Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add dependabot configuration file #2384

Merged
merged 1 commit into from
Sep 14, 2023

Conversation

jrfnl
Copy link
Member

@jrfnl jrfnl commented Sep 12, 2023

Context: I know some updates are needed to the GHA workflows due to new major releases of action runners. May as well set up Dependabot now to get those updates in (which automatically tests the config).


This commit adds an initial Dependabot configuration to:

  • Submit pull requests for security updates and version updates for GH Action runner dependencies.

At a later point in time, we could consider enabling it for Composer dependencies as well.

The configuration has been set up to:

  • Run weekly (for now).
  • Submit a maximum of 5 pull requests at a time. If additional pull requests are needed, these will subsequently be submitted the next time Dependabot runs after one or more of the open pull requests have been merged.
  • The commit messages for PRs submitted by Dependabot will be prefixed according the unofficial conventions used in this repo up to now.
  • The PRs will automatically be labelled with an appropriate label as already in use in this repo.

Refs:

@jrfnl jrfnl added this to the 3.x Next milestone Sep 12, 2023
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 5
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
open-pull-requests-limit: 5

The default value is 5 already.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

True, except most people don't know that and the default may change without notice.
This makes it explicit and easy to check for people. Happy to remove it if you prefer, but at least you now know my reasoning for including it.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We already rely on other defaults (like it being on a Monday), so this is no different. Having it also suggests that we're limiting it on purpose (I was going to query why we'd want to do that, really), rather than leaving it to the defaults (more effort to look up).

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So, what should we do ?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm really fine either way. Extra information doesn't hurt I guess

.github/dependabot.yml Show resolved Hide resolved
This commit adds an initial Dependabot configuration to:
* Submit pull requests for security updates and version updates for GH Action runner dependencies.

At a later point in time, we could consider enabling it for Composer dependencies as well.

The configuration has been set up to:
* Run weekly (for now).
* Submit a maximum of 5 pull requests at a time.
    If additional pull requests are needed, these will subsequently be submitted the next time Dependabot runs after one or more of the open pull requests have been merged.
* The commit messages for PRs submitted by Dependabot will be prefixed according the unofficial conventions used in this repo up to now.
* The PRs will automatically be labelled with an appropriate label as already in use in this repo.

Refs:
* https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
* https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#versioning-strategy
@jrfnl jrfnl force-pushed the feature/add-dependabot-config-for-ghactions branch from 285018f to dd9b567 Compare September 13, 2023 12:14
@dingo-d dingo-d modified the milestones: 3.0.1, 3.x Next Sep 14, 2023
@GaryJones GaryJones merged commit e02529f into develop Sep 14, 2023
41 checks passed
@GaryJones GaryJones deleted the feature/add-dependabot-config-for-ghactions branch September 14, 2023 13:56
@jrfnl jrfnl modified the milestones: 3.x Next, 3.1.0 Dec 3, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants