Add dependabot to keep workflow Actions updated #46427
Comments
Does it still open pull requests against all 18.8K forks? 😬 (I know that was one of the other concerns)
Ah, no, it doesn't. Dependabot is disabled by default on all forks. I even had to go to the settings and enable it on my fork even though I'd just added the dependabot.yml file myself.
I think that's only until it's merged in upstream; once it is, it's enabled, i.e. I'm getting pull requests all the time from dependabot on my own forks 😞 And worse, it's creating branches on my fork (without the ability to deny it access to my fork, which in itself can be a security concern if dependabot were ever compromised (which of course we hope would never happen)). And from a quick check on other forks, I see those get them as well;
I think they slightly improved it and don't open PRs if the fork hasn't been updated for some time, but theoretically it could mean dependabot opening pull requests (and creating branches, without consent) on 18k+ forks 😢
Sorry for the delay in replying here! So, as of November 2022, dependabot is no longer automatically enabled for new forks. And per the documentation, this also applies to older forks that pull a new dependabot.yml:
You should now also be able to disable this in your fork's settings page: https://github.com/thaJeztah/compose/settings/security_analysis (there should be a "Disable" next to "Dependabot version updates").
As an example, I just forked docker/compose myself and this is what I see in my fork's Security Analysis page:
Note that it detects the
If my previous suggestion to try disabling it in your fork's settings doesn't work (I can't test how things were before the November 2022 change...), you could always delete and recreate your fork... though the feasibility of that option depends on how much custom code is there.
Description
Dependabot has recently released grouped updates, meaning an entire ecosystem can be updated with a single PR. I'd therefore like to suggest that Moby adopt Dependabot to keep its workflow Actions up to date.
I believe this mitigates the concerns raised in #44177 (comment) regarding the large volumes of PRs Dependabot ordinarily generates.
I'll send a PR along with this issue implementing this change.
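As an added illustration (not the PR the author mentions and not Moby's actual file), a `.github/dependabot.yml` that does what the description proposes: version updates for the `github-actions` ecosystem, collapsed into grouped PRs so the volume concern from #44177 does not recur. The group names, schedule and PR limit are assumptions.

```yaml
# .github/dependabot.yml -- added example, not the project's own configuration.
version: 2
updates:
  - package-ecosystem: "github-actions"
    # "/" covers the workflows in .github/workflows under the repository root.
    directory: "/"
    schedule:
      interval: "weekly"          # assumed cadence
    # Grouped updates: instead of one PR per action, matching bumps land in
    # a single PR. Minor/patch bumps are batched; major bumps are deliberately
    # left out of the group so each one still gets its own reviewable PR.
    groups:
      actions-minor-and-patch:    # assumed group name
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
    # Hard ceiling on concurrently open version-update PRs (assumed value).
    open-pull-requests-limit: 2
```

Forks do not pick this up automatically: per the thread above, since November 2022 Dependabot version updates must be enabled (and can be disabled) per fork under Settings > Code security and analysis.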