Group non-breaking dependabot PRs together to reduce review load

.github/dependabot.yml

     return "\n".join(messages) 
 def build_dependabot_changelog(repo: Repo, current_version: version.Version) -> str: 
     """Summarise dependabot commits between `current_version` and `release_branch`. 
     Returns an empty string if there have been no such commits; otherwise outputs a 
     third-level markdown header followed by an unordered list.""" 
     last_release_commit = repo.tag("v" + str(current_version)).commit 
     rev_spec = f"{last_release_commit.hexsha}.." 
     commits = list(git.objects.Commit.iter_items(repo, rev_spec)) 
     messages = [] 
     for commit in reversed(commits): 
         if commit.author.name == "dependabot[bot]": 
             message: Union[str, bytes] = commit.message 
             if isinstance(message, bytes): 
                 message = message.decode("utf-8") 
             messages.append(message.split("\n", maxsplit=1)[0]) 
     if not messages: 
         print(f"No dependabot commits in range {rev_spec}", file=sys.stderr) 
         return "" 
     messages.sort() 
     def replacer(match: Match[str]) -> str: 
         desc = match.group(1) 
         number = match.group(2) 
         return f"* {desc}. ([\\#{number}](https://github.com/element-hq/synapse/issues/{number}))" 
     for i, message in enumerate(messages): 
         messages[i] = re.sub(r"(.*) \(#(\d+)\)$", replacer, message) 
     messages.insert(0, "### Updates to locked dependencies\n") 
     # Add an extra blank line to the bottom of the section 
     messages.append("") 
     return "\n".join(messages) 
@@ -5,19 +5,65 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
+    # Group patch updates to packages together into a single PR, as they rarely
+    # if ever contain breaking changes that need to be reviewed separately.
+    # 
+    # Less PRs means a streamlined review process.
+    #
+    # Python packages follow semantic versioning, and tend to only introduce
+    # breaking changes in major version bumps. Thus, we'll group minor and patch
+    # versions together.
+    groups:
+      minor-and-patches:
+        applies-to: version-updates
+        patterns:
+          - "*"
+        update-types:
+          - "minor"
+          - "patch"
 
   - package-ecosystem: "docker"
     directory: "/docker"
     schedule:
       interval: "weekly"
+    # For container versions, breaking changes are also typically only introduced in major
+    # package bumps.
+    groups:
+      minor-and-patches:
+        applies-to: version-updates
+        patterns:
+          - "*"
+        update-types:
+          - "minor"
+          - "patch"
 
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "weekly"
+    # Similarly for GitHub Actions, breaking changes are typically only introduced in major
+    # package bumps.
+    groups:
+      minor-and-patches:
+        applies-to: version-updates
+        patterns:
+          - "*"
+        update-types:
+          - "minor"
+          - "patch"
 
   - package-ecosystem: "cargo"
     directory: "/"
     versioning-strategy: "lockfile-only"
     schedule:
       interval: "weekly"
+    # The Rust ecosystem is special in that breaking changes are often introduced
+    # in minor version bumps, as packages typically stay pre-1.0 for a long time.
+    # Thus we specifically keep minor version bumps separate in their own PRs.
+    groups:
+      patches:
+        applies-to: version-updates
+        patterns:
+          - "*"
+        update-types:
+          - "patch"

changelog.d/18402.misc

@@ -0,0 +1 @@
+Group together dependabot update PRs to reduce the review load.