Skip to content

Stop Dependabot from applying semver release labels to dependency-update PRs #359

Description

PSModule repositories drive releases from labels: when a pull request merges, its major / minor / patch (release-bump) label decides the repository's next version. Dependabot opens dependency-update pull requests across every repository.

Request

What happens

Dependabot automatically applies a semver-level label — major, minor, or patch — to each dependency-update pull request, matching the dependency's version jump. It does this because the repository already has labels with those exact names (used for release bumping), and Dependabot applies same-named semver labels when they exist. The release workflow then reads that label as this repository's release bump. A dependency's major or minor jump can therefore cut a major or minor release of the module even when the change to the consuming artifact is trivial or invisible.

An issue was raised upstream with Dependabot, but the behaviour persists, so the ecosystem needs to defend against it directly.

Reproduction steps

  1. Use any PSModule repository whose release-bump labels are named major / minor / patch.
  2. Let Dependabot open a github-actions update pull request.
  3. Observe the pull request carries a semver label matching the dependency's jump — e.g. Bump PSModule/Process-PSModule/.github/workflows/workflow.yml from 5.5.0 to 5.5.7 GitHub#606, Bump PSModule/Process-PSModule/.github/workflows/workflow.yml from 5.5.0 to 5.5.4 GitHub#604, and Bump PSModule/Process-PSModule/.github/workflows/workflow.yml from 5.5.0 to 5.5.2 GitHub#602 each carry patch — even though .github/dependabot.yml only requests dependencies + github-actions, never a semver label.

What is expected

  • No semver-based label is present on a Dependabot pull request.
  • A dependency-update pull request never sets the repository's release bump from a Dependabot-applied label.
  • The release bump for a dependency update is decided by the framework (a deterministic default), not by the upstream dependency's semver jump.

Note on label casing

The collision surfaces where release labels are lowercase (major / minor / patch, as in PSModule/GitHub). Repositories whose labels are capitalised (Major / Minor / Patch, as used on this repository's issues) do not match Dependabot's lowercase semver labels and are not affected. The fix must not rely on casing alone.

Acceptance criteria

  • Dependabot-authored pull requests carry no major / minor / patch (or update:*) label after processing.
  • A merged Dependabot pull request produces the intended, deterministic release bump regardless of the upstream jump.
  • Behaviour is consistent across repositories regardless of label casing.
  • No semver-based labelling of dependency pull requests remains in the framework or its templates.

Technical decisions

Root cause. Dependabot applies semver labels (major / minor / patch) to its pull requests when labels of those names exist in the repository (see Dependabot's labels behaviour). PSModule's release-bump labels use exactly those names, so the dependency's jump signal is mistaken by the release workflow for this repository's bump signal. Two different dimensions — the upstream dependency jump and this repository's release bump — share one label set.

Options considered:

  1. Ignore semver labels on Dependabot-authored pull requests during version resolution. In Resolve-PSModuleVersion, when the pull request author is app/dependabot, disregard any major / minor / patch label and apply a deterministic default bump. Central, robust, and independent of label casing.
  2. Strip semver labels from Dependabot pull requests on open. A small pull_request step (guarded on author app/dependabot) removes any major / minor / patch / update:* label so the pull request view is also clean.
  3. Rename release-bump labels so Dependabot cannot match them. Fragile if it leans on casing; a rename touches every repository, the resolver, and the bootstrap — a large blast radius. Rejected as the sole fix.

Chosen approach. Option 1 as the authoritative fix — the resolver is the single source of truth for the bump — combined with Option 2 to keep the pull request presentation clean. The default bump for a dependency update is defined once by the framework.

Documentation reconciliation (MSXOrg). The written standard still prescribes a semver label scheme for update pull requests, which this change removes in practice. Reconcile:

Out of scope. The upstream Dependabot behaviour itself (tracked upstream); this issue defends the ecosystem regardless of the upstream outcome.


Implementation plan

Framework

  • In Resolve-PSModuleVersion, ignore major / minor / patch labels when the pull request author is app/dependabot, and apply the deterministic default bump
  • Decide and document the default release bump for dependency-update pull requests
  • Add a step (or reusable snippet) that removes semver / update:* labels from Dependabot pull requests on open
  • Match major|minor|patch case-insensitively so the fix is casing-independent

Repositories and templates

  • Confirm Template-Action and Template-PSModule seed no semver labelling for Dependabot
  • Verify a representative repository (e.g. PSModule/GitHub) no longer shows semver labels on Dependabot pull requests

Tests

  • Add a test: a Dependabot-authored pull request carrying a major label resolves to the default bump
  • Add a test: semver labels are absent or stripped on Dependabot pull requests

Documentation (MSXOrg/docs)

  • Remove the update:* semver-label scheme from GitHub-Actions.md, dependency-updates/design.md, and dependency-updates/spec.md
  • State that dependency-update pull requests carry no semver-based labels

Metadata

Metadata

Assignees

No one assigned

    Labels

    PatchbugSomething isn't working

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions