ci: configure the labels for dependabot PRs #1407

Merged

Conversation

tonyandrewmeyer
Contributor

For GitHub actions dependabot PRs: only use the dependencies label, rather than both that and github_actions.

For pip (Python) dependabot PRs: we only have security dependabot PRs enabled, so add the same label restriction (avoiding a python label) but this requires adding a section to configure dependabot, and then essentially disabling most of it by setting the maximum PRs to 0 (security PRs will still be opened).

Collaborator

@benhoyt benhoyt left a comment

Thanks!

@benhoyt benhoyt removed the request for review from IronCore864 October 2, 2024 21:46
@james-garner-canonical
Contributor

I know you said it should be straightforward, but I'm a little confused -- good thing you didn't request a review from me ;)

I do want to ask though -- is this changing the schedule for python security dependency updates from monthly to daily? Knowing earlier about security updates does seem like a good thing.

It also seems odd that just changing the labels requires adding a new package-ecosystem section. This is probably just my ignorance about dependabot.

@tonyandrewmeyer
Contributor Author

I do want to ask though -- is this changing the schedule for python security dependency updates from monthly to daily? Knowing earlier about security updates does seem like a good thing.

No. Dependabot security updates are mostly separate from regular dependabot. They're mostly configured elsewhere and have a schedule managed by GitHub that can't be adjusted.

I'm not certain, but I think this slightly messy situation exists because the security updates system existed in GitHub before they acquired dependabot so it's two independently built systems that have been mushed together.

It also seems odd that just changing the labels requires adding a new package-ecosystem section. This is probably just my ignorance about dependabot.

It's because the security updates can't be configured to do different things with labels, but do inherit what's in the 'regular' dependabot config, including labels. The limit on PRs does not impact security, so it's how you have the config for the 'regular' updates so the joint options are picked up without actually turning the 'regular' updates on. I believe the docs explicitly recommend this somewhere but couldn't find it with a quick search.

@james-garner-canonical
Contributor

Thanks for the explanation, @tonyandrewmeyer, super helpful! I guess with security updates being managed separately from the dependabot schedule, and open-pull-requests-limit: 0, schedule: interval: "daily" has no true effect here, but is needed since it's a required field.

@tonyandrewmeyer
Contributor Author

I guess with security updates being managed separately from the dependabot schedule, and open-pull-requests-limit: 0, schedule: interval: "daily" has no true effect here, but is needed since it's a required field.

Yes, exactly.
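The `.github/dependabot.yml` shape the discussion above describes, written out here as an added illustration rather than the PR's actual diff: `labels` replaces Dependabot's default label set (so the ecosystem label is dropped), the pip block exists only so security PRs inherit those labels, and `open-pull-requests-limit: 0` keeps regular version-update PRs from being opened. The `monthly` interval for github-actions and the `/` directory are assumptions.

```yaml
version: 2
updates:
  # Regular version updates for workflow actions. Setting `labels`
  # overrides the defaults, so only `dependencies` is applied
  # (no automatic `github_actions` label).
  - package-ecosystem: "github-actions"
    directory: "/"          # assumed location of the workflows
    schedule:
      interval: "monthly"   # assumed existing cadence
    labels:
      - "dependencies"

  # Python block added only so that Dependabot *security* PRs (which are
  # scheduled by GitHub and read labels from this config) get the same
  # single label instead of `dependencies` + `python`.
  - package-ecosystem: "pip"
    directory: "/"
    # `schedule` is a required field, but it only drives regular version
    # updates, which are disabled below; security PRs are unaffected.
    schedule:
      interval: "daily"
    # No regular version-update PRs; security-update PRs are still opened.
    open-pull-requests-limit: 0
    labels:
      - "dependencies"
```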

@tonyandrewmeyer tonyandrewmeyer merged commit df9afbe into canonical:main Oct 3, 2024
30 checks passed
@tonyandrewmeyer tonyandrewmeyer deleted the minimal-dependabot-labels branch October 3, 2024 01:19
tonyandrewmeyer added a commit to tonyandrewmeyer/operator that referenced this pull request Oct 4, 2024
For GitHub actions dependabot PRs: only use the `dependencies` label,
rather than both that and `github_actions`.

For pip (Python) dependabot PRs: we only have security dependabot PRs
enabled, so add the same label restriction (avoiding a `python` label)
but this requires adding a section to configure dependabot, and then
essentially disabling most of it by setting the maximum PRs to 0
(security PRs will still be opened).
tonyandrewmeyer added a commit to tonyandrewmeyer/operator that referenced this pull request Oct 9, 2024
For GitHub actions dependabot PRs: only use the `dependencies` label,
rather than both that and `github_actions`.

For pip (Python) dependabot PRs: we only have security dependabot PRs
enabled, so add the same label restriction (avoiding a `python` label)
but this requires adding a section to configure dependabot, and then
essentially disabling most of it by setting the maximum PRs to 0
(security PRs will still be opened).