Group Dependabot PRs and remove merge-dependabot
#3990
Conversation
This change adds grouping to all dependabot configurations to limit the number of open PRs to one. It also removes the `merge-dependabot` workflow, which is no longer useful in case of grouped upgrades.
vy left a comment
This effectively means dependency updates will not contain a changelog entry anymore. I'm reluctant to accept this.
I thought we agreed to "disable dependabot" (i.e., delete dependabot.yaml) and restore it once the CI workflow is fixed. Have I misunderstood you?
I prefer to keep Dependabot alive as a reminder. Having a partial Dependabot PR is better than having no PR at all. Until we solve the blocker for Dependabot automation, we can always complete those PRs ourselves or I can share a short Python script to generate the entries.
I'm not very keen on this idea, since it will take a single click for a maintainer to approve such a PR, and effectively lose the trail of updates, which are necessary to generate changelog entry files.
Can you put that in a Groovy script that gets executed in a dedicated
vy left a comment
I will implement the logging-parent script myself – you can proceed.
This change restores a valid Dependabot configuration that was broken in #3990 (see the failing GHA run: [57824321555](https://github.com/apache/logging-log4j2/runs/57824321555)). Because GitHub does not validate Dependabot configuration files before merge, the fix is based **entirely** on the documented format and examples in the [Dependabot options reference](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference#exclude-paths-). **Note:** Dependabot appears to interpret the `exclude-paths` key differently from `directories`; unlike `directories`, `exclude-paths` does **not** require a leading slash.
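The shape of a grouped Dependabot configuration that follows the two points above (one group per ecosystem so that at most one PR is open, and `exclude-paths` written without the leading slash that `directories` requires), as an added example that is not the project's own `dependabot.yml`. The schedule, group names and the excluded module path are assumptions, not values from the page:

```yaml
version: 2
updates:
  - package-ecosystem: "maven"
    # `directories` entries are repository-relative and must start with "/"
    directories:
      - "/"
    # `exclude-paths` entries are globs and, unlike `directories`, take no leading slash.
    # The module name is a placeholder, not a real Log4j module.
    exclude-paths:
      - "some-excluded-module/**"
    schedule:
      interval: "weekly"
    # A single catch-all group folds every Maven update into one PR,
    # which is what keeps the number of open Dependabot PRs at one.
    groups:
      maven-dependencies:
        patterns:
          - "*"

  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      github-actions:
        patterns:
          - "*"
```

Because GitHub only validates this file when Dependabot next runs, check the first run under the repository's Dependabot tab (or the linked GHA run) after merging; a malformed `directories` entry without the slash fails there rather than at review time.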
I’m concerned that, for security reasons, we cannot rely on a Groovy script to generate the changelog entries. Regardless of whether we split the workflow into two steps (which would indeed make it easier to review), changelog generation effectively consists of two distinct phases:
For this reason, using a Groovy script in the privileged part of the workflow is not something I would be comfortable with.
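The privileged/unprivileged split referred to in the comment above, as an added illustration rather than the project's actual workflow. The unprivileged phase runs on the untrusted `pull_request` event with a read-only token and may execute any generator script; the privileged phase runs on `workflow_run` with a write token and only copies files, never executing code from the PR branch or from the artifact. The generator script name, the target branch, the bot identity and the changelog directory are assumptions:

```yaml
# --- .github/workflows/changelog-entry-generate.yml (unprivileged phase) ---
# Read-only token, no secrets: running PR-controlled code here cannot push or
# leak anything. Its only output is an artifact.
name: changelog-entry-generate
on:
  pull_request:
    branches: [ "2.x" ]          # assumed target branch
permissions:
  contents: read
jobs:
  generate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Hypothetical generator script; the thread mentions Python and Groovy
      # candidates but names no file.
      - run: python3 tools/generate-changelog-entries.py --out generated-changelog
      - uses: actions/upload-artifact@v4
        with:
          name: changelog-entries
          path: generated-changelog/

---
# --- .github/workflows/changelog-entry-commit.yml (privileged phase) ---
# Runs in the base repository context with a write token. It contains no
# build step and no script from the branch: copy files, commit, push.
name: changelog-entry-commit
on:
  workflow_run:
    workflows: [ "changelog-entry-generate" ]
    types: [ completed ]
permissions:
  contents: write
jobs:
  commit:
    # Only successful runs for Dependabot branches that live in this repository
    # (a fork branch of the same name must not be checked out with write access).
    if: >-
      github.event.workflow_run.conclusion == 'success' &&
      github.event.workflow_run.head_repository.full_name == github.repository &&
      startsWith(github.event.workflow_run.head_branch, 'dependabot/')
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.workflow_run.head_branch }}
      - uses: actions/download-artifact@v4
        with:
          name: changelog-entries
          path: generated-changelog
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ github.token }}
      # The artifact is untrusted data: accept only top-level regular *.xml files
      # and copy them into the changelog directory (path is an assumption).
      - run: |
          set -eu
          mkdir -p src/changelog/.2.x.x
          find generated-changelog -maxdepth 1 -type f -name '*.xml' \
            -exec cp -- {} src/changelog/.2.x.x/ \;
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git add src/changelog
          git diff --cached --quiet || git commit -m "Add changelog entries"
          git push
```

The point of the split is that the only thing crossing from the untrusted phase to the trusted one is file content, which the privileged job treats as opaque data. Moving the generator (Groovy or otherwise) into the second workflow would undo that, because a script there runs with the write token.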