-
Notifications
You must be signed in to change notification settings - Fork 981
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(dependabot): Add dependabot to check for vulnerabilies and updat… #4035
Conversation
.github/dependabot.yml
Outdated
schedule: | ||
interval: daily | ||
|
||
- package-ecosystem: gomod |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
let's group all directories for each package ecosystem together.
See https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#directories for more details.
okay, well do you prefer daily checks, or should I make it weekly? |
Signed-off-by: BLANKatGITHUB <131886247+BLANKatGITHUB@users.noreply.github.com>
45639a7
to
8222987
Compare
Weekly is enough, thanks! 🙏🏼 |
well I made adjustments , it will check for latest versions of dependencies , you will have to change the version of languages manually though for python and go . Dependabot makes pr for dependencies not language . |
Thanks! |
@BLANKatGITHUB dependabot start working but it is a bit noisy :) I saw it is possible to group updates into a single update PR using groups: do you mind improving the file so that it will group the updates under a single |
I will try. |
Also, worth limiting these updates to (security) patches only if possible. We do not always want to update to latest due to the distribution limitations. |
umm I dont understand? You want depandabot to create only security update prs? |
@BLANKatGITHUB please look at this PR for example: it was opened with version that is not even present on distributions that we run on (ubuntu 20.04) see here: if we limit updates to patch updates only, hopefully this won't happen. |
So basically only security updates right? |
yes, if possible |
This will automatically scan for updates in dependencies and create pull request to merge them.
/contrib/charts/dragonfly
directory./tests/dragonfly
directory./tools/replay
directory./tools
directory.