Conversation

@grokspawn
Contributor

@grokspawn grokspawn commented Nov 26, 2025

Description

Sets a policy of 14 days for all non-security dependencies, which feels like a reasonable default for discovery of any related supply-chain attacks/mitigation.

Ref: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/optimizing-pr-creation-version-updates#setting-up-a-cooldown-period-for-dependency-updates

Reviewer Checklist

  • API Go Documentation
  • Tests: Unit Tests (and E2E Tests, if appropriate)
  • Comprehensive Commit Messages
  • Links to related GitHub Issue(s)

Signed-off-by: grokspawn <jordan@nimblewidget.com>
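The setting the description refers to, shown here as an added illustrative example rather than the PR's own diff (which this page does not include): a `.github/dependabot.yml` with `cooldown.default-days: 14` on the three ecosystem entries the review summary names (GitHub Actions, Go modules, pip). The `directory` and `schedule` values are assumptions; only the cooldown line and the ecosystem names come from the page.

```yaml
# .github/dependabot.yml -- illustrative example added here, not the PR's diff.
# directory and schedule values are assumptions; the page only states that
# cooldown.default-days: 14 was added to the github-actions, gomod and pip entries.
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    cooldown:
      default-days: 14   # wait 14 days after a release before proposing it
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "weekly"
    cooldown:
      default-days: 14
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
    cooldown:
      default-days: 14
```

The cooldown delays Dependabot version updates only; Dependabot security updates are not held back by it, which is why the description scopes the policy to non-security dependencies. The 14-day window gives the ecosystem time to notice and pull a compromised release before it is proposed to this repository.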
@grokspawn grokspawn requested a review from a team as a code owner November 26, 2025 22:18
Copilot AI review requested due to automatic review settings November 26, 2025 22:18
@netlify

netlify bot commented Nov 26, 2025

Deploy Preview for olmv1 ready!

Name Link
🔨 Latest commit bb77bba
🔍 Latest deploy log https://app.netlify.com/projects/olmv1/deploys/69277cd3a63aff000740c0ca
😎 Deploy Preview https://deploy-preview-2363--olmv1.netlify.app
Copilot finished reviewing on behalf of grokspawn November 26, 2025 22:20
Copilot AI left a comment

Pull request overview

This PR attempts to introduce a 14-day cooldown policy for Dependabot dependency updates across all package ecosystems (GitHub Actions, Go modules, and pip) to provide a buffer period for detecting supply-chain attacks. However, the cooldown configuration field used is not a valid Dependabot configuration option and will be ignored by Dependabot, meaning the intended functionality will not work.

Key Changes:

  • Added cooldown.default-days: 14 configuration to three package ecosystem entries in Dependabot configuration

Member

@rashmigottipati rashmigottipati left a comment

(optional nit): how about adding a brief note to CONTRIBUTING.md doc mentioning the new dependabot cooldown policy?

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Nov 27, 2025
@grokspawn
Contributor Author

/override experimental-e2e
/approve

@openshift-ci

openshift-ci bot commented Nov 28, 2025

@grokspawn: Overrode contexts on behalf of grokspawn: experimental-e2e

In response to this:

/override experimental-e2e
/approve

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Contributor

@oceanc80 oceanc80 left a comment

/approve

@jianzhangbjz
Member

However, the cooldown configuration field used is not a valid Dependabot configuration option and will be ignored by Dependabot, meaning the intended functionality will not work.

Not sure why the Copilot points out this warning. Based on https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference#cooldown-, it should work.

@jianzhangbjz
Member

/retest-required

@jianzhangbjz
Member

/retest

@tmshort
Contributor

tmshort commented Dec 1, 2025

Copilot is saying this won't work? Is its info out-of-date?

@tmshort
Contributor

tmshort commented Dec 1, 2025

/approve

@openshift-ci

openshift-ci bot commented Dec 1, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: grokspawn, oceanc80, rashmigottipati, tmshort

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 1, 2025
@openshift-merge-bot openshift-merge-bot bot merged commit b23e124 into operator-framework:main Dec 1, 2025
38 of 39 checks passed
@codecov

codecov bot commented Dec 1, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 70.53%. Comparing base (045989d) to head (bb77bba).
⚠️ Report is 5 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2363      +/-   ##
==========================================
- Coverage   74.39%   70.53%   -3.87%     
==========================================
  Files          93       93              
  Lines        7300     7300              
==========================================
- Hits         5431     5149     -282     
- Misses       1435     1718     +283     
+ Partials      434      433       -1     
Flag              Coverage Δ
e2e               44.53% <ø> (ø)
experimental-e2e  14.06% <ø> (-34.67%) ⬇️
unit              58.47% <ø> (ø)

@grokspawn grokspawn deleted the cooldown-opcon branch December 1, 2025 20:49