From c5a779e19124069cc80be3da85fd179a55c64fef Mon Sep 17 00:00:00 2001
From: AP Ljungquist <ap@ljungquist.eu>
Date: Tue, 30 Apr 2024 23:17:40 +0200
Subject: [PATCH] Set dependabot group and versioning-strategy

Group dependency updates to reduce noise from pull requests.
Major and security updates are left grouped so that they can be given
careful and, in the case of security updates,  expedited consideration.

Set the versioning strategy to "lockfile-only" because the default
value, presumably "auto", would bump the required version of
dependencies in the manifest(s) and in turn force these requirements
onto our users.

One downside of this is that dependabot will not attempt to "widen"
the versions specified in the manifest(s), which means we may forget
to add support for new major versions. But as of writing the "cargo"
package-ecosystem supports only "auto" and "lockfile-only".
---
 .github/dependabot.yml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index dac4fdb..c107b74 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -11,3 +11,10 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
+    groups:
+      default:
+        applies-to: version-updates
+        update-types:
+          - "minor"
+          - "patch"
+    versioning-strategy: lockfile-only