Group non-breaking dependabot PRs together to reduce review load

[anoadragon453]

While it's great that we have dependabot updating our PRs, the sheer amount of PRs it produces has a few side effects:

• It causes the overall synapse-core PR review backlog to be bloated, which leads developers to feel that we're getting underwater.
• It creates an intimidating number of PRs to review, meaning that dependency updates actually happen less frequently.
• The review process becomes monotonous as most of the time you're waiting for GitHub's UI to load and just pressing buttons.
• We use less CI minutes.

Thus it seems necessary to try and group the PRs that don't need very careful review together into a single PR. See the comments in the patch for the chosen rules and the justification.

Further reading: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/optimizing-pr-creation-version-updates#prioritizing-meaningful-updates

Originally suggested by the Server Products Team, and used successfully in the SBG/TI-Messenger repos.

Pull Request Checklist

• Pull request is based on the develop branch
• Pull request includes a changelog file. The entry should:
  • Be a short description of your change which makes sense to users. "Fixed a bug that prevented receiving messages from other servers." instead of "Moved X method from EventStore to EventWorkerStore.".
  • Use markdown where necessary, mostly for code blocks.
  • End with either a period (.) or an exclamation mark (!).
  • Start with a capital letter.
  • Feel free to credit yourself, by adding a sentence "Contributed by @github_username." or "Contributed by [Your Name]." to the end of the entry.
• Code style is correct
  (run the linters)

[anoadragon453]

@sandhose questioned in an internal meeting whether this would be compatible with what we do for towncrier changelog entries for dependabot PRs in the release script:

synapse/scripts-dev/release.py

Lines 929 to 961 in 740fc88

	def build_dependabot_changelog(repo: Repo, current_version: version.Version) -> str:
	"""Summarise dependabot commits between `current_version` and `release_branch`.
	Returns an empty string if there have been no such commits; otherwise outputs a
	third-level markdown header followed by an unordered list."""
	last_release_commit = repo.tag("v" + str(current_version)).commit
	rev_spec = f"{last_release_commit.hexsha}.."
	commits = list(git.objects.Commit.iter_items(repo, rev_spec))
	messages = []
	for commit in reversed(commits):
	if commit.author.name == "dependabot[bot]":
	message: Union[str, bytes] = commit.message
	if isinstance(message, bytes):
	message = message.decode("utf-8")
	messages.append(message.split("\n", maxsplit=1)[0])
	if not messages:
	print(f"No dependabot commits in range {rev_spec}", file=sys.stderr)
	return ""
	messages.sort()
	def replacer(match: Match[str]) -> str:
	desc = match.group(1)
	number = match.group(2)
	return f"* {desc}. ([\\#{number}](https://github.com/element-hq/synapse/issues/{number}))"
	for i, message in enumerate(messages):
	messages[i] = re.sub(r"(.*) \(#(\d+)\)$", replacer, message)
	messages.insert(0, "### Updates to locked dependencies\n")
	# Add an extra blank line to the bottom of the section
	messages.append("")
	return "\n".join(messages)

[anoadragon453]

From checking internal repos that have grouping of dependabot PRs enabled, dependabot will create one commit with the title "Bump the patches group with 5 updates" and then a markdown table with the old/new versions:

| Package | From | To |
| --- | --- | --- |
| [tower-http](https://github.com/tower-rs/tower-http) | `0.6.4` | `0.6.5` |
| [hyper-util](https://github.com/hyperium/hyper-util) | `0.1.12` | `0.1.13` |
| [ruma](https://github.com/ruma/ruma) | `0.12.2` | `0.12.3` |
| [clap](https://github.com/clap-rs/clap) | `4.5.38` | `4.5.39` |
| [ruma-events](https://github.com/ruma/ruma) | `0.30.2` | `0.30.3` |

as well as a yaml-based list:

updated-dependencies:
- dependency-name: tower-http
  dependency-version: 0.6.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patches
- dependency-name: hyper-util
  dependency-version: 0.1.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patches
- dependency-name: ruma
  dependency-version: 0.12.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patches
- dependency-name: clap
  dependency-version: 4.5.39
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patches
- dependency-name: ruma-events
  dependency-version: 0.30.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: patches

the release script could parse one of these so that we still have a single line per update in the changelog. But I'm not sure how much folks actually care. I suppose this is one to ask the Synapse package maintainers matrix room...

[anoadragon453]

The Synapse package maintainers said they don't use this information, so let's drop it.

Should be unblocked by #19254, which removes said section from the release script/changelog.

[devonh]

Thanks for taking this on.
The grouping choices seem sane to me. I think it will be best just to try this out for a while and see how things go.

It looks easy to tweak these setting in the future if we find that a different grouping setup would be better.

[anoadragon453]

If it's any reassurance, we currently make use of this on the (internal) ti-messenger-proxy repo. You can see an example of what a grouped PR looks like here: https://github.com/element-hq/ti-messenger-proxy/pull/769