build(dependabot): ignore minor and patch github-actions updates #1224

Merged
merged 1 commit into from Nov 17, 2021


Contributor

@Fdawgs Fdawgs commented Nov 17, 2021

GitHub introduced the ability to ignore specific updates back in May.
This PR should stop Dependabot flooding PRs with every minor and patch update of GitHub's own actions every day.

Happy to make the change for the rest of the Pino repos if wanted.

Member

@mcollina mcollina left a comment

lgtm

Member

@mcollina mcollina commented Nov 17, 2021

amazing work!

@mcollina mcollina merged commit b37a947 into pinojs:master Nov 17, 2021
12 checks passed
@Fdawgs Fdawgs deleted the build/dependabot branch Nov 17, 2021
Member

@mcollina mcollina commented Nov 17, 2021

Go ahead and roll it out throughout the org.

Contributor

@simoneb simoneb commented Nov 17, 2021

Just curious, apart from reducing the noise, why would you want to avoid getting any updates other than major?

Member

@jsumners jsumners commented Nov 17, 2021

> Just curious, apart from reducing the noise, why would you want to avoid getting any updates other than major?

We don't "avoid getting any updates". We avoid getting constant bumps to configuration files for explicit version numbers. This change says "I don't care what version of the v2 line of checkout you use, just use the latest v2".

Contributor Author

@Fdawgs Fdawgs commented Nov 17, 2021

> Just curious, apart from reducing the noise, why would you want to avoid getting any updates other than major?

GitHub's own actions follow this tag style for releases, so specifying actions/setup-node@v2 will get the latest v2.x.x of that action.

Contributor

@simoneb simoneb commented Nov 17, 2021

Ah interesting, I didn't know. From what I understand it isn't generally true that using v2 means that you're getting whatever is the latest v2; it is true only as long as the publisher of the action moves the v2 tag to refer to whatever is the latest. This is something that GitHub is doing with their own actions it seems, but I'm not sure how widespread a practice this is.

Member

@jsumners jsumners commented Nov 17, 2021

Very true. In my org, we use these vX tags for GitHub authored actions. For others, we pin to the full git SHA.
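
The pinning policy discussed in this thread (major-version tags for GitHub-authored actions, full commit SHA for everything else), as an added example that is not part of the PR or the pino project's code. The first-party owner list, the `example-org` action names, the placeholder SHA and the sample workflow are assumptions constructed for illustration.

```javascript
// Added example: audit `uses:` references in workflow text against the
// policy described in the thread. Owner list and sample input are assumptions.
const FIRST_PARTY_OWNERS = new Set(['actions', 'github']); // assumption: owners treated as GitHub-authored
const FULL_SHA = /^[0-9a-f]{40}$/;
const MAJOR_TAG = /^v\d+$/;

function classifyRef(uses) {
  // Local actions (./path) and docker:// images carry no git ref to pin.
  if (uses.startsWith('./') || uses.startsWith('docker://')) {
    return { uses, kind: 'no-git-ref', ok: true };
  }
  const at = uses.lastIndexOf('@');
  if (at === -1) return { uses, kind: 'missing-ref', ok: false };
  const owner = uses.slice(0, at).split('/')[0];
  const ref = uses.slice(at + 1);
  if (FULL_SHA.test(ref)) return { uses, kind: 'full-sha', ok: true };
  if (MAJOR_TAG.test(ref)) {
    // A vX tag is mutable: it resolves to whatever the publisher last moved it to.
    return { uses, kind: 'major-tag', ok: FIRST_PARTY_OWNERS.has(owner) };
  }
  return { uses, kind: 'other-ref', ok: false }; // branch, vX.Y.Z tag, short SHA
}

function auditWorkflow(yamlText) {
  const findings = [];
  yamlText.split('\n').forEach((line, i) => {
    // Match `uses: value` or `- uses: value`, optional quotes, ignoring trailing comments.
    const m = line.match(/^\s*(?:-\s*)?uses:\s*["']?([^"'#\s]+)/);
    if (m) findings.push({ line: i + 1, ...classifyRef(m[1]) });
  });
  return findings;
}

// Constructed sample workflow; the third-party action names and the SHA are placeholders.
const SAMPLE = `
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-node@v2
      - uses: example-org/some-action@v1
      - uses: example-org/some-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - uses: example-org/other-action@main
`;

const violations = auditWorkflow(SAMPLE).filter((f) => !f.ok);
console.log(violations);
```

Exact `vX.Y.Z` tags are reported as `other-ref` here because the policy in the thread names only major tags and full SHAs; relax that branch if your policy allows them.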
