencing a nonexistent step output (`steps.cpr.outputs`).

## Changes

### Dependabot config (`.github/dependabot.yml`)

Removed the `nuget` ecosystem. Retained `github-actions` ecosystem (dependabot's fetch-metadata action provides update-type classification for major version gating).

### Workflow consolidation

Deleted 3 workflows, kept and expanded 1:

- **Deleted:** `auto-approve-and-merge-renovate.yml`, `dependabot-auto-approve.yml`, `dependabot-auto-merge.yml`
- **Kept:** `dependabot-approve-and-auto-merge.yml` with separate jobs for dependabot and renovate

### Renovate config (`renovate.json`)

- Added `ignoreDeps` for `Microsoft.CodeAnalysis.*` core packages (same policy as former dependabot ignore list)
- Grouped `BenchmarkDotNet` + `Perfolizer` as `benchmark-tooling` with `automerge: false` (coordinated updates required due to transitive dependency constraints)
- Disabled `System.CommandLine` and `System.CommandLine.Rendering` updates until PerfDiff rewrite (#914)

### Documentation

New `docs/dependency-management.md` covers:

- Package categories (shipped, build-time, test, benchmark, tools, infrastructure)
- Upgrade policies per category
- The VersionOverride pattern for non-shipped projects
- Lessons from the CS8032/SCI incident (#850)

## Bot PR cleanup performed

| Action | PRs |
|--------|-----|
| Closed (dependabot duplicates) | #903, #902, #890, #880, #909 |
| Closed (superseded) | #877 (Meziantou 2.0.302, superseded by 3.x) |
| Closed (build failures) | #834 (BenchmarkDotNet), #832 (Perfolizer) |
| Closed (PerfDiff breakage) | #821 (dotnet monorepo) |
| Merged | #878, #882, #881, #879, #883, #884 |

## Validation

- `dotnet build /p:PedanticMode=true`: 0 warnings, 0 errors
- `dotnet format`: no changes needed
- Tests cannot run locally (machine has .NET 10 only, test TFM is net8.0); CI will validate

## Test plan

- [ ] CI build passes
- [ ] All tests pass
- [ ] No new bot PRs from dependabot for NuGet packages
- [ ] Renovate correctly picks up future dependency updates
- [ ] Auto-approve/merge workflow fires for new renovate PRs

🤖 Generated with [Claude Code](https://claude.com/claude-code)

## Summary by CodeRabbit

* **Chores**
  * Consolidated dependency-update process: moved NuGet management to Renovate, removed several automated auto-approve/auto-merge workflows for bot PRs, and adjusted automerge/approval behavior and rules.
  * Renovate configuration updated with new groups, ignore lists, and automerge adjustments.
* **Documentation**
  * Added a dependency management guide detailing categories, upgrade policies, configuration patterns, and workflow recommendations.

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
This PR contains the following updates:

- dependabot/fetch-metadata: v2.4.0 → v2.5.0

### Release Notes

dependabot/fetch-metadata (dependabot/fetch-metadata)

#### v2.5.0 (Compare Source)

##### What's Changed

Full Changelog: dependabot/fetch-metadata@v2...v2.5.0

### Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.