Add dependabot for the Go ecosystem #30

Merged
merged 1 commit into from
Oct 21, 2022


@JonasAlfredsson JonasAlfredsson commented Oct 16, 2022

Applicable Issues

This pull request aims to solve issue #26.

Description of the Change

In issue #26 it is mentioned that we should set up dependabot and see if it makes the work of keeping dependencies up to date easier.
This pull request configures it to scan the go.mod file to see if anything can be updated, and if it is appreciated it can also be configured to monitor the dependencies inside the .github/workflows folder.
For now the cadence is set to weekly, with a limit of max 10 simultaneous pull requests open, but this can be tuned later.

Alternate Designs

Dependabot is a GitHub native functionality, so no other designs were really considered.

Benefits

We get notified when there are updates to dependencies used in this repo, and pull requests are automatically created to solve them.

Possible Drawbacks

We may get spammed with a lot of pull requests (unlikely).
Updating dependencies may break stuff, but hopefully the tests will catch anything of that nature.

Sign-off

Jonas Alfredsson - jonas.alfredsson@axis.com

Developer's Certificate of Origin 1.1

By making a contribution to this project, I certify that:

(a) The contribution was created in whole or in part by me and I
have the right to submit it under the open source license
indicated in the file; or

(b) The contribution is based upon previous work that, to the best
of my knowledge, is covered under an appropriate open source
license and I have the right under that license to submit that
work with modifications, whether created in whole or in part
by me, under the same open source license (unless I am
permitted to submit under a different license), as indicated
in the file; or

(c) The contribution was provided directly to me by some other
person who certified (a), (b) or (c) and I have not modified
it.

(d) I understand and agree that this project and the contribution
are public and that a record of the contribution (including all
personal information I submit with it, including my sign-off) is
maintained indefinitely and may be redistributed consistent with
this project or the open source license(s) involved.

Signed-off-by:

@JonasAlfredsson JonasAlfredsson requested a review from a team as a code owner October 16, 2022 09:22
@magnusbaeck magnusbaeck left a comment

Change LGTM, but the commit author should be your firstname.lastname work email since you're contributing this as an employee.

Also, nit, if you adjust the PR description to reference the issue using https://docs.github.com/en/issues/tracking-your-work-with-issues/linking-a-pull-request-to-an-issue the issue will automatically be closed and marked as fixed when the PR is merged.

@JonasAlfredsson

Something like that instead?

@magnusbaeck magnusbaeck merged commit fe83030 into eiffel-community:master Oct 21, 2022