Create dependabot.yml file for dependabot to create pull requests #3843

Closed
4 tasks done
Suman2795 opened this issue Jan 19, 2023 · 17 comments
Assignees
Labels
Complexity: Small (Take this type of issues after the successful merge of your second good first issue)
Feature: Board/GitHub Maintenance (Project board maintenance that we have to do repeatedly)
Feature: Refactor GHA (Refactoring GitHub actions to fit latest architectural norms)
role: back end/devOps (Tasks for back-end developers)
size: 1pt (Can be done in 4-6 hours)
Milestone

Comments

@Suman2795
Member

Suman2795 commented Jan 19, 2023

Overview

GH Dependabot has been enabled to issue alerts for vulnerabilities and security. Therefore we need a configuration file, dependabot.yml, to create pull requests so that we maintain up-to-date security in our repo.

Action Items

Resources/Instructions

@Suman2795 Suman2795 added role: back end/devOps Tasks for back-end developers Complexity: Small Take this type of issues after the successful merge of your second good first issue labels Jan 19, 2023
@github-actions github-actions bot added the Feature Missing This label means that the issue needs to be linked to a precise feature label. label Jan 19, 2023
@blulady blulady added Feature: Refactor GHA Refactoring GitHub actions to fit latest architectural norms role: dev leads Tasks for technical leads and removed Feature Missing This label means that the issue needs to be linked to a precise feature label. labels Jan 19, 2023

@github-actions github-actions bot added the 2 weeks inactive An issue that has not been updated by an assignee for two weeks label Feb 24, 2023

@ExperimentsInHonesty ExperimentsInHonesty removed the 2 weeks inactive An issue that has not been updated by an assignee for two weeks label Feb 26, 2023

@jdingeman jdingeman added Ready for Prioritization and removed role: dev leads Tasks for technical leads ready for dev lead Issues that tech leads or merge team members need to follow up on labels Apr 7, 2023

@jdingeman jdingeman added the Feature: Board/GitHub Maintenance Project board maintenance that we have to do repeatedly label Apr 7, 2023
@one2code one2code self-assigned this Apr 20, 2023
@github-actions

Hi @one2code, thank you for taking up this issue! Hfla appreciates you :)

Do let fellow developers know about your:
i. Availability: (When are you available to work on the issue/answer questions other programmers might have about your issue?)
ii. ETA: (When do you expect this issue to be completed?)

You're awesome!

P.S. - You may not take up another issue until this issue gets merged (or closed). Thanks again :)

@one2code
Member

Availability: 11 AM - 5PM EST on 4/20/23, 1-4 PM EST on 4/21/23, and available to answer questions at various times between 8 PM -4 AM between 4/21/23 - 4/23/23
ETA: 4/26/23

@one2code
Member

Progress: Reviewed relevant documentation and began creating the config file on a new branch
Blockers: Understanding how to create the dependabot.yml without having admin access in settings to automatically configure Dependabot as shown in fig. 1. I reviewed relevant .yml files in the workflows directory to develop a deeper understanding of how to configure Dependabot.
Availability: 4/29/23-4/30/23 afternoon.
ETA: 4/30/23

@github-actions github-actions bot added the To Update ! No update has been provided label May 5, 2023
@one2code
Member

one2code commented May 5, 2023

Progress: Created the dependabot.yml file based on the package managers listed in the package.json/lock file, and enabled version and security updates on my fork
Blockers: Having trouble testing it to verify that it works correctly. Need some guidance.
Availability: 5/5/23 Available 5-10pm EST. Then available to answer private messages on Slack (Travis) at various times throughout the weekend. Will be able to implement recommendations for testing during the evenings on the weekend, and will have all day available on 5/9/23 if need be.
ETA: 5/9/23

@one2code one2code added the Status: Help Wanted Internal assistance is required to make progress label May 5, 2023
@one2code
Member

Progress: The dependabot.yml configuration file is now being read, as determined in Insights > Dependency graph > Dependabot

Blockers: Difficulty in testing GitHub Actions without merging (create-dependabot.yml#3843 not found). Trying to find a way to test on a different branch. Tried changing the target-branch to "/", same issue persists. The npm package manifest is also not located in root, which will have to be resolved later.

Availability: Afternoon 5/10/23, evening 5/12/23, and afternoon 5/13 + 5/14 EST

ETA: 5/14/23
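The configuration this issue asks for, together with a pre-flight check for the two problems reported in the comments above (the npm manifest not sitting in the directory the config points at, and target-branch set to "/"), as an added example that is not part of the issue, the project's repository, or Dependabot itself. It assumes the file lives at .github/dependabot.yml on the default branch: Dependabot reads version-update configuration only from the default branch, which is why pushing it to a side branch produces no pull requests, and a fork has Dependabot switched off until it is enabled under Insights > Dependency graph > Dependabot. The /frontend path for package.json is a hypothetical placeholder, since the thread only says the manifest is not at the root. The keys used (version, updates, package-ecosystem, directory, schedule, open-pull-requests-limit, target-branch) are real Dependabot keys; directory is a path relative to the repository root and target-branch is a branch name, never a path. Ruby is used because its standard library parses YAML without any extra gems.

```ruby
# Added example, not code from the hackforla/website repo or from Dependabot:
# parse a dependabot.yml and check it against the repository layout before it
# is pushed to the default branch, where Dependabot will actually read it.
require 'yaml'

# Constructed repository listing. "frontend/package.json" is a hypothetical
# stand-in for the non-root npm manifest the issue mentions.
REPO_FILES = %w[
  .github/workflows/ci.yml
  .github/dependabot.yml
  frontend/package.json
  frontend/package-lock.json
].freeze

# Config as first attempted in the thread: npm pointed at the root (where there
# is no package.json) and target-branch given a path instead of a branch name.
BROKEN_YML = <<~YAML
  version: 2
  updates:
    - package-ecosystem: "github-actions"
      directory: "/"
      schedule:
        interval: "weekly"
    - package-ecosystem: "npm"
      directory: "/"
      schedule:
        interval: "weekly"
      target-branch: "/"
YAML

# Corrected config: directory points at the folder holding package.json, and
# target-branch is dropped so pull requests target the default branch.
FIXED_YML = <<~YAML
  version: 2
  updates:
    - package-ecosystem: "github-actions"
      directory: "/"
      schedule:
        interval: "weekly"
    - package-ecosystem: "npm"
      directory: "/frontend"
      schedule:
        interval: "weekly"
      open-pull-requests-limit: 5
YAML

# Manifest files Dependabot looks for inside `directory`, per ecosystem
# (a subset of the supported ecosystems; github-actions is special-cased).
MANIFESTS = {
  'github-actions' => ['.github/workflows'],
  'npm'            => ['package.json'],
  'bundler'        => ['Gemfile'],
  'pip'            => ['requirements.txt', 'pyproject.toml'],
  'docker'         => ['Dockerfile'],
}.freeze

# True if `path` is a file in the listing or a directory that contains one.
def present?(repo_files, path)
  repo_files.any? { |f| f == path || f.start_with?("#{path}/") }
end

# Returns a list of human-readable problems; an empty list means the config
# points at manifests that actually exist.
def validate(config_text, repo_files)
  cfg = YAML.safe_load(config_text)
  errors = []
  errors << 'version must be 2' unless cfg['version'] == 2
  updates = cfg['updates'] || []
  errors << 'no updates entries' if updates.empty?

  updates.each_with_index do |u, i|
    eco = u['package-ecosystem']
    dir = u['directory']
    label = "updates[#{i}] (#{eco})"

    errors << "#{label}: unknown package-ecosystem" unless MANIFESTS.key?(eco)
    errors << "#{label}: directory must be a path starting with '/'" unless dir.is_a?(String) && dir.start_with?('/')
    errors << "#{label}: schedule.interval is required" unless u.dig('schedule', 'interval')

    # target-branch names a git branch; a leading or trailing slash means it
    # was confused with `directory`.
    tb = u['target-branch']
    if tb && (tb.start_with?('/') || tb.end_with?('/'))
      errors << "#{label}: target-branch #{tb.inspect} looks like a path, not a branch name"
    end
    next unless MANIFESTS.key?(eco) && dir.is_a?(String) && dir.start_with?('/')

    if eco == 'github-actions'
      # Workflow files are always read from .github/workflows with directory "/".
      errors << "#{label}: directory should be \"/\"" unless dir == '/'
      errors << "#{label}: no .github/workflows in repository" unless present?(repo_files, '.github/workflows')
    else
      base = dir == '/' ? '' : "#{dir.delete_prefix('/')}/"
      candidates = MANIFESTS[eco].map { |m| base + m }
      unless candidates.any? { |p| present?(repo_files, p) }
        errors << "#{label}: none of #{candidates.inspect} exists; Dependabot will find nothing to update"
      end
    end
  end
  errors
end

if __FILE__ == $PROGRAM_NAME
  { 'broken' => BROKEN_YML, 'fixed' => FIXED_YML }.each do |name, yml|
    problems = validate(yml, REPO_FILES)
    puts "#{name}: #{problems.empty? ? 'ok' : "\n  " + problems.join("\n  ")}"
  end
end
```

Running the script reports two problems for the first config (no package.json under "/" and a path-shaped target-branch) and none for the second. The check only proves the config points at real manifests; whether GitHub parsed the file still has to be confirmed on the Insights > Dependency graph > Dependabot page after the file lands on the default branch.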

@blulady
Member

blulady commented May 11, 2023

@one2code So it looks like we did do it correctly. It looks like GitHub no longer creates a public PR but sends an email instead. So check your emails...

@blulady
Member

blulady commented May 11, 2023

Actually it did create PRs in my repo...

@github-actions github-actions bot removed the To Update ! No update has been provided label May 12, 2023
steven-positive-tran added a commit to steven-positive-tran/website that referenced this issue May 16, 2023
steven-positive-tran added a commit to steven-positive-tran/website that referenced this issue May 16, 2023
one2code added a commit to one2code/website that referenced this issue May 18, 2023
@one2code one2code removed the Status: Help Wanted Internal assistance is required to make progress label May 21, 2023
blulady pushed a commit that referenced this issue May 25, 2023
* dependabot config file

* deleted dependabot config file

* Updated dependabot configuration file

* Updated NPM pathway
@t-will-gillis
Member

PR 4733 associated with this issue has been merged.

7 participants