From 59541332fa4e4d101ac87ef8e60ee4448e946d9c Mon Sep 17 00:00:00 2001
From: Anton Gilgur
Date: Mon, 31 Aug 2020 11:49:19 -0400
Subject: [PATCH] env/deps: remove greenkeeper.json, configure dependabot.yml (#846)

- Greenkeeper has shut down, Snyk has been incredibly annoying and can't be configured in the codebase (installed by Jared and could only be configured by Jared), so use native Dependabot now
- GitHub acquired Dependabot a little over a year ago and it is what powers GitHub vulnerability updates
- set-up sensible defaults with YAML anchor/alias
- to only make PRs weekly, not spam daily
- to only make PRs for deps, not devDeps
- to only increase version when necessary, not for every patch and minor bump when a dep isn't pinned anyway
- to use "deps:" prefix similarly to what I use
- set-up Dependabot to ignore /website entirely, for dep upgrades and vulnerabilities, as it is not a published package and doesn't really have an attack surface area
- should only be updated as needed, not whenever a dep is upgraded
- temporarily ignore "/" as well because it's currently being updated so don't want duplication spam
- but leave security PRs on, only dep upgrades off
---
 .github/dependabot.yml | 33 +++++++++++++++++++++++++++++++++
 greenkeeper.json | 10 ----------
 2 files changed, 33 insertions(+), 10 deletions(-)
 create mode 100644 .github/dependabot.yml
 delete mode 100644 greenkeeper.json

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 000000000..4ed60c768
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,33 @@
+version: 2
+
+# default configuration
+defaults: &defaults
+ package-ecosystem: npm
+ directory: '/'
+ schedule:
+ interval: weekly # don't spam daily
+ # only increase version when required, don't bump every patch or minor
+ versioning-strategy: increase-if-necessary
+ allow:
+ # only upgrade prod deps (not devDeps)
+ - dependency-name: '*'
+ dependency-type: production
+ commit-message:
+ prefix: 'deps:' # prefix commit with deps: for consistency
+
+updates:
+ # configuration for /
+ - <<: *defaults
+ # temporarily disable dep upgrade PRs for / as they're being updated
+ open-pull-requests-limit: 0
+
+ # configuration for /website
+ - <<: *defaults
+ directory: /website
+ # /website is not a published package and doesn't really have an attack
+ # surface area, should only be updated as needed, not as soon as deps change
+ ignore:
+ # no security PRs for /website
+ - dependency-name: '*'
+ # disable dep upgrade PRs for /website
+ open-pull-requests-limit: 0
diff --git a/greenkeeper.json b/greenkeeper.json
deleted file mode 100644
index c2c0e7059..000000000
--- a/greenkeeper.json
+++ /dev/null
@@ -1,10 +0,0 @@
-{
- "groups": {
- "default": {
- "packages": [
- "package.json",
- "templates/react/example/package.json"
- ]
- }
- }
-}
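Review bot: The `ignore:` block with `- dependency-name: '*'` under the `/website` entry, near the end of the dependabot.yml hunk, switches off Dependabot security PRs for that directory as well (its own comment `# no security PRs for /website` says so), whereas the `/` entry keeps security PRs and only sets `open-pull-requests-limit: 0`. Even though /website is not a published package, its dependencies are presumably still installed and run wherever the site is built, so a vulnerable or compromised package there is a supply-chain exposure rather than a runtime one; consider dropping the `ignore:` entry and relying on `open-pull-requests-limit: 0` alone so /website behaves like `/` — security PRs on, version-upgrade PRs off. The `/` limit is described as temporary in the commit message but nothing in the file records when to lift it, so a dated or conditional marker next to it would help, e.g. `# TODO: remove once the in-progress dependency refresh for / lands`. Separately, the `allow:` filter restricting to `dependency-type: production` is inherited by both entries through the `*defaults` alias, so devDependencies never get version PRs in either directory; that matches the comment's intent but is easy to miss from the `updates:` list, so a one-line comment there stating that both entries inherit the production-only filter would make the effective policy readable in place.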