
ci(deps): configure dependabot for github-actions #5521

Merged

Conversation

davorpa
Member

@davorpa davorpa commented Sep 5, 2021

What does this PR do?

  1. Dependabot checks for updates. Dependabot pulls down your dependency files and looks for any outdated or insecure requirements.
  2. Dependabot opens pull requests. If any of your dependencies are out-of-date, Dependabot opens individual pull requests to update each one.
  3. You review and merge. You check that your tests pass, scan the included changelog and release notes, then hit merge with confidence.

So, this PR configures Dependabot to automate this process for the github-actions artifacts used in the repository workflows.

As the config is provided, these labels need to be added to the GitHub repo/org:

```yaml
# Specify labels for `gha` pull requests
labels:
- "dependencies"
- "dependencies:github-actions"
- "automation"
commit-message:
```

Checklist:

  • Read our contributing guidelines
  • Search for duplicates.
  • Provide dependabot.yml config file.
  • Choose labels and add them to the repo or, if the config is centralized, do it in the organization.
  • Enable dependabot in repo settings

Followup

  • Check the output of Travis-CI for linter errors!

These labels need to be added to the GitHub repo/org:
- dependencies
- github-actions
@davorpa davorpa marked this pull request as ready for review September 5, 2021 11:01
@eshellman
Collaborator

Would appreciate review from someone familiar with this.

@davorpa
Member Author

davorpa commented Sep 5, 2021

I know it is a critical file of the repo configuration, so I'll provide more info...

Dependabot aims to solve/fix security issues (what is known as CVEs, Common Vulnerabilities and Exposures) by making automatic pull requests as a way of recommendations. In those PRs, the entire context (breaking changes, release/changelog history, compatibility and so on) is provided as the description. At no moment does it commit anything without supervision.

▶️ A reference guide on how to activate or change the proposed configuration can be found here:

https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/enabling-and-disabling-version-updates

▶️ If you activate it before merging this, a non-parametrized file is suggested to be committed, and be sure that conflicts will appear.

▶️ I avoided setting the assignees / reviewers parameters because I see it is a feature not used in the PR process of this repo. Also the schedule could be changed (now it is Central Europe midday on Saturdays, perfect to also handle the America timezone), or the labels...

Let me know what is expected, and I'll change it. 😉

▶️ About all the config parameters that can be used in dependabot.yml:

https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates

▶️ In the list below are the dependencies that will be monitored in both workflows, fpb-lint and url-awesomebot:

  • actions/checkout
  • actions/setup-node
  • trilom/file-changes-action
  • actions/upload-artifact

I hope this helps to get in context 🤗

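A complete `.github/dependabot.yml` that puts the choices described in this comment together (github-actions ecosystem, Saturday midday Central Europe schedule, the labels from the PR description, no assignees or reviewers). This is an added example, not the file merged in this PR; the exact `time` value, the `Europe/Madrid` timezone identifier and the `ci(deps)` commit prefix are assumptions.

```yaml
# Added example: a full dependabot.yml assembled from the choices discussed in this PR.
# Not the file merged here; time, timezone id and commit prefix are assumptions.
version: 2
updates:
  - package-ecosystem: "github-actions"   # monitors the `uses:` entries in .github/workflows/*
    directory: "/"                         # the github-actions ecosystem is configured at the repo root
    schedule:
      interval: "weekly"
      day: "saturday"
      time: "12:00"                        # assumed: "half day" of Saturday, 24h format
      timezone: "Europe/Madrid"            # assumed Olson id for "Central Europe"
    # As the PR description says, these labels must exist in the repo
    # (or in the organization, if the config is centralized) before the first run.
    labels:
      - "dependencies"
      - "dependencies:github-actions"
      - "automation"
    commit-message:
      prefix: "ci(deps)"                   # assumed; matches this PR's title style
    # assignees / reviewers intentionally omitted: not used in this repo's PR process
```

Each update PR Dependabot opens from this config still goes through the normal review and merge; nothing is committed to `main` without a maintainer action.
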
@davorpa davorpa changed the title chore: configure dependabot for github-actions config(ci): configure dependabot for github-actions Sep 15, 2021
@davorpa davorpa changed the title config(ci): configure dependabot for github-actions ci(deps): configure dependabot for github-actions Sep 17, 2021
@davorpa
Member Author

davorpa commented Sep 26, 2021

Today Dependabot advised me about an action update.

Here the example: davorpa/testing-github-actions#1

Also the labels are now more adequate, based on what I can see in other repos.
@davorpa davorpa added 👥 discussion This Repo is guided by its community! Let's talk! New Feature New feature / enhancement / translation... help wanted Needs help solving a blocked / stucked item and removed 👥 discussion This Repo is guided by its community! Let's talk! labels Sep 28, 2021
@davorpa davorpa self-assigned this Nov 2, 2021
@davorpa davorpa added the 👀 Needs Review Is this really a good resource? Reviews requested. label Nov 6, 2021
@davorpa davorpa mentioned this pull request Jan 29, 2022
@davorpa
Member Author

davorpa commented Feb 27, 2022

Today again another notification about github-actions comes into my inbox.

It told me that the setup-node action should be upgraded.

davorpa/testing-github-actions#3

@eshellman
Collaborator

Question: on other repos I have, there's a bot that warns about security issues, but the alert and PRs are only visible to repo owner. Is that true for dependabot?

@davorpa
Member Author

davorpa commented Feb 28, 2022

> Question: on other repos I have, there's a bot that warns about security issues, but the alert and PRs are only visible to repo owner. Is that true for dependabot?

PRs are always public. Security alerts aren't.

Moreover, I don't know if the bot only responds to reply commands (e.g. @dependabot squash and merge) if you are a maintainer. I'd have to check it. The documentation doesn't tell us too much about it.

@EbookFoundation/reviewers Could someone try with davorpa/testing-github-actions#2 that is still open?

Member

@CleanMachine1 CleanMachine1 left a comment


just a small nitpick

.github/dependabot.yml (outdated, resolved)
Co-authored-by: CleanMachine1 <78213164+CleanMachine1@users.noreply.github.com>
@LuigiImVector
Member

> Could someone try with davorpa/testing-github-actions#2 that is still open?

Only those who have the permissions can: davorpa/testing-github-actions#2 (comment)

@davorpa
Member Author

davorpa commented Mar 5, 2022

> Only who have the permissions can: davorpa/testing-github-actions#2 (comment)

Yep, I'll see it. Thanks, Luigi.

Then I think it's safe to enable this feature since it is like a normal PR but with bot commands and compatibility info as extras.

@davorpa davorpa added the 🤖 automation Automated tasks done by workflows or bots label Mar 5, 2022
@eshellman eshellman merged commit 1cfd2b3 into EbookFoundation:main Mar 7, 2022
Labels
🤖 automation Automated tasks done by workflows or bots 👥 discussion This Repo is guided by its community! Let's talk! 👀 Needs Review Is this really a good resource? Reviews requested. help wanted Needs help solving a blocked / stucked item New Feature New feature / enhancement / translation...