-
Notifications
You must be signed in to change notification settings - Fork 2.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
github: add dependabot configuration file #1427
Conversation
c68c93c
to
b0f2c7b
Compare
b0f2c7b
to
d2266e6
Compare
This PR now checks outdated github-actions too. Ref #1453. /cc @mmorel-35 |
Out of curiosity, why extending the limit of pr to 99 ? |
By default, dependabot will open a limited number of PRs (can't remember whether it's 4 or 10). Therefore, when more than those need to be updated, you don't get to see the big picture. You keep resolving/merging them but you don't know when will it finish. By setting the limit to a large number, you know it will show all the dependencies that can be updated today (or this week, or this month). Then you can see potential conflicts and decide the order you want to follow for merging. It is arguable whether having a low limit is relevant in this project, since the number of dependencies of cobra is rather low. However, I believe it's better to have an explicit value, rather than rely on GitHub's default. By the way, what I explained above might have changed in the last months, since GitHub first bought the service and then made it built-in. |
It seems the default number is five at the moment:
|
Thank you for the explanation. I can see why you took that decision. |
d2266e6
to
9f725d9
Compare
ping @jpmcb |
9f725d9
to
3263893
Compare
3263893
to
5a88a62
Compare
github-dependabot/-spf13#1427/-configuration file Co-Authored-By: Matthieu MOREL <mmorel-35@users.noreply.github.com>
5a88a62
to
bcbf70c
Compare
bcbf70c
to
f3d8923
Compare
Co-Authored-By: Matthieu MOREL <mmorel-35@users.noreply.github.com>
Co-Authored-By: Matthieu MOREL <mmorel-35@users.noreply.github.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good, and the explanation for limits makes sense.
Co-Authored-By: Matthieu MOREL <mmorel-35@users.noreply.github.com>
f3d8923
to
14dbfbb
Compare
Co-Authored-By: Matthieu MOREL <mmorel-35@users.noreply.github.com>
14dbfbb
to
e4633cc
Compare
Co-Authored-By: Matthieu MOREL <mmorel-35@users.noreply.github.com>
Co-Authored-By: Matthieu MOREL <mmorel-35@users.noreply.github.com>
Co-Authored-By: Matthieu MOREL <mmorel-35@users.noreply.github.com>
Close #907
Dependabot was an external service for keeping dependencies up to date. It was bought by GitHub, and it's now a built-in service which integrates with security updates. See https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically.
In April, GitHub announced that the external service (Dependabot Preview) is to be shut down in August: https://github.blog/2021-04-29-goodbye-dependabot-preview-hello-dependabot/.
This PR adds a dependabot configuration file for checking go dependencies weekly.
Note that this features does NOT auto-merge. It will open PRs, but maintainers will need to merge them, or bump the dependencies otherwise.
Refs: #1420 #1406 #1404 #1364