Add dependabot for the Go ecosystem #30
Merged
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Applicable Issues
This pull request aims to solve issue #26.
Description of the Change
In issue #26 it is mentioned that we should set up dependabot and see if it makes the work of keeping dependencies up to date easier.
This pull requests configures it to scan the go.mod file to see if anything can updated, and if it is appreciated it can also be configured to monitor the dependencies inside the .github/workflows folder.
For now the cadence is set to weekly, with a limit of max 10 simultaneous pull requests open, but this can be tuned later.
Alternate Designs
Dependabot is a GitHub native functionality, so no other designs were really considered.
Benefits
We get notified when there are updates to dependencies used in this repo, and pull requests are automatically created to solve them.
Possible Drawbacks
We may get spammed with a lot of pull requests (unlikely).
Updating dependencies may break stuff, but hopefully the tests will catch anything of that nature.
Sign-off
Jonas Alfredsson - jonas.alfredsson@axis.com
Developer's Certificate of Origin 1.1
By making a contribution to this project, I certify that:
(a) The contribution was created in whole or in part by me and I
have the right to submit it under the open source license
indicated in the file; or
(b) The contribution is based upon previous work that, to the best
of my knowledge, is covered under an appropriate open source
license and I have the right under that license to submit that
work with modifications, whether created in whole or in part
by me, under the same open source license (unless I am
permitted to submit under a different license), as indicated
in the file; or
(c) The contribution was provided directly to me by some other
person who certified (a), (b) or (c) and I have not modified
it.
(d) I understand and agree that this project and the contribution
are public and that a record of the contribution (including all
personal information I submit with it, including my sign-off) is
maintained indefinitely and may be redistributed consistent with
this project or the open source license(s) involved.
Signed-off-by: