Improve ci.yml and add dependabot.yml #2767
Conversation
| contents: read | ||
|
|
||
| concurrency: | ||
| group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} |
There was a problem hiding this comment.
Is the head_ref the commit sha? If so, won't this be different every time? I'd have thought that maybe the PR number would be what we want
There was a problem hiding this comment.
No:
The head_ref or source branch of the pull request in a workflow run. This property is only available when the event that triggers a workflow run is either pull_request or pull_request_target.
https://docs.github.com/en/actions/learn-github-actions/variables
This is a copy/paste from https://github.com/python/cpython/blob/408e127159e54d87bb3464fd8bd60219dc527fac/.github/workflows/build.yml#L28-L30
|
@sobolevn I've started getting lots of annoying notifications like this. Is there a way to disable these? Thank you
|
|
Hm, this is interesting. Looks like you use "Rebase and merge" strategy, which I don't use. Give me a moment please, I will search what the options are. |
|
I found this: https://stackoverflow.com/a/75403978/4842742 Should we try it? Or should I revert the |
|
I think it may have been as I merged several PRs in quick succession. Maybe we can keep the config for a little while and see how often this happens. |
Here's the full list of changes:
workflow_dispatch:allows you to manually run actions from the admin panel: https://github.com/gleam-lang/gleam/actions/workflows/ci.yaml It is really useful sometimes, in other cases it just does nothingpermissions:sets stricter security rules for this workflow. It should not be able to do anything. Upload / download of artifacts will continue to work: Add details on authentication / permissions used during upload actions/upload-artifact#197permissions:can be set on individual jobs as well, if needed laterconcurrency:cancels previous jobs, when new commits are pushed to the CI. It helps to save extra resources and not to continue meaningless workworkflow.ostorunner.os, because the first is not really about the runner os, it is just the label we usenode-version:is updated, because16is reaching its EOL, see https://nodejs.org/en/about/previous-releases18is still good 👍dependabot.ymlwhich is a nice tool to update deps, embeded into GitHub itself. It should not be very noisy and can help doing what I'm doing now :)