ci: Add dependabot configuration #474
Conversation
Thanks for this PR @twpayne!
5ef64ca to 475b426
475b426 to d02cbee
LGTM! Should we disable automatic rebasing as well (see cilium/cilium#14826)? Though, in Hubble we don't have long running Jenkins CI jobs which would be affected, but it might lead to fewer surprises compared to dependabot behaviour in cilium/cilium.
LGTM as well! I agree with Tobias that we probably don't need automatic rebase.
FYI: cilium/cilium#14837 will probably make sense to limit the number of open PRs for the Hubble repo as well to avoid merge conflicts between update PRs.
d02cbee to 47a4cc4
Signed-off-by: Tom Payne <tom@isovalent.com>
47a4cc4 to 0b5da07
OK, PR updated to disable rebases and limit the number of open PRs to 1, as proposed by @tklauser.
Does this mean that dependabot can only open one PR per week? If correct, is there a scenario where it can't keep up with the dependencies update (i.e. there are more than one module update per week)?
I don't think so. As I read the dependabot config documentation, it will check for updates once a week and then send them one by one. So there could be multiple update PRs in a week but only one open at a time. They will be updating the individual modules to the most recent version at the time of the update check, which could in the worst case be one week old.
@tklauser thanks for looking into this. Additionally the bits about security fixes (which was my main concern) having their separate limit is nice:
> [about open-pull-requests-limit] This option has no impact on security updates, which have a separate, internal limit of ten open pull requests.
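As an added illustration (not the PR's own `.github/dependabot.yml`, whose exact contents are not shown in this thread), here is a Dependabot v2 configuration that implements what the discussion settled on: a weekly check, at most one open version-update PR at a time, and automatic rebasing disabled. The `gomod` ecosystem and the `/` directory are assumptions for a Go repository; the `open-pull-requests-limit` and `rebase-strategy` keys are standard Dependabot options.

```yaml
# Added example configuration, not the file from this PR.
# Assumes a Go module at the repository root (package-ecosystem: gomod, directory: /).
version: 2
updates:
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      # Check for updates once a week; updates found are opened one by one.
      interval: "weekly"
    # Only one version-update PR open at a time, to avoid merge conflicts
    # between update PRs. Per the Dependabot docs quoted above, security
    # updates are not counted against this limit (they have a separate,
    # internal limit of ten open PRs).
    open-pull-requests-limit: 1
    # Do not have Dependabot force-push rebases onto its own PRs, so that
    # CI runs on a given PR are not repeatedly invalidated.
    rebase-strategy: "disabled"
```

With `open-pull-requests-limit: 1`, Dependabot still proposes every module update found in the weekly check, just one at a time: the next PR is opened once the current one is merged or closed, so the queue drains without needing the limit to exceed the number of stale modules.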
This adds Dependabot for Hubble, like cilium/cilium#14694.