
feat(dependabot): Add dependabot to check for vulnerabilities and updat… #4035

Merged
merged 3 commits into from
Nov 4, 2024

Conversation

BLANKatGITHUB
Contributor

This will automatically scan for updates in dependencies and create pull requests to merge them.

  • Added daily update schedule for GitHub Actions workflows in the root directory.
  • Added daily update schedule for Go modules in the /contrib/charts/dragonfly directory.
  • Added daily update schedule for Python packages in the /tests/dragonfly directory.
  • Added daily update schedule for Go modules in the /tools/replay directory.
  • Added daily update schedule for Python packages in the /tools directory.

schedule:
interval: daily

- package-ecosystem: gomod
Collaborator


@BLANKatGITHUB
Contributor Author

okay, well do you prefer daily checks, or should I make it weekly?

Signed-off-by: BLANKatGITHUB <131886247+BLANKatGITHUB@users.noreply.github.com>
@romange
Collaborator

romange commented Nov 4, 2024

Weekly is enough, thanks! 🙏🏼

@BLANKatGITHUB
Contributor Author

Well, I made adjustments; it will check for the latest versions of dependencies. You will have to change the version of languages manually though, for Python and Go. Dependabot makes PRs for dependencies, not languages.

@romange
Collaborator

romange commented Nov 4, 2024

Thanks!

@romange romange merged commit fb7ea6c into dragonflydb:main Nov 4, 2024
9 checks passed
@romange
Collaborator

romange commented Nov 4, 2024

@BLANKatGITHUB Dependabot started working, but it is a bit noisy :)

I saw it is possible to group updates into a single update PR using groups:
https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#example-2

Do you mind improving the file so that it will group the updates under a single dev-dependencies group?

@BLANKatGITHUB
Contributor Author

I will try.

@romange
Collaborator

romange commented Nov 5, 2024

Also, worth limiting these updates to (security) patches only if possible. We do not always want to update to latest due to the distribution limitations.

@BLANKatGITHUB
Contributor Author

Umm, I don't understand. You want Dependabot to create only security update PRs?

@romange
Collaborator

romange commented Nov 5, 2024

@BLANKatGITHUB please look at this PR for example:
#4061

It was opened with a version that is not even present on the distributions that we run on (Ubuntu 20.04); see here:
https://github.com/dragonflydb/dragonfly/actions/runs/11672206748/job/32500305414

If we limit updates to patch updates only, hopefully this won't happen.

@BLANKatGITHUB
Contributor Author

So basically only security updates right?

@romange
Collaborator

romange commented Nov 5, 2024

yes, if possible
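A dependabot.yml that does what the thread asks (weekly schedule, one dev-dependencies group, and only patch-level version bumps), written as an added example and not the file merged in this PR; the directories are the ones listed in the PR description, and only three of the five entries are shown. Note that Dependabot security updates are switched on in the repository's code security settings rather than in this file, but the `ignore` and `groups` rules below still apply to the PRs they open.

```yaml
# Added example, not the merged file: weekly checks, grouped PRs, patch-only bumps.
version: 2
updates:
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
    groups:
      dev-dependencies:
        patterns: ["*"]
        update-types: ["patch"]

  - package-ecosystem: gomod
    directory: /tools/replay
    schedule:
      interval: weekly
    groups:
      # One PR per run instead of one PR per module (the "noisy" complaint above).
      dev-dependencies:
        patterns: ["*"]
        update-types: ["patch"]
    ignore:
      # Major and minor bumps are skipped entirely, so a module version that the
      # distributions the CI runs on (Ubuntu 20.04 in #4061) do not ship is never
      # proposed. Without this, non-patch updates still open individual PRs.
      - dependency-name: "*"
        update-types: ["version-update:semver-major", "version-update:semver-minor"]

  - package-ecosystem: pip
    directory: /tests/dragonfly
    schedule:
      interval: weekly
    groups:
      dev-dependencies:
        patterns: ["*"]
        update-types: ["patch"]
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major", "version-update:semver-minor"]
```

The two remaining entries (gomod in /contrib/charts/dragonfly and pip in /tools) follow the same shape; any dependency that must still receive minor bumps can be carved out with its own `dependency-name` entry instead of the `"*"` wildcard.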
