Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: enable dependabot #1

Merged
merged 1 commit into from
Nov 1, 2024
Merged

feat: enable dependabot #1

merged 1 commit into from
Nov 1, 2024

Conversation

ChristianTackeGSI
Copy link
Member

@ChristianTackeGSI ChristianTackeGSI commented Oct 25, 2024

Currently only for github actions
@mattkretz
Copy link
Collaborator

Thanks Christian. To keep with the existing style, there should probably be an addition to the README.md on how to use it in your own repo.

And then, I guess we should add documentation on

  • if/when/why you want to use one of these actions
  • where to find more information

But that doesn't need to be part of this PR.

@mattkretz
Copy link
Collaborator

Oh, and since I have no idea what dependabot does ;) can you tell me why it doesn't go into the workflows directory?

@ChristianTackeGSI
Copy link
Member Author

ChristianTackeGSI commented Oct 31, 2024

There are lots of docs about dependabot here:
https://docs.github.com/en/code-security/dependabot

Basically it checks for updates of your dependencies and creates a Pull Request to update that dependency. I posted a few example PRs at the top to show how that looks like in the real world.

The dependabot config I added checks for updates of the actions in the Github workflows. This is quite important, as the actions (like checkout@v4) are still quite in flux and some even stop working (for example actions/upload-artifact@v1.0.0, see: GSI-HPC/lustre_exporter#41).

Some other packaging "eco systems" are a bit more complex and involve more thinking. For example updating github.com/prometheus/client_golang in the golang universe raises the minimum required Go version beyond what we have on some of our machines.

@mattkretz
Copy link
Collaborator

Ah, so this PR isn't about providing another .yml for others to copy into their repo but to keep our template up to date?

@ChristianTackeGSI
Copy link
Member Author

Both.

  1. To keep our templates up to date
  2. To update the workflows ("templates") after they have been copied over into another repo
  3. To keep other wofkflows (not from this template repo) in other repos up to date.

@mattkretz
Copy link
Collaborator

I'll just merge and will open an issue about improving the README

@mattkretz mattkretz merged commit b8238f5 into main Nov 1, 2024
2 checks passed
@ChristianTackeGSI ChristianTackeGSI deleted the pr/dependabot branch November 1, 2024 09:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants