Dependabot grouped security PR not working as configured

[kaji-bikash]

Select Topic Area

Bug

Body

Our use case:
We have mono-repositories with mixed runtimes - mainly go-lang & NPM ecosystem.

We have "dependency graph", "security alerts" & "grouping" all enabled for the repository for dependabot alerts. As dependabot alerts could be noisy, we wanted to further control "how &/or on what" notification should happen. For this, we have got roughly following configuration in the monorepository.

version: 2
registries:
  github:
    type: git
    url: https://github.com
    username: x-access-token
    password: ${{secrets.ORG_GITHUB_TOKEN}}

updates:
  - package-ecosystem: "gomod"
    directory: "comp/service/service-name/src/"
    registries:
      - github
    open-pull-requests-limit: 0
    labels:
      - security
      - component:service-name
    ignore:
      - dependency-name: "lodash"
    schedule:
      interval: "daily"
      timezone: "Europe/London"
    groups:
      golang-non-major:
        applies-to: security-updates
        update-types:
          - "patch"
          - "minor"
      golang-major:
        applies-to: security-updates
        update-types:
          - "major"
          

We have open-pull-requests-limit: 0 because we are only interested in security updates for now. Dependabot is creating grouped PR with label "dependency" for other code available in monorepository(outside directory comp/service/service-name/src/) but not as instructed in dependabot.yaml.

We have enterprise cloud github version and we are following this blog post - https://github.blog/changelog/2024-03-28-dependabot-grouped-security-updates-generally-available/

When we looked under "security alerts", we see something strange inside some individual alert raised by Dependabot. Picture is worth more here.

Not sure what's going on and what else to give to understand where exactly it is failing or stuck.

Any help is appreciated in solving this!! Major nuisance so far.