Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependabot.yaml for security updates #301

Closed
wants to merge 2 commits into from
Closed

Update dependabot.yaml for security updates #301

wants to merge 2 commits into from

Conversation

jsafrane
Copy link
Contributor

@jsafrane jsafrane commented Jun 14, 2023
edited
Loading

What type of PR is this?
/kind cleanup

What this PR does / why we need it:
Testing if dependabot can create security pull request for release-2.6, 2.7 and 2.8 branches.

I am trying to cheat with a separate updates entry per branch.

Most likely this will not work, dependabot cannot bump only security-relevan dependencies in older branches, see dependabot/dependabot-core#2767 (comment)

Does this PR introduce a user-facing change?:

NONE

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Jun 14, 2023
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jsafrane

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Jun 14, 2023
@jsafrane
Update dependabot.yaml for security updates
7d199b7 
Testing if dependabot can create security pull request for release-2.6, 2.7 and 2.8 branches.

I am trying to cheat with a separate `updates` entry per branch.

Most likely dependabot cannot bump only security-relevan dependencies in older branches, see  dependabot/dependabot-core#2767 (comment)
xing-yang
xing-yang reviewed Jun 14, 2023
View reviewed changes
.github/dependabot.yaml Outdated
- "release-note-none"
- "ok-to-test"
open-pull-requests-limit: 0
target-branch: "release-2.6"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add a comment that these target-branches should be examined and updated after we cut a release following a K8s release to make sure only supported branches have this bot?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I polished it a bit and added a comment.

@humblec
Copy link
Contributor

humblec commented Jun 14, 2023

Hopefully this works (dependabot/dependabot-core#2511 (comment)) , also its better if we got support for wildcard or an array in target branch conf (dependabot/dependabot-core#2511)

@jsafrane
Add comment about older version.
c162b92 
And polish the file.
mauriciopoppe
mauriciopoppe reviewed Jun 14, 2023
View reviewed changes
.github/dependabot.yaml
@@ -18,3 +19,40 @@ updates:
- "release-note-none"
- "ok-to-test"
open-pull-requests-limit: 10

# The list below needs to be maintained manually with every branch we support.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: group package-ecosystem changes in one block i.e. before the github-actions block or moving the first one here
nit: squash commits

cc @dzjiang91, if the PR gets created for a release branch I think that we could do the diff with the one created for master to see if there are changes i.e. to see if cherrypicking the change on master to the release branches is the same as what the bot creates.

@jsafrane
Copy link
Contributor Author

I opened this PR using github editor and it opened a branch in kubernetes-csi/node-driver-registrar, not in my fork. And I can't squash commits there - Kubernetes repos have protection against force push.

I am closing this PR, I'll reopen another one from my fork.

@jsafrane jsafrane closed this Jun 15, 2023
@jsafrane
Copy link
Contributor Author

jsafrane commented Jun 15, 2023
edited
Loading

And I can't even delete the branch, sorry! I used my admin superpower, disabled branch protection on jsafrane-patch-1 branch and deleted it.

@jsafrane jsafrane mentioned this pull request Jun 15, 2023
Merged
@jsafrane
Copy link
Contributor Author

Opened #302

@jsafrane jsafrane deleted the jsafrane-patch-1 branch June 15, 2023 08:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mauriciopoppe mauriciopoppe mauriciopoppe left review comments

@xing-yang xing-yang xing-yang left review comments

@j-griffith j-griffith Awaiting requested review from j-griffith

Assignees
No one assigned
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. release-note-none Denotes a PR that doesn't merit a release note. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@jsafrane @k8s-ci-robot @humblec @xing-yang @mauriciopoppe