feat: groups for dependabot (#348)

* ci: group dependabot updates

Signed-off-by: Henry Schreiner <henryschreineriii@gmail.com>

* feat: grouped updates for Dependabot

Signed-off-by: Henry Schreiner <henryschreineriii@gmail.com>

---------

Signed-off-by: Henry Schreiner <henryschreineriii@gmail.com>

.github/dependabot.yml

@@ -5,3 +5,7 @@ updates:
     directory: "/"
     schedule:
       interval: "daily"
+    groups:
+      actions:
+        patterns:
+          - "*"

README.md

@@ -348,6 +348,7 @@ for family, grp in itertools.groupby(collected.checks.items(), key=lambda x: x[1
 - [`GH200`](https://learn.scientific-python.org/development/guides/gha-basic#GH200): Maintained by Dependabot
 - [`GH210`](https://learn.scientific-python.org/development/guides/gha-basic#GH210): Maintains the GitHub action versions with Dependabot
 - [`GH211`](https://learn.scientific-python.org/development/guides/gha-basic#GH211): Do not pin core actions as major versions
+- [`GH212`](https://learn.scientific-python.org/development/guides/gha-basic#GH212): Require GHA update grouping
 
 ### MyPy
 - [`MY100`](https://learn.scientific-python.org/development/guides/style#MY100): Uses MyPy (pyproject config)

docs/pages/guides/gha_basic.md

@@ -142,14 +142,20 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
+    groups:
+      actions:
+        patterns:
+          - "*"
 ```
 
 This will check to see if there are updates to the action weekly, and will make
 a PR if there are updates, including the changelog and commit summary in the PR.
 If you select a name like `v1`, this should only look for updates of the same
 form (since April 2022) - there is no need to restrict updates for "moving tag"
-updates anymore {% rr PY006 %}. You can also use SHA's and dependabot will
-respect that too.
+updates anymore {% rr GH211 %}. You can also use SHA's and dependabot will
+respect that too. And `groups` will combine actions updates {% rr GH212 %},
+which is both cleaner and sometimes required for dependent actions, like
+`upload-artifact`/`download-artifact`.
 
 You can use this for other ecosystems too, including Python.
 

src/sp_repo_review/checks/github.py

@@ -149,7 +149,11 @@ def check(dependabot: dict[str, Any]) -> bool:
           - package-ecosystem: "github-actions"
             directory: "/"
             schedule:
-            interval: "weekly"
+              interval: "weekly"
+            groups:
+              actions:
+                patterns:
+                  - "*"
         ```
         """
         for ecosystem in dependabot.get("updates", []):
@@ -179,5 +183,34 @@ def check(dependabot: dict[str, Any]) -> bool:
         return True
 
 
+class GH212(GitHub):
+    "Require GHA update grouping"
+
+    requires = {"GH200", "GH210"}
+    url = mk_url("gha-basic")
+
+    @staticmethod
+    def check(dependabot: dict[str, Any]) -> bool:
+        """
+        Projects should group their updates to avoid extra PRs and stay in sync.
+        This is now supported by dependabot since June 2023.
+
+        ```yaml
+            groups:
+              actions:
+                patterns:
+                  - "*"
+        ```
+        """
+
+        for ecosystem in dependabot.get("updates", []):
+            if (
+                ecosystem.get("package-ecosystem", "") == "github-actions"
+                and "groups" not in ecosystem
+            ):
+                return False
+        return True
+
+
 def repo_review_checks() -> dict[str, GitHub]:
     return {p.__name__: p() for p in GitHub.__subclasses__()}

{{cookiecutter.project_name}}/.github/dependabot.yml

@@ -5,3 +5,7 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
+    groups:
+      actions:
+        patterns:
+          - "*"