Add a Dependabot configuration to autoupdate GitHub action versions #38737
Conversation
Signed-off-by: Kurt McKee <contactme@kurtmckee.org>
There was a problem hiding this comment.
Thank you! This looks great according to official GitHub notes.
One minor change request, can we just leave this as weekly? And leave the default Once-a-week timing for Github (Scheduled on Mondays?)
Consideration: We could also make this monthly, I don't think actions change so fast.
|
We would then wait for CI to get green :) |
|
Thanks, @Fenn-CS! I want CI to go green, too. It appears the failures are unrelated to this change, however, and that many recent commits to the default git branch have failed for varying reasons. Would it be an option to re-run the failed CI jobs to see if they clear up on a second run? |
|
You could rerun, but usually I just wait when I know it's unrelated. It would magically become green if it can :) |
|
I'm not able to |
|
CI failure unrelated |
|
Thanks for your first pull request and welcome to the community! Feel free to keep them coming! If you are looking for issues to tackle then have a look at this selection: https://github.com/nextcloud/server/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22 |
|
@skjnldsv Not a big deal, so if we are having too many depenabot pr's to review that no one has time to look at, it makes sense to revert. |
|
I just did a double-check of Dependabot's PR submissions and found that Dependabot is responsible for 4% of the PRs submitted to this repo, but those numbers stretch back to 2019, four years before this merged. @skjnldsv It's fine to revert this change, but I wanted to confirm that you're specifically referring to the GitHub actions that this PR introduced? There are additional levers that could be pulled:
Again, it's fine to revert this change, but I can update the settings if that's helpful. |
I am also fine with this. |
The problem here is that we do not use only workflows from the templates. Mostly we use completly different workflows as the templates are for apps but here we have some special cases (all the files_external or object-storage etc). So I think dependabot does not allow groups and we do not want to use Renovate? Then I would go with:
|
|
Dependabot supports batched updates. Here's an example PR from one of my repositories, with all available GitHub actions updates rolled into a single PR. |
good for me too |
Summary
GitHub workflow logs show that some of the actions are running on Node 12, which is deprecated and will be removed soon. [example from a recent run]
This can be addressed by adding a Dependabot configuration for GitHub action versions. Therefore this PR targets a Dependabot configuration for ongoing updates, rather than updating the action versions as a one-off.
I've added sign-off signatures to my git commits. Please let me know if I overlooked anything that needs to be addressed.
Thanks for your work on NextCloud!
TODO
Checklist