Add dependabot where it's convenient? #315
Maybe also for gradle build dependencies and for github action updates?
I'm strongly voting against Dependabot. We decided to choose our dependencies manually and on purpose we don't use the latest versions. So a spamming tool that creates countless spamming issues or pull requests, which we all auto-close because we don't want to upgrade, is nonsense and only bloats tons of shit.
@Bukama I think one has to differentiate between critical / production code dependencies such as JUnit—where we indeed want hand-crafted updates—and non-critical / test code dependencies like AssertJ. For the latter, I find tools like dependabot very useful for two main reasons:
Plus: it is super easy to have a whitelist or a blacklist. Therefore, there is no spamming unless you fuck up the configuration. 😉 So when it comes to updating non-critical dependencies, what is more comfortable than getting notified via a PR that is (most of the time) ready to be merged?
Assigned to @nicolaiparlog to judge as founder, as two maintainers (@aepfli and me) have no common point of view.
There already is a PR to add dependabot to convert-junit4-to-junit5. |
@signed thx for the link, I wasn't aware of that one. As pointed out by @Bukama, there is no common POV so far. So I guess we shouldn't merge anything Dependabot-related in any Pioneer repo until we / @nicolaiparlog decided how to proceed.
As I see it, dependabot comes with a cost and a benefit:
For a project that is as loosely maintained as ours, I consider the cost to be non-negligible. The benefits, otoh, seem somewhat negligible:
I was told that dependabot also updates Gradle and GitHub Actions. They have access to our secrets here on GitHub, so keeping them up-to-date is relevant for us. A teensy bit of research unearthed two nice features:
This convinced me that we can give dependabot a try if we configure it as described above. I vote for monthly PRs, so we can work through all of them at once.
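For reference, here is an added example of a `.github/dependabot.yml` that implements the compromise discussed in this thread (monthly batches, GitHub Actions covered because they can reach repository secrets, Gradle restricted to non-critical dependencies via allow/ignore lists). This is not the project's own file; the dependency coordinates in the `allow` and `ignore` lists are assumed placeholders.

```yaml
# Added example, not the project's own configuration. Dependency
# coordinates below are assumed placeholders, not the repo's real ones.
version: 2
updates:
  # GitHub Actions run with access to the repository's secrets, so
  # keeping them current is the security-relevant part of this setup.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"        # one batch of PRs per month, handled together
    open-pull-requests-limit: 5  # caps the noise even if many actions lag behind
    labels:
      - "dependencies"

  # Gradle build dependencies: only non-critical / test dependencies are
  # allowed; production dependencies such as JUnit stay hand-updated.
  # As noted later in this thread, Gradle Kotlin DSL builds were not
  # supported at the time (dependabot/dependabot-core#2280), so in practice
  # only the github-actions entry above produced updates.
  - package-ecosystem: "gradle"
    directory: "/"
    schedule:
      interval: "monthly"
    allow:
      - dependency-name: "org.assertj:assertj-core"   # assumed AssertJ coordinate
    ignore:
      - dependency-name: "org.junit.jupiter:*"        # JUnit stays a manual decision
```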
Since I need to act as a tiebreaker, I'm voting for a dependabot trial. :)
I am not sure that this is closed, based on dependabot/dependabot-core#2280 :D no gradle kotlin dsl support
Yeah, currently GHA updates only. 🤷♂️
Basically the title. @aepfli mentioned this in Discord and I think it warrants a proper discussion.