Dependabot frequency #144
Comments
EliahKagan
added a commit
to EliahKagan/gitoxide
that referenced
this issue
May 7, 2024
A number of reusable actions, such as actions/checkout, are in old major versions, including versions that use old deprecated versions of Node.js, such as Node 16 (rather than the current Node 20). Dependabot version updates were disabled for Rust crates in GitoxideLabs#143 and GitoxideLabs#144, with other means used to keep things up to date. This does not reverse that even partially, as it enables version updates only for GitHub Actions (which it has not been used on before). Because most actions are specified with major version tags that get reset to the latest stable minor/patch version under that major version, the actual frequency of updates should not be anywhere near daily. Nonetheless, it may make sense to further refine this configuration, such as to check for updates less often as well as to group multiple updates into a single PR when doing so.
EliahKagan
added a commit
to EliahKagan/gitoxide
that referenced
this issue
May 7, 2024
A number of reusable actions, such as actions/checkout, are in old major versions, including versions that use old deprecated versions of Node.js, such as Node 16 (rather than the current Node 20). Dependabot version updates were disabled for Rust crates in GitoxideLabs#143 and GitoxideLabs#144, with other means used to keep things up to date. This does not reverse that even partially, as it enables version updates only for GitHub Actions (which it has not been used on before). Because most actions are specified with major version tags that get reset to the latest stable minor/patch version under that major version, the actual frequency of updates should not be anywhere near daily. Nonetheless, it may make sense to further refine this configuration, such as to check for updates less often as well as to group multiple updates into a single PR when doing so.
EliahKagan
added a commit
to EliahKagan/gitoxide
that referenced
this issue
Nov 11, 2024
In the past (GitoxideLabs#143), Dependabot version updates had been used to keep `cargo` dependencies up to date. This was removed in favor of doing manual updates based on automatic reports from `cargo deny` and the old `dependabot.yml` was kept but renamed to disable it and point people to GitoxideLabs#144 to learn about the change. Since then, Dependabot security updates, which are distinct from Dependabot version updates, were enabled (see GitoxideLabs#1254), and later, Dependabot version updates were reintroduced for GitHub Actions only (GitoxideLabs#1357). At that point, there were two Dependabot-related YAML files: the old disabled one, and the new one for GHA. This removes the old one, explaining the situation in a comment in the new one, including a link to GitoxideLabs#144. While doing so, this also adjusts the YAML code style there, to bring it in line with the style of most other YAML files in the repository.
EliahKagan
added a commit
to EliahKagan/gitoxide
that referenced
this issue
Nov 11, 2024
In the past (GitoxideLabs#143), Dependabot version updates had been used to keep `cargo` dependencies up to date. This was removed in favor of doing manual updates based on automatic reports from `cargo deny` and the old `dependabot.yml` was kept but renamed to disable it and point people to GitoxideLabs#144 to learn about the change. Since then, Dependabot security updates, which are distinct from Dependabot version updates, were enabled (see GitoxideLabs#1254), and later, Dependabot version updates were reintroduced for GitHub Actions only (GitoxideLabs#1357). At that point, there were two Dependabot-related YAML files: the old disabled one, and the new one for GHA. This removes the old one, explaining the situation in a comment in the new one, including a link to GitoxideLabs#144. While doing so, this also adjusts the YAML code style there, to bring it in line with the style of most other YAML files in the repository.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Discussed in #143
Originally posted by edward-shen July 30, 2021
While keeping up to date is a good thing, frequent updates create a lot of noise and can be annoying. Perhaps we can configure it to once a week, or once a month?
We can take larger period between dependabot checks because we already run
cargo denyin CI, so any urgent issues will be noticed quickly, where we manually update.https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates#scheduleinterval
The text was updated successfully, but these errors were encountered: