Description of the change
This PR updates the current dependabot config to also upgrade our integration deps periodically. The release process docs have also been updated accordingly.
Benefits
The bot will send PRs for the integration dependencies as well. We no longer will get notified about security issues in these deps (though they are not part of the kubeapps code itself).
Possible drawbacks
Please note the integration image is not being created automatically. According to our release process, this image might be updated when releasing a new kubeapps version. Direct consequence: the current code in the main branch won't match the actual code in the image container image.
Alternatives:
A) We just assume the integration image won't match the declared dependencies in the main branch. They eventually sync once we release a new Kubeapps version (albeit not guaranteed according to the current process documentation).
B) We push ourselves to create a new integration image version. It implies:
If B) we will have to update our docs to show these instructions.
A B' is possible, where we send another PR in addition to the dependabot one, but I personally think it will generate more overhead rather than being useful.
Applicable issues
Additional information
Additional idea: what if we build the integration image in CI-runtime? This way it's guaranteed it'll use the latest deps versions.
PS: woah - it was supposed to be a straightforward one-line change indeed...