Create dependabot.yml #2914
I'm a big fan of dependabot and there seems to be precedent already for it in Prometheus -- I don't think this is something that should come from common (Prometheus has different directives it seems). So in principle this LGTM.
Can you please remove the comments and set the interval of gomod to weekly?
.github/dependabot.yml
Outdated
updates: | ||
# Enable version updates for go modules | ||
- package-ecosystem: "gomod" | ||
# Look for Go modules in the `root` directory |
# Look for Go modules in the `root` directory |
.github/dependabot.yml
Outdated
@@ -0,0 +1,17 @@ | |||
version: 2 | |||
updates: | |||
# Enable version updates for go modules |
# Enable version updates for go modules |
.github/dependabot.yml
Outdated
- package-ecosystem: "gomod" | ||
# Look for Go modules in the `root` directory | ||
directory: "/" | ||
# Check for updates every day (weekdays) |
# Check for updates every day (weekdays) |
.github/dependabot.yml
Outdated
directory: "/" | ||
# Check for updates every day (weekdays) | ||
schedule: | ||
interval: "daily" |
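Review bot: on the gomod entry, `interval: "daily"` paces version updates only, so it opens routine bump PRs every weekday without making security fixes arrive sooner. Dependabot security updates are raised from alerts and are enabled in the repository settings, not by this file. Suggest `interval: "weekly"` here and confirming separately that security updates are switched on for the repository.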
interval: "daily" | |
interval: "weekly" |
Weekly seems like a better interval
.github/dependabot.yml
Outdated
# Enable version updates for Docker | ||
- package-ecosystem: "docker" | ||
# Look for a `Dockerfile` in the `root` directory | ||
directory: "/" | ||
# Check for updates once a week | ||
schedule: | ||
interval: "weekly" |
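Review bot: the docker entry with `directory: "/"` only tracks a `Dockerfile` at the repository root, as its own comment says. If any image is built from a Dockerfile in a subdirectory, it needs its own `package-ecosystem: "docker"` entry pointing at that directory, otherwise its base image will not receive update PRs.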
# Enable version updates for Docker | |
- package-ecosystem: "docker" | |
# Look for a `Dockerfile` in the `root` directory | |
directory: "/" | |
# Check for updates once a week | |
schedule: | |
interval: "weekly" | |
- package-ecosystem: "docker" | |
directory: "/" | |
schedule: | |
interval: "weekly" |
Done! Thank you for looking at this :)
LGTM.
@roidelapluie @simonpasquier what do you think?
Can you try re-pushing to your branch again to see if the CI triggers? I can't seem to find the CI run of this PR on CircleCI to try and let it run.
Add dependabot dependency check in order to maintain dependencies up-to-date and security updates on time.

Signed-off-by: David Ureba <david.ureba@aiven.io>
I brought the latest changes from prometheus/alertmanager and re-committed my suggestion change. Let me know if I can do something else. Thank you.
Thanks!
Purpose
Add dependabot dependency check in order to maintain Go and Docker dependencies up-to-date and security updates on time.
https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#enabling-or-disabling-dependabot-security-updates-for-an-individual-repository
Why
+ Info