From 282bb7ed02b2ca52fe611ab8222158b69fae4b94 Mon Sep 17 00:00:00 2001 From: Lindsay Holmwood Date: Thu, 21 May 2026 16:34:39 +1000 Subject: [PATCH] ci(dependabot): ignore major version updates MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Dependabot's `groups`/`update-types` only controls how updates are bundled into PRs, not whether PRs are opened. Major bumps that match no group (e.g. zod 3→4, vitest 3→4) were still raised as individual PRs. Add an `ignore` rule for `version-update:semver-major` to both the npm and github-actions ecosystems so major bumps are reviewed and applied manually. --- .github/dependabot.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 68ac1bd1..db49ec64 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -34,10 +34,13 @@ updates: type-definitions: patterns: - "@types/*" - # Major bumps stay un-grouped → one PR each, easier to review. ignore: # Catalog-managed; bump manually via pnpm-workspace.yaml + changeset. - dependency-name: "@cipherstash/auth" + # Major bumps are reviewed and applied manually, not by Dependabot. + - dependency-name: "*" + update-types: + - version-update:semver-major # ── GitHub Actions ───────────────────────────────────────────── - package-ecosystem: github-actions @@ -60,3 +63,8 @@ updates: update-types: - minor - patch + ignore: + # Major bumps are reviewed and applied manually, not by Dependabot. + - dependency-name: "*" + update-types: + - version-update:semver-major
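Review bot: With `dependency-name: "*"` plus `version-update:semver-major` in the npm `ignore` list, a pending major release no longer produces any PR or other signal, and nothing in the hunk says how majors will be noticed; the same applies to the `ignore` block added for github-actions in the second hunk. As far as I know, `update-types` ignore conditions only filter version updates and leave Dependabot security updates alone, but that is worth confirming and stating, since a major line that goes end-of-life stops receiving fixes. I would extend the comment to something like `# Majors are applied manually (tracked in <tracking issue/process>); security updates are not affected by this rule.` For github-actions, if the workflows reference actions by major tag (not visible here), this rule may suppress most of the updates that ecosystem would ever receive. Both `updates:` entries start outside the hunks, so their `schedule` and `groups` settings could not be checked against this.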