forked from github/dependabot-action
[pull] main from dependabot:main #3
Merged
Bump dockerode (built on Linux)
pull[bot] added the ⤵️ pull label and removed the 🔍 Ready for Review label (Pull Request is not reviewed yet) on Feb 2, 2022
Resolve vulnerability alerts with npm audit fix --force
- Use setup-node with .nvmrc in all workflows
- Prefer to use checkout with an explicit ref in all workflows
- Minor legibility pass on step names/spacing
Consistency and clarity pass on our workflows
We pull in ssh2 via dockerode:

dockerode ↳ docker-modem ↳ ssh2 ↳ cpu-features

Both it and `cpu-features` compile _optional_ native extensions using OpenSSH and cpu-features (https://github.com/google/cpu_features), which result in node-gyp generating two `.node` executables for these bindings.

We have found that these bindings are very sensitive to the build env, which means that developer laptops, Actions and Codespaces result in a diff in the `.node` files, something we seek to prevent in PRs in order to detect cases where code changes are committed without actually being applied to the `dist/` folder.

Since we do not actually SSH into any containers in our implementation, let's just ignore these files in our distributed code rather than make our build more convoluted/less portable.
Ensure the build check fails if there are new untracked files
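As an added example (not code from the dependabot-action repository), a POSIX shell check of the kind the commit above describes: it takes the output of `git status --porcelain` after a build and fails when any modified, deleted or untracked entry falls under `dist/`, so a code change that was never applied to the committed bundle is caught in CI. The function names `dist_drift` and `check_dist_clean` and the sample status text are assumptions made for this example.

```shell
#!/bin/sh
# Added example: fail a CI build when the committed dist/ does not match a fresh build.
# Input is the text of `git status --porcelain` (run after the build step), so the
# logic can be exercised without a repository. Porcelain v1 lines look like:
#   " M dist/index.js"        modified, unstaged
#   "?? dist/new.node"        untracked (a freshly generated binding, for example)
#   "R  old.js -> dist/x.js"  rename whose target lands in dist/
# The status columns are characters 1-2; the path starts at column 4.

# dist_drift: print every status entry whose path lies under dist/.
# Usage: dist_drift "<porcelain text>"
dist_drift() {
  printf '%s\n' "$1" | awk '
    substr($0, 4) ~ /^dist\// { print; next }   # plain path under dist/
    $0 ~ / -> dist\// { print }                 # rename/copy target under dist/
  '
}

# check_dist_clean: return 0 when dist/ is untouched, 1 when the build changed it.
# Untracked files (??) count as drift rather than being ignored, because a newly
# generated file that never got committed is exactly what this check exists to catch.
check_dist_clean() {
  drift=$(dist_drift "$1")
  if [ -n "$drift" ]; then
    printf 'dist/ differs from the committed build; rebuild and commit the result:\n%s\n' "$drift" >&2
    return 1
  fi
  return 0
}

# Constructed sample output, as a build that emitted a new native binding and
# rewrote the bundle might produce (hypothetical file names).
SAMPLE_STATUS=' M dist/index.js
?? dist/cpu-features.node
 M src/main.ts'

if check_dist_clean "$SAMPLE_STATUS"; then
  echo "dist/ is up to date"
else
  echo "build check failed (expected for the constructed sample)"
fi

# In a workflow step: check_dist_clean "$(git status --porcelain -- dist)" || exit 1
```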
As a preamble to pinning the image versions we use, this introduces `npm run fetch-images` as a way to pre-pull the images defined in docker_tags.ts, which we will set to specific SHAs in future versions.

This ensures CI and developers pull the images before attempting to run the code to avoid any surprise breakages.

It also makes the presence of a GITHUB_TOKEN envvar a validation check in ImageService.pull to avoid confusing docker errors if it isn't present.

Finally, it avoids passing any auth credentials to non-GitHub hosts when we run our tests.

Co-Authored by: Philip Harrison <philip@mailharrison.com>
Use the ImageService to fetch dependencies in development and CI
v1.0.0 release notes
Upgrade to Node 16
v2.0.0 Release
Bumps [ts-jest](https://github.com/kulshekhar/ts-jest) from 27.0.7 to 27.1.3.
- [Release notes](https://github.com/kulshekhar/ts-jest/releases)
- [Changelog](https://github.com/kulshekhar/ts-jest/blob/main/CHANGELOG.md)
- [Commits](kulshekhar/ts-jest@v27.0.7...v27.1.3)

---
updated-dependencies:
- dependency-name: ts-jest
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
…ebhooks-types-6.3.6 Bump @octokit/webhooks-types from 5.4.0 to 6.3.6
Bumps [ts-node](https://github.com/TypeStrong/ts-node) from 10.7.0 to 10.9.1.
- [Release notes](https://github.com/TypeStrong/ts-node/releases)
- [Commits](TypeStrong/ts-node@v10.7.0...v10.9.1)

---
updated-dependencies:
- dependency-name: ts-node
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
…0.9.1 Bump ts-node from 10.7.0 to 10.9.1
Bumps [@vercel/ncc](https://github.com/vercel/ncc) from 0.31.1 to 0.34.0.
- [Release notes](https://github.com/vercel/ncc/releases)
- [Commits](vercel/ncc@0.31.1...0.34.0)

---
updated-dependencies:
- dependency-name: "@vercel/ncc"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
This isn't being done via automation for dev dependencies, which is breaking the build.
We've had several builds fail because the `dist/` directory has changes in it after it builds. I don't know the history of excluding dev dependencies from this check, but it seems to be wrong.
Build the `dist/` directory for dev dependencies
Bumps [npm](https://github.com/npm/cli) from 8.13.1 to 8.18.0.
- [Release notes](https://github.com/npm/cli/releases)
- [Changelog](https://github.com/npm/cli/blob/latest/CHANGELOG.md)
- [Commits](npm/cli@v8.13.1...v8.18.0)

---
updated-dependencies:
- dependency-name: npm
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bump npm from 8.13.1 to 8.18.0
…c-0.34.0 Bump @vercel/ncc from 0.31.1 to 0.34.0
Bumps [typescript](https://github.com/Microsoft/TypeScript) from 4.3.5 to 4.8.2.
- [Release notes](https://github.com/Microsoft/TypeScript/releases)
- [Commits](microsoft/TypeScript@v4.3.5...v4.8.2)

---
updated-dependencies:
- dependency-name: typescript
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Typescript started handling `error: unknown` in v4.0. It hadn't been enforced strictly until now.
…t-4.8.2 Bump typescript from 4.3.5 to 4.8.2
Bumps [dependabot/fetch-metadata](https://github.com/dependabot/fetch-metadata) from 1.3.1 to 1.3.3.
- [Release notes](https://github.com/dependabot/fetch-metadata/releases)
- [Commits](dependabot/fetch-metadata@v1.3.1...v1.3.3)

---
updated-dependencies:
- dependency-name: dependabot/fetch-metadata
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
…bot/fetch-metadata-1.3.3 Bump dependabot/fetch-metadata from 1.3.1 to 1.3.3
*Note* We needed to add the `User: 'root'` declaration to have this run as it did previously. The updater image no longer runs updates as root, but as `dependabot`.
Point to new Updater image URL
Bumps [typescript](https://github.com/Microsoft/TypeScript) from 4.8.2 to 4.8.4.
- [Release notes](https://github.com/Microsoft/TypeScript/releases)
- [Commits](microsoft/TypeScript@v4.8.2...v4.8.4)

---
updated-dependencies:
- dependency-name: typescript
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
…t-4.8.4 Bump typescript from 4.8.2 to 4.8.4
Bumps github/dependabot-update-job-proxy/dependabot-update-job-proxy from v2.0.20220822132059 to v2.0.20220930205121.

---
updated-dependencies:
- dependency-name: github/dependabot-update-job-proxy/dependabot-update-job-proxy
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
…ependabot-update-job-proxy/dependabot-update-job-proxy-v2.0.20220930205121 Bump github/dependabot-update-job-proxy/dependabot-update-job-proxy from v2.0.20220822132059 to v2.0.20220930205121 in /docker
Bumps [dependabot/fetch-metadata](https://github.com/dependabot/fetch-metadata) from 1.3.3 to 1.3.4.
- [Release notes](https://github.com/dependabot/fetch-metadata/releases)
- [Commits](dependabot/fetch-metadata@v1.3.3...v1.3.4)

---
updated-dependencies:
- dependency-name: dependabot/fetch-metadata
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
…bot/fetch-metadata-1.3.4 Bump dependabot/fetch-metadata from 1.3.3 to 1.3.4
trafico-bot added the ✨ Merged label (Pull Request has been merged successfully) and removed the 🔍 Ready for Review label (Pull Request is not reviewed yet) on Oct 3, 2022
See Commits and Changes for more details.
Created by pull[bot]
Can you help keep this open source service alive? 💖 Please sponsor : )