From 0483ddbd399dd9b5271e2c6c05f99d6ea6173f24 Mon Sep 17 00:00:00 2001 From: David Gracia Date: Thu, 18 Jun 2026 00:52:34 -0600 Subject: [PATCH] chore(dependabot): weekly + grouped updates to cut Chromatic snapshots MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Dependabot was the dominant Chromatic snapshot drain: ~65 of the last 100 Chromatic builds were Dependabot PRs, each a FULL ~89-story rebuild (a lockfile change defeats TurboSnap — a dependency could affect any component), amplified by daily cadence, ungrouped per-package PRs, and a fresh rebuild on every rebase of every open PR. That alone burned a month's OSS-tier budget (7,500) in ~5 days. Switch npm + github-actions updates to weekly, and group the dev-tooling churn into a single PR (plus the existing react/react-dom group; majors stay ungrouped). One grouped weekly PR ≈ one build instead of many. Chromatic still runs on Dependabot PRs — visual checks are NOT skipped, there are just far fewer of them. Auto-merge is preserved: the dev group is dev-only + non-major, matching the dependabot-auto-merge gate. Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/dependabot.yml | 35 ++++++++++++++++++++++++++++++++--- 1 file changed, 32 insertions(+), 3 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index c7f1188..557dae8 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -7,18 +7,47 @@ version: 2 updates: - package-ecosystem: 'npm' # See documentation for possible values directory: '/' # Location of package manifests + # Weekly (was daily) + grouped to protect the Chromatic snapshot budget. + # A Dependabot bump always changes the lockfile, and a lockfile change + # defeats TurboSnap (Chromatic does a FULL rebuild of all ~89 stories, + # because a dependency change could affect any component). Daily + + # ungrouped meant ~6 separate PRs/day, each a full rebuild, plus a fresh + # full rebuild on every rebase of every open PR — the dominant snapshot + # drain. Weekly cadence + one grouped dev PR collapses that to roughly a + # single build per week. Chromatic still runs on these PRs (visual checks + # are NOT skipped); there are just far fewer of them. schedule: - interval: 'daily' + interval: 'weekly' groups: # react and react-dom must carry the exact same version — a lone # bump of either one fails every test with React's - # version-mismatch error (see PR #72). + # version-mismatch error (see PR #72). No update-types filter so they + # always move together, including on a major bump. react: patterns: - 'react' - 'react-dom' + # Collapse the dev-tooling churn (Storybook addons, Vite, Vitest, + # ESLint, the chromatic CLI, @types/*, etc.) into ONE weekly PR + # instead of one PR per package. One grouped PR = one Chromatic build + # instead of many. Majors stay ungrouped so a breaking bump is + # reviewed on its own. This keeps the dependabot-auto-merge workflow + # working: the group is dev-only + non-major, so it still matches its + # `dependency-type == direct:development && update-type != major` gate. + dev-dependencies: + dependency-type: 'development' + update-types: + - 'minor' + - 'patch' # Maintain dependencies for GitHub Actions - package-ecosystem: 'github-actions' directory: '/' schedule: - interval: 'daily' + interval: 'weekly' + # One grouped PR for all action bumps (these cost ~0 Chromatic snapshots + # — workflow files are not in the Storybook dependency graph — but + # grouping keeps the PR noise down). + groups: + github-actions: + patterns: + - '*'