Make dependabot watch workflow files as well #34
Comments
LGTM as long as it doesn't also upgrade the compiler version: eiffelevents-sdk-go/.github/workflows/build-and-test.yml Lines 21 to 24 in c78dd31
I suppose it only touches the actions themselves.
If it does something wonky you can actually tune dependabot a bit by just responding to the pull requests it makes.
Description
In issue #26 dependabot was added for the Go ecosystem, and it appears to have worked well.
It is possible to expand the configuration to also create updates for dependencies defined in the .github/workflows folder, so they are also up to date.
Motivation
With this we will be notified, and a pull request automatically created, every time there is an update to the dependencies.
It will remove the tedious task of manually checking for updates (and performing them), which is great.
Exemplification
After the introduction of #30 dependabot immediately created #31, #32 and #33.
Something similar will probably happen this time around as well.
Benefits
Using the most recent update is probably preferred so that security fixes are added as soon as they are available.
Possible Drawbacks
It could be that updates to dependencies introduce new bugs, and major version bumps may introduce breaking API changes.
However, I think it is better to run into such issues as soon as possible rather than a year down the line when we might have multiple dependencies do major version upgrades.
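A `.github/dependabot.yml` covering both ecosystems discussed in this issue, as an added example that is not the repository's actual file. The `gomod` entry stands in for whatever issue #26 introduced, and the weekly intervals are assumed values.

```yaml
# .github/dependabot.yml
# Added example, not the project's own configuration.
version: 2
updates:
  # Go module dependencies (assumed shape of the existing entry).
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "weekly"   # assumed value

  # Actions referenced from workflow files. With directory "/",
  # Dependabot looks in .github/workflows.
  # Only `uses:` references are bumped; inputs passed under `with:`
  # are not touched by this ecosystem.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"   # assumed value
```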