Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: add dependabot.yml configuration #4179

Merged
merged 6 commits into from
Oct 12, 2023
Merged

chore: add dependabot.yml configuration #4179

merged 6 commits into from
Oct 12, 2023

Conversation

straker
Copy link
Contributor

@straker straker commented Oct 11, 2023

This PR adds dependabot configuration for automatically updating dependencies for NPM and GitHub Actions. While I was updating the actions for sha pinning, I also updated to not use actions/cache for npm cache and instead use actions/setup-node as is recommended, and updated the actions to run on node 20.

@straker straker requested a review from a team as a code owner October 11, 2023 18:09
dbjorge
dbjorge previously requested changes Oct 11, 2023
View reviewed changes
.github/dependabot.yml Outdated Show resolved Hide resolved
.github/dependabot.yml Outdated Show resolved Hide resolved
.github/dependabot.yml Outdated Show resolved Hide resolved
.github/dependabot.yml Outdated Show resolved Hide resolved
.github/workflows/format.yml Outdated Show resolved Hide resolved
@straker straker mentioned this pull request Oct 11, 2023
Merged
@straker
Copy link
Contributor Author

straker commented Oct 11, 2023

Created #4180 to update or replace all the pins

WilcoFiers
WilcoFiers approved these changes Oct 12, 2023
View reviewed changes
Copy link
Contributor

@WilcoFiers WilcoFiers left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Left one suggestions

.github/workflows/format.yml
# Workflows are not allowed to edit workflows. As result, we need to prevent Prettier from formatting them.
- name: Prevent workflows from being formatted
run: echo ".github" >> .prettierignore
- run: npm run fmt
# Prevent the prettierignore change from being committed.
- run: git checkout .prettierignore
- uses: stefanzweifel/git-auto-commit-action@v4
- uses: stefanzweifel/git-auto-commit-action@8756aa072ef5b4a080af5dc8fef36c5d586e521d # tag=v5
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I assume you did a security review on these. Is it worth sticking a comment in here to document that?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Checking in a tag + pinned SHA like this is exactly comparable to checking in a version range + lockfile for an npm dependency - why require comments here but not there?

dbjorge
dbjorge approved these changes Oct 12, 2023
View reviewed changes
Copy link
Contributor

@dbjorge dbjorge left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks for leaving the comment breadcrumb for #3771

@straker straker merged commit 449feed into develop Oct 12, 2023
18 checks passed
@straker straker deleted the dependabot branch October 12, 2023 14:18
@WilcoFiers WilcoFiers mentioned this pull request Mar 25, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@WilcoFiers WilcoFiers WilcoFiers approved these changes

@dbjorge dbjorge dbjorge approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@straker @dbjorge @WilcoFiers