Add dependabot.yml #3758

Merged
merged 1 commit into from Feb 12, 2024

Conversation

andy5995
Copy link
Contributor

@andy5995 andy5995 commented Feb 9, 2024

This will cause dependabot to open PRs to bump any actions, such as "checkout" when never major versions are released.

https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file

@elextr
Copy link
Member

elextr commented Feb 10, 2024

when never major versions are released

Are you saying Geany will never get another major version 😉

@b4n @eht16 release specialists, any comment?

@andy5995
Copy link
Contributor Author

when never major versions are released

Are you saying Geany will never get another major version 😉

Hehe, looks like I did bad typing again. ;)

An example is here where it was merged into the curl project on Jan 2.

And then dependabot opened a PR to bump the version of various actions (the PR shows "closed", but that's because the curl project has a different way of merging things; you can see here that it was merged: curl/curl@dfe34d2).

@eht16
Copy link
Member

eht16 commented Feb 10, 2024

Yeah, why not.

Two remarks:

  • why Docker?
  • Automatic updating of the action versions won't work directly as we pinned the actions and their versions in the organization settings. I think this is useful to reduce the risk of getting unwanted actions or code executed in CI.
    So even after merging Dependabot's PRs, a Geany admin still has to allow that action/version in the settings for security reasons.
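For illustration, the shape of a dependabot.yml limited to GitHub Actions, as discussed in this thread; this is an added example, not the file in the merged commit, and the `directory` and `schedule` values are assumptions:

```yaml
# Added example, not the geany project's own dependabot.yml.
# Only the github-actions ecosystem is listed; the Docker section was dropped.
version: 2
updates:
  - package-ecosystem: "github-actions"
    # "/" is where Dependabot looks for .github/workflows (assumed here)
    directory: "/"
    schedule:
      interval: "weekly"   # assumed cadence
    # Dependabot only opens the bump PR. With actions pinned in the
    # organization's allowed-actions settings, an admin must still permit
    # the new action/version there before workflows can run it.
```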

@andy5995
Copy link
Contributor Author

K, I removed the docker section.

This will cause dependabot to open PRs to bump any actions, such as
"checkout" when never major versions are released.

https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
@eht16 eht16 merged commit eb28f07 into geany:master Feb 12, 2024
4 checks passed
@eht16
Copy link
Member

eht16 commented Feb 12, 2024

Thanks!
