
Added support for dependabot #289

Merged: 1 commit, Jan 5, 2022


Akasurde
Contributor

What this PR does / why we need it:

  • added support for dependabot

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #280

Additional information

Special notes for your reviewer

* added support for dependabot
@anusha94
Contributor

anusha94 commented Jan 3, 2022

@Akasurde
Thank you for the PR!
Trying to understand what this PR does. Please correct me if I'm wrong.

From the changes, it looks like the GH action will scan weekly for dependabot vulnerabilities in gomod? Is it also fixed automatically? As in, will it also raise a PR with the correct dependent versions?

@Akasurde
Contributor Author

Akasurde commented Jan 4, 2022

> From the changes, it looks like the GH action will scan weekly for dependabot vulnerabilities in gomod?

Yes.

> Is it also fixed automatically? As in, will it also raise a PR with the correct dependent versions?

Yes, dependabot will check the dependencies weekly and fix them using a PR. We would need to review the PR and merge it.
I kept the scanning frequency weekly since we will not change dependencies daily. I can change it to daily if you defer to my opinion.

@anusha94
Contributor

anusha94 commented Jan 4, 2022

@Akasurde

Thank you for the explanation! Weekly sounds good to me. Let's get this merged!

@anusha94 anusha94 requested a review from dharmjit January 4, 2022 10:22
Contributor

@dharmjit dharmjit left a comment


LGTM! Thanks for your contribution @Akasurde 🎉

@anusha94 anusha94 merged commit 947ca81 into vmware-tanzu:main Jan 5, 2022
@Akasurde Akasurde deleted the dependabot branch January 5, 2022 04:39
@Akasurde
Contributor Author

Akasurde commented Jan 5, 2022

@anusha94 @dharmjit Thanks for the review and merge.

Development

Successfully merging this pull request may close these issues.

Automate Dependabot security updates
3 participants