Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add dependabot config #210

Merged
merged 1 commit into from
Feb 14, 2024
Merged

Add dependabot config #210

merged 1 commit into from
Feb 14, 2024

Conversation

kolyshkin
Copy link
Collaborator

This way it can create PRs to update various dependencies (in Go modules and github workflow rules).

Cc @rhatdan

@austinvazquez
Copy link
Contributor

austinvazquez commented Feb 13, 2024

LGTM, another thread I would like to start is enabling rubberstamp approvals and auto-merge automation for minor dependency updates. Dependabot can create quite a few PRs and overwhelm maintainers. I can try a proof of concept and propose a mechanism separately from this. Perhaps we can start with selinux and if successful apply the mechanism to other projects? cc: @kolyshkin @rhatdan wdyt?

version: 2
updates:
# Dependencies listed in go.mod
- package-ecosystem: "gomod"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

With this repository being a library, I don't think we need to update module versions, unless there's a critical reason for it in the call path. Doing so would violate go modules MVS (which requires lowest version to be specified)

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right. I'll remove this.

(Wonder what to do about other repos such as runc, which is a library and a binary at the same time)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, those can be the tricky ones. I think currently it's probably OK (we update main, but not release branches), although we could be more conservative if the updates we pull in bring no changes to code used in runc itself

This way it can create PRs to update github workflow rules deps.

Signed-off-by: Kir Kolyshkin <[email protected]>
@kolyshkin
Copy link
Collaborator Author

LGTM, another thread I would like to start is enabling rubberstamp approvals and auto-merge automation for minor dependency updates. Dependabot can create quite a few PRs and overwhelm maintainers. I can try a proof of concept and propose a mechanism separately from this. Perhaps we can start with selinux and if successful apply the mechanism to other projects? cc: @kolyshkin @rhatdan wdyt?

Not a big deal for this repo, as we don't have lots of dependencies and we don't require 2 LGTMs here, so any single maintainer can merge.

OTOH I'd love some automation for github.com/opencontainers/runc (which requires two LGTMs, while we can easily do with just one for dependabot and other simple PRs, but I don't know how to do that).

@kolyshkin kolyshkin requested a review from thaJeztah February 13, 2024 18:13
Copy link
Member

@thaJeztah thaJeztah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

updating actions sounds good to me, and shouldn't hurt. Let's see if the "daily" works well

@rhatdan
Copy link
Collaborator

rhatdan commented Feb 14, 2024

LGTM

@rhatdan rhatdan merged commit a11dd36 into opencontainers:main Feb 14, 2024
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants