Description
upstream-images is the only platform-mesh repo where Scorecard reports Dependency-Update-Tool: 0/10 — no Dependabot, Renovate, or equivalent is configured. Combined with its already-low overall score (6.2 — the lowest in the org), this is a quick win.
Steps
- Add .github/dependabot.yml configured for the package ecosystems present in upstream-images (likely docker for Dockerfiles and github-actions for workflows).
- Optionally: add Renovate instead if the org standardizes on it (check what helm-charts / account-operator use as a reference — most platform-mesh repos use Dependabot).
- Verify next Scorecard run (weekly) shows Dependency-Update-Tool: 10/10.
Reference config
Sample .github/dependabot.yml:
version: 2
updates:
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
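Added example, not part of this issue or of the upstream-images repo: a small Python check that lists the ecosystems a checkout actually contains (Dockerfiles, workflows, go.mod) and reports any that a dependabot.yml does not cover, so the "configured for the package ecosystems present" step can be verified before the next Scorecard run. The marker-file mapping and the constructed sample repo are assumptions; only the package-ecosystem values are read from the config, so no YAML library is needed.

```python
import re
import tempfile
from pathlib import Path

# Files that signal a Dependabot ecosystem. Hypothetical mapping for this example;
# it covers the two ecosystems the issue expects in upstream-images plus Go modules.
ECOSYSTEM_MARKERS = {
    "docker": lambda p: p.name == "Dockerfile" or p.name.startswith("Dockerfile."),
    "github-actions": lambda p: p.parent.as_posix().endswith(".github/workflows")
    and p.suffix in (".yml", ".yaml"),
    "gomod": lambda p: p.name == "go.mod",
}

def detect_ecosystems(root):
    """Ecosystems for which marker files exist anywhere under root."""
    return {eco for path in Path(root).rglob("*") if path.is_file()
            for eco, matches in ECOSYSTEM_MARKERS.items() if matches(path)}

def configured_ecosystems(dependabot_yml):
    """package-ecosystem values from a dependabot.yml (regex; no YAML library needed)."""
    return set(re.findall(r'package-ecosystem:\s*"?([\w-]+)"?', dependabot_yml))

def missing_ecosystems(root, dependabot_yml):
    """Ecosystems present in the repo but absent from the config; empty means full coverage."""
    return detect_ecosystems(root) - configured_ecosystems(dependabot_yml)

def render_dependabot(ecosystems, interval="weekly"):
    """Render a dependabot.yml in the same shape as the issue's reference config."""
    lines = ["version: 2", "updates:"]
    for eco in sorted(ecosystems):
        lines += [f'  - package-ecosystem: "{eco}"', '    directory: "/"',
                  "    schedule:", f'      interval: "{interval}"']
    return "\n".join(lines) + "\n"

def build_sample_repo():
    """Constructed stand-in for upstream-images: a Dockerfile and one workflow, no config."""
    root = Path(tempfile.mkdtemp())
    (root / "Dockerfile").write_text("FROM alpine:3.20\n")
    (root / ".github" / "workflows").mkdir(parents=True)
    (root / ".github" / "workflows" / "ci.yml").write_text("on: push\njobs: {}\n")
    return root

if __name__ == "__main__":
    repo = build_sample_repo()
    print(render_dependabot(detect_ecosystems(repo)))
```

Run it against a real checkout by passing the repo path to missing_ecosystems together with the contents of its .github/dependabot.yml; a non-empty result means the config is incomplete for that repo.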
Objectives
- upstream-images reaches Dependency-Update-Tool: 10/10.
- Overall Scorecard score for the repo improves above 7.
Demo Required
None
Demo Steps
No response
Epic: #278