Consolidate schedule for Dependabot updates #582
Pull request overview
This pull request attempts to consolidate Dependabot update schedules to reduce the frequency of dependency update PRs from multiple individual PRs to a single weekly batch. The change introduces a multi-ecosystem-groups configuration that aims to group all package ecosystems (GitHub Actions, devcontainers, npm, pip, gomod, and nuget) under a single schedule.
Changes:
- Adds a multi-ecosystem-groups configuration with a weekly schedule
- Removes individual schedule blocks from each package ecosystem configuration
- Adds multi-ecosystem-group: 'all' references to all seven package ecosystem entries
Comments suppressed due to low confidence (1)
.github/dependabot.yaml:5
- The multi-ecosystem-groups feature appears to use incorrect syntax. According to GitHub's Dependabot configuration schema, the correct top-level key is groups (not multi-ecosystem-groups), and individual package ecosystems should reference groups using the groups field (not multi-ecosystem-group).
The schedule should be defined at the individual update level, not at the group level. Groups in Dependabot are used to bundle dependency updates together in a single PR, but schedules must still be defined per package ecosystem.
Please verify this configuration against the official Dependabot documentation. The intended behavior (consolidating updates to reduce PR volume) might require using dependency groups differently than shown here.
multi-ecosystem-groups:
  all:
    schedule:
      interval: 'weekly'
| - package-ecosystem: 'github-actions' | ||
| directory: '/' | ||
| schedule: | ||
| interval: 'weekly' | ||
| multi-ecosystem-group: 'all' | ||
| - package-ecosystem: 'devcontainers' | ||
| directory: '/' | ||
| schedule: | ||
| interval: 'weekly' | ||
| multi-ecosystem-group: 'all' | ||
| # Node.js dependencies | ||
| - package-ecosystem: 'npm' | ||
| directory: '/nodejs' | ||
| schedule: | ||
| interval: 'weekly' | ||
| multi-ecosystem-group: 'all' | ||
| - package-ecosystem: 'npm' | ||
| directory: '/test/harness' | ||
| schedule: | ||
| interval: 'weekly' | ||
| multi-ecosystem-group: 'all' | ||
| # Python dependencies | ||
| - package-ecosystem: 'pip' | ||
| directory: '/python' | ||
| schedule: | ||
| interval: 'weekly' | ||
| multi-ecosystem-group: 'all' | ||
| # Go dependencies | ||
| - package-ecosystem: 'gomod' | ||
| directory: '/go' | ||
| schedule: | ||
| interval: 'weekly' | ||
| multi-ecosystem-group: 'all' | ||
| # .NET dependencies | ||
| - package-ecosystem: 'nuget' | ||
| directory: '/dotnet' | ||
| schedule: | ||
| interval: 'weekly' | ||
| multi-ecosystem-group: 'all' |
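Review bot: None of the seven entries in this hunk carries a patterns key next to multi-ecosystem-group: 'all'. The multi-ecosystem-groups section of the Dependabot options reference linked in this thread describes patterns as required on each entry that is assigned to a multi-ecosystem group, so consider adding patterns: ['*'] to every entry to pull all of its dependencies into the weekly 'all' PR, and confirm the requirement against that page before merging.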
The removal of individual schedule configurations from each package ecosystem combined with the use of multi-ecosystem-group: 'all' may not work as intended. Each package ecosystem entry in Dependabot typically requires its own schedule configuration. Without individual schedules, Dependabot may not know when to check for updates for these ecosystems.
If the goal is to group updates together to reduce the number of PRs, consider using the groups feature properly (with schedules still defined per ecosystem) or explore other Dependabot configuration options like open-pull-requests-limit.
This issue also appears on line 2 of the same file.
See below for a potential fix:
    multi-ecosystem-group: 'all'
    schedule:
      interval: 'weekly'
  - package-ecosystem: 'devcontainers'
    directory: '/'
    multi-ecosystem-group: 'all'
    schedule:
      interval: 'weekly'
  # Node.js dependencies
  - package-ecosystem: 'npm'
    directory: '/nodejs'
    multi-ecosystem-group: 'all'
    schedule:
      interval: 'weekly'
  - package-ecosystem: 'npm'
    directory: '/test/harness'
    multi-ecosystem-group: 'all'
    schedule:
      interval: 'weekly'
  # Python dependencies
  - package-ecosystem: 'pip'
    directory: '/python'
    multi-ecosystem-group: 'all'
    schedule:
      interval: 'weekly'
  # Go dependencies
  - package-ecosystem: 'gomod'
    directory: '/go'
    multi-ecosystem-group: 'all'
    schedule:
      interval: 'weekly'
  # .NET dependencies
  - package-ecosystem: 'nuget'
    directory: '/dotnet'
    multi-ecosystem-group: 'all'
    schedule:
      interval: 'weekly'
I got this config format from docs: https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#multi-ecosystem-groups
We just got dozens of PRs from Dependabot. This should reduce it to one per week.