Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

github: add dependabot configuration file #1427

Merged
merged 1 commit into from Dec 7, 2021

Conversation

umarcor
Copy link
Contributor

@umarcor umarcor commented Jun 29, 2021

Close #907

Dependabot was an external service for keeping dependencies up to date. It was bought by GitHub, and it's now a built-in service which integrates with security updates. See https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically.

In April, GitHub announced that the external service (Dependabot Preview) is to be shut down in August: https://github.blog/2021-04-29-goodbye-dependabot-preview-hello-dependabot/.

This PR adds a dependabot configuration file for checking go dependencies weekly.

Note that this features does NOT auto-merge. It will open PRs, but maintainers will need to merge them, or bump the dependencies otherwise.

Refs: #1420 #1406 #1404 #1364

@github-actions github-actions bot added the admin For general admin tasks to be done usualy by maintainers label Jun 29, 2021
@umarcor umarcor mentioned this pull request Jun 29, 2021
@umarcor umarcor mentioned this pull request Jul 11, 2021
@umarcor
Copy link
Contributor Author

umarcor commented Jul 11, 2021

This PR now checks outdated github-actions too. Ref #1453.

/cc @mmorel-35

@mmorel-35
Copy link
Contributor

mmorel-35 commented Jul 11, 2021

Out of curiosity, why extending the limit of pr to 99 ?

@umarcor
Copy link
Contributor Author

umarcor commented Jul 11, 2021

Out of curiosity, why extending the limit of pr to 99 ?

By default, dependabot will open a limited number of PRs (can't remember whether it's 4 or 10). Therefore, when more than those need to be updated, you don't get to see the big picture. You keep resolving/merging them but you don't know when will it finish. By setting the limit to a large number, you know it will show all the dependencies that can be updated today (or this week, or this month). Then you can see potential conflicts and decide the order you want to follow for merging.

It is arguable whether having a low limit is relevant in this project, since the number of dependencies of cobra is rather low. However, I believe it's better to have an explicit value, rather than rely on GitHub's default. By the way, what I explained above might have changed in the last months, since GitHub first bought the service and then made it built-in.

@umarcor
Copy link
Contributor Author

umarcor commented Jul 11, 2021

It seems the default number is five at the moment:

https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/about-dependabot-version-updates#frequency-of-dependabot-pull-requests

To keep pull requests manageable and easy to review, Dependabot raises a maximum of five pull requests to start bringing dependencies up to the latest version. If you merge some of these first pull requests before the next scheduled update, remaining pull requests will be opened on the next update, up to that maximum. You can change the maximum number of open pull requests by setting the open-pull-requests-limit configuration option.

https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates#open-pull-requests-limit

By default, Dependabot opens a maximum of five pull requests for version updates. Once there are five open pull requests, new requests are blocked until you merge or close some of the open requests, after which new pull requests can be opened on subsequent updates. Use open-pull-requests-limit to change this limit. This also provides a simple way to temporarily disable version updates for a package manager.

This option has no impact on security updates, which have a separate, internal limit of ten open pull requests.

@mmorel-35
Copy link
Contributor

mmorel-35 commented Jul 11, 2021

Thank you for the explanation. I can see why you took that decision.

@umarcor
Copy link
Contributor Author

umarcor commented Aug 4, 2021

ping @jpmcb

macoMarv86 added a commit to macoMarv86/cobra that referenced this pull request Sep 30, 2021
github-dependabot/-spf13#1427/-configuration file
 Co-Authored-By: Matthieu MOREL <mmorel-35@users.noreply.github.com>
umarcor added a commit to umarcor/cobra that referenced this pull request Nov 4, 2021
Co-Authored-By: Matthieu MOREL <mmorel-35@users.noreply.github.com>
umarcor added a commit to umarcor/cobra that referenced this pull request Nov 5, 2021
Co-Authored-By: Matthieu MOREL <mmorel-35@users.noreply.github.com>
Copy link

@stmcginnis stmcginnis left a comment

Looks good, and the explanation for limits makes sense.

umarcor added a commit to umarcor/cobra that referenced this pull request Nov 15, 2021
Co-Authored-By: Matthieu MOREL <mmorel-35@users.noreply.github.com>
Co-Authored-By: Matthieu MOREL <mmorel-35@users.noreply.github.com>
umarcor added a commit to umarcor/cobra that referenced this pull request Nov 16, 2021
Co-Authored-By: Matthieu MOREL <mmorel-35@users.noreply.github.com>
umarcor added a commit to umarcor/cobra that referenced this pull request Nov 16, 2021
Co-Authored-By: Matthieu MOREL <mmorel-35@users.noreply.github.com>
umarcor added a commit to umarcor/cobra that referenced this pull request Nov 25, 2021
Co-Authored-By: Matthieu MOREL <mmorel-35@users.noreply.github.com>
jpmcb
jpmcb approved these changes Dec 7, 2021
@jpmcb jpmcb merged commit d65ba12 into spf13:master Dec 7, 2021
11 checks passed
@jpmcb jpmcb added this to the 1.3.0 milestone Dec 7, 2021
@umarcor umarcor deleted the github-dependabot branch Dec 7, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
admin For general admin tasks to be done usualy by maintainers
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Enable dependabot.com
4 participants