
Create dependabot.yml #2914

Merged
merged 1 commit into from
Jul 6, 2022

Conversation

3clypse
Contributor

@3clypse 3clypse commented May 6, 2022

Purpose

Add dependabot dependency check in order to maintain Go and Docker dependencies up-to-date and security updates on time.

https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#enabling-or-disabling-dependabot-security-updates-for-an-individual-repository

Why

  • A way to keep dependency updates in single PRs that are visible to anyone.
  • Security patches could be applied quicker, given the bot will check for updates every day.

+ Info
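For reference, the configuration this thread converges on, assembled here from the review suggestions below (an added example, not a copy of the merged file, which is not reproduced whole on this page):

```yaml
# Assembled example of the configuration discussed in this PR
# (not the merged file itself). GitHub only reads this file
# from .github/dependabot.yml in the repository.
version: 2
updates:
  # Go modules: the go.mod/go.sum at the repository root
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "weekly"   # the reviewer asked for weekly instead of daily
  # Docker: base image tags in the Dockerfile at the repository root
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"
```

The `schedule.interval` here paces version-update PRs only. Dependabot security updates, which the document linked above describes, are switched on in the repository's code security settings and are raised when an alert matches an advisory, independently of this interval.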

@3clypse 3clypse marked this pull request as ready for review May 6, 2022 17:04
@gotjosh
Member

gotjosh commented Jun 13, 2022

I'm a big fan of dependabot and there seems to be precedent already for it in Prometheus -- I don't think this is something that should come from common (Prometheus has different directives it seems).

So in principle this LGTM.

Member

@gotjosh gotjosh left a comment

Can you please remove the comments and set the interval of gomod to weekly?

updates:
# Enable version updates for go modules
- package-ecosystem: "gomod"
# Look for Go modules in the `root` directory
Member

Suggested change
# Look for Go modules in the `root` directory

@@ -0,0 +1,17 @@
version: 2
updates:
# Enable version updates for go modules
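Review bot: the hunk header only shows that a new 17-line file is added; its path is not visible here, and GitHub reads this configuration solely from `.github/dependabot.yml`, so confirm the file is created under `.github/` rather than at the repository top level (the PR title names just `dependabot.yml`).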
Member

Suggested change
# Enable version updates for go modules

- package-ecosystem: "gomod"
# Look for Go modules in the `root` directory
directory: "/"
# Check for updates every day (weekdays)
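Review bot: `directory: "/"` means this entry covers only the go.mod at the repository root; Dependabot does not recurse into subdirectories for `gomod`, so any additional Go module elsewhere in the tree would need its own entry with its own `directory`, otherwise its dependencies stay unmonitored. Worth a short note in the PR description so whoever adds a module later knows to extend this list.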
Member

Suggested change
# Check for updates every day (weekdays)

directory: "/"
# Check for updates every day (weekdays)
schedule:
interval: "daily"
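Review bot: `interval: "daily"` (and the `weekly` value requested in review) only paces Dependabot version updates; it does not delay security updates, which are raised as soon as a Dependabot alert matches an advisory and are enabled separately in the repository's code security settings, as the document linked in the PR description describes. The "security patches could be applied quicker" argument in the description therefore does not depend on a daily interval, and weekly is fine.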
Member

Suggested change
interval: "daily"
interval: "weekly"

Member

Weekly seems like a better interval

Comment on lines 11 to 10
# Enable version updates for Docker
- package-ecosystem: "docker"
# Look for a `Dockerfile` in the `root` directory
directory: "/"
# Check for updates once a week
schedule:
interval: "weekly"
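Review bot: the `docker` entry only updates the tag (or digest) in the `FROM` lines of the Dockerfile it finds at `directory: "/"`; if that Dockerfile uses an untagged or `latest` base image there is nothing for Dependabot to bump and no PRs will appear. Check that the root Dockerfile pins its base image to a specific tag or digest so this entry actually produces updates.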
Member

Suggested change
# Enable version updates for Docker
- package-ecosystem: "docker"
# Look for a `Dockerfile` in the `root` directory
directory: "/"
# Check for updates once a week
schedule:
interval: "weekly"
- package-ecosystem: "docker"
directory: "/"
schedule:
interval: "weekly"

@3clypse
Contributor Author

3clypse commented Jun 13, 2022

Can you please remove the comments and set the interval of gomod to weekly?

Done! Thank you for looking at this :)

Member

@gotjosh gotjosh left a comment

LGTM.

@roidelapluie @simonpasquier what do you think?

@gotjosh
Member

gotjosh commented Jun 27, 2022

Can you try re-pushing to your branch again to see if the CI triggers? I can't seem to find the CI run of this PR on CircleCI to try and let it run.

Add dependabot dependency check in order to maintain dependencies up-to-date and security updates on time.

Signed-off-by: David Ureba <david.ureba@aiven.io>
@3clypse
Contributor Author

3clypse commented Jul 4, 2022

Can you try re-pushing to your branch again to see if the CI triggers? I can't seem to find the CI run of this PR on CircleCI to try and let it run.

I brought the latest changes from prometheus/alertmanager and re-committed my suggestion change.
Let me know if I can do something else.

Thank you.

@gotjosh gotjosh merged commit 3f6b65c into prometheus:main Jul 6, 2022
@gotjosh
Member

gotjosh commented Jul 6, 2022

Thanks!

@3clypse 3clypse deleted the patch-1 branch July 6, 2022 11:50