rules

Configuration

name: rules

type: array

default: []

{
  "name": "company/project",
  "extra": {
    "violinist": {
      "rules": []
    }
  }
}

Define package-specific configuration rules that override the default settings.

This option is currently in beta. This means its options are considered stable (no backwards incompatible changes will be added), but that there are some stability and usability improvements expected.

Explanation

The rules option allows you to apply different configuration settings to different groups of packages. This is useful when you want to handle certain packages differently from your default configuration. For example, you might want to apply security-only updates to development tools while allowing all updates for production dependencies.

Rules are evaluated in order, and when a package matches a rule, the configuration from that rule is merged with your default configuration.

Comparison with bundled_packages

If you want to group packages together in a more flexible pattern than using bundled_packages, then rules is for you. The main differences are:

• bundled_packages will only update its bundled packages if the "parent" package has an update, while rules can update the group if any of the packages has an update.
• Rules make it possible to have different configurations per group. For example, you can automerge one group but not others.
• Rules support pattern matching with wildcards and negation, making them much more flexible.

Structure

Rules is an array of rule objects. Each rule object has the following structure:

{
  "rules": [
    {
      "name": "Human readable name",
      "slug": "machine-readable-slug",
      "matchRules": [
        {
          "type": "names",
          "values": ["vendor/*", "!vendor/excluded-package"]
        }
      ],
      "config": {
        "blocklist": [],
        "branch_prefix": "deps/",
        "security_updates_only": 1
      }
    }
  ]
}

Rule Properties

Property	Type	Description
name	string	A human-readable name for the rule (for documentation purposes)
slug	string	A machine-readable identifier for the rule
matchRules	array	An array of match rule objects that determine which packages this rule applies to
config	object	Configuration options to apply when a package matches

Match Rules

Match rules determine which packages a rule applies to. Each match rule has a type and associated properties.

Type: names

Match packages by name using fnmatch patterns.

Pattern	Description
vendor/*	Match all packages from a vendor
vendor/package	Match a specific package
vendor/prefix-*	Match packages with a specific prefix
!vendor/package	Exclude a specific package (negative match)

When using negative matches (!), the package is excluded from the rule even if it matches a positive pattern. This allows you to select a broad group of packages and then exclude specific ones.

{
  "matchRules": [
    {
      "type": "names",
      "values": [
        "drupal/*",
        "!drupal/core-recommended",
        "!drupal/core-composer-scaffold"
      ]
    }
  ]
}

This example matches all drupal/* packages except drupal/core-recommended and drupal/core-composer-scaffold.

Config Overrides

Within a rule's config object, you can override most configuration options. The configuration from matching rules is merged with your default configuration.

Overridable Options

The following options can be used within rules:

• allow_list
• allow_update_indirect_with_direct
• allow_updates_beyond_constraint
• always_allow_direct_dependencies
• always_update_all
• assignees
• automerge
• automerge_method
• automerge_method_security
• automerge_security
• blocklist
• branch_prefix
• bundled_packages
• check_only_direct_dependencies
• commit_message_convention
• composer_outdated_flag
• default_branch
• default_branch_security
• ignore_platform_requirements
• labels
• labels_security
• one_pull_request_per_package
• run_scripts
• security_updates_only
• update_dev_dependencies
• update_with_dependencies

Root-level Only Options

The following options cannot be overridden in rules and only apply at the root configuration level:

• number_of_concurrent_updates
• allow_security_updates_on_concurrent_limit
• timeframe_disallowed
• timezone

Examples

Security-only updates for dev dependencies

Only receive security updates for development tools while allowing all updates for production dependencies:

{
  "name": "company/project",
  "extra": {
    "violinist": {
      "rules": [
        {
          "name": "Dev tools - security only",
          "slug": "dev-tools-security",
          "matchRules": [
            {
              "type": "names",
              "values": ["phpunit/*", "phpstan/*", "squizlabs/*", "friendsofphp/*"]
            }
          ],
          "config": {
            "security_updates_only": 1
          }
        }
      ]
    }
  }
}

Bundling Drupal Core packages

Bundle all Drupal core packages together so they update in a single pull request:

{
  "name": "company/drupal-project",
  "extra": {
    "violinist": {
      "rules": [
        {
          "name": "Drupal Core packages",
          "slug": "drupal-core",
          "matchRules": [
            {
              "type": "names",
              "values": ["drupal/core-recommended"]
            }
          ],
          "config": {
            "bundled_packages": {
              "drupal/core-recommended": [
                "drupal/core-composer-scaffold",
                "drupal/core-project-message"
              ]
            }
          }
        }
      ],
      "blocklist": [
        "drupal/core-composer-scaffold",
        "drupal/core-project-message"
      ]
    }
  }
}

Custom branch prefixes per package group

Use different branch prefixes for different types of dependencies:

{
  "name": "company/project",
  "extra": {
    "violinist": {
      "rules": [
        {
          "name": "Framework updates",
          "slug": "framework",
          "matchRules": [
            {
              "type": "names",
              "values": ["symfony/*", "laravel/*"]
            }
          ],
          "config": {
            "branch_prefix": "deps/framework/"
          }
        },
        {
          "name": "Testing tools",
          "slug": "testing",
          "matchRules": [
            {
              "type": "names",
              "values": ["phpunit/*", "mockery/*", "fakerphp/*"]
            }
          ],
          "config": {
            "branch_prefix": "deps/testing/"
          }
        }
      ]
    }
  }
}

Disable dev dependency updates for Drupal contrib

Update dev dependencies by default but disable them for Drupal contrib modules:

{
  "name": "company/drupal-project",
  "extra": {
    "violinist": {
      "update_dev_dependencies": 1,
      "rules": [
        {
          "name": "Drupal Contrib",
          "slug": "drupal-contrib",
          "matchRules": [
            {
              "type": "names",
              "values": [
                "drupal/*",
                "!drupal/core-*"
              ]
            }
          ],
          "config": {
            "update_dev_dependencies": 0
          }
        }
      ]
    }
  }
}

Automerge minor updates for specific packages

Automatically merge minor updates for well-tested packages while requiring manual review for others:

{
  "name": "company/project",
  "extra": {
    "violinist": {
      "rules": [
        {
          "name": "Trusted packages - automerge",
          "slug": "trusted-automerge",
          "matchRules": [
            {
              "type": "names",
              "values": ["psr/*", "symfony/polyfill-*"]
            }
          ],
          "config": {
            "automerge": 1,
            "composer_outdated_flag": "minor"
          }
        }
      ]
    }
  }
}

Rule Precedence

When a package matches multiple rules, the configurations are merged in order. Later rules can override settings from earlier rules. If you have overlapping patterns, place more specific rules after more general ones.

Note: Root-level configuration is always applied first, then rules are evaluated and merged in the order they appear.