Customized grouped security updates via Dependabot not working

[kaji-bikash]

Our use case:
We have a mono-repositories with mixed runtimes - mainly go-lang & NPM ecosystem.

We have "dependency graph", "security alerts" & "grouping" all enabled for the repository but we wanted to further control how &/or on what notification should happen. For this, we have got roughly following configuration

version: 2
registries:
  github:
    type: git
    url: https://github.com
    username: x-access-token
    password: ${{secrets.ORG_GITHUB_TOKEN}}

updates:
  - package-ecosystem: "gomod"
    directory: "comp/service/service-name/src/"
    registries:
      - github
    open-pull-requests-limit: 0
    labels:
      - security
      - component:service-name
    ignore:
      - dependency-name: "lodash"
    schedule:
      interval: "daily"
      timezone: "Europe/London"
    groups:
      golang-non-major:
        applies-to: security-updates
        update-types:
          - "patch"
          - "minor"
      golang-major:
        applies-to: security-updates
        update-types:
          - "major"
          

We have open-pull-requests-limit: 0 because we are only interested in security updates for now. Dependabot is creating grouped PR with label "dependency" for other code available in monorepo but not as instructed in dependabot.yaml. Any help is appreciated in solving this!! Major nuisance so far.

We have enterprise cloud github version and we are following this blog post - https://github.blog/changelog/2024-03-28-dependabot-grouped-security-updates-generally-available/

[kaji-bikash]

When we looked under "security alerts", we see something strange inside some individual alert raised by Dependabot. Picture is worth more here.

Not sure what's going on and what else to give to understand where exactly it is failing or stuck. Help @github