Enhancement: Use dependabot #111

Merged: 1 commit merged on Jun 14, 2020


localheinz
Contributor

@localheinz localheinz commented Feb 5, 2020

This PR

💁‍♂ This probably requires setting up Dependabot and disabling Violinist - is this something you would be up for, @Jan0707?

@localheinz localheinz requested a review from Jan0707 February 5, 2020 09:43
@localheinz localheinz closed this Mar 1, 2020
@localheinz localheinz deleted the feature/dependabot branch March 1, 2020 09:32
@localheinz localheinz restored the feature/dependabot branch March 1, 2020 09:33
@localheinz localheinz reopened this Mar 1, 2020
@localheinz localheinz force-pushed the feature/dependabot branch from f7a7d54 to 2004768 Compare March 1, 2020 09:35
@localheinz localheinz force-pushed the feature/dependabot branch from 2004768 to b411eed Compare May 12, 2020 12:09
@Jan0707
Owner

Jan0707 commented May 12, 2020

What's the benefit that we see here?

@localheinz
Contributor Author

@Jan0707

Dependabot can be configured to

  • update composer.json as well
  • automatically merge pull requests when the build passes

For reference, see https://dependabot.com/docs/config-file/.

I believe the most compelling argument is that pull requests can be automatically merged.

Apart from that, Dependabot has been acquired by GitHub and is the de facto standard solution for updating dependencies for a wide range of package managers.

@localheinz
Contributor Author

@Jan0707

Violinist currently updates composer.lock only, which is pretty much useless, as we run builds against lowest, locked, and highest versions.

@Jan0707
Owner

Jan0707 commented May 12, 2020

I feel this would bind us even more to GitHub and its ecosystem. Is that a shared concern? If not then we could go ahead.

@Jan0707
Owner

Jan0707 commented May 18, 2020

ping @localheinz
I assume you think this is a worthwhile trade-off?

@localheinz localheinz force-pushed the feature/dependabot branch from b411eed to bba96b6 Compare June 14, 2020 22:40
@localheinz
Contributor Author

localheinz commented Jun 14, 2020

@Jan0707

With Dependabot moving natively into GitHub, I think that the switch makes a lot of sense.

In addition, the latest version of Dependabot allows updating GitHub Actions as well.

@localheinz localheinz merged commit 458c95a into Jan0707:master Jun 14, 2020
@localheinz localheinz deleted the feature/dependabot branch June 14, 2020 22:42