-
Notifications
You must be signed in to change notification settings - Fork 121
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ci: configure the labels for dependabot PRs #1407
ci: configure the labels for dependabot PRs #1407
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks!
I know you said it should be straightforward, but I'm a little confused -- good thing you didn't request a review from me ;) I do want to ask though -- is this changing the schedule for python security dependency updates from monthly to daily? Knowing earlier about security updates does seem like a good thing. It also seems odd that just changing the labels requires adding a new |
No. Dependabot security updates are mostly separate from regular dependabot. They're mostly configured elsewhere and have a schedule managed by GitHub that can't be adjusted. I'm not certain, but I think this slightly messy situation exists because the security updates system existed in GitHub before they acquired dependabot so it's two independently built systems that have been mushed together.
It's because the security updates can't be configured to do different things with labels, but do inherit what's in the 'regular' dependabot config, including labels. The limit on PRs does not impact security, so it's how you have the config for the 'regular' updates so the joint options are picked up without actually turning the 'regular' updates on. I believe the docs explicitly recommend this somewhere but couldn't find it with a quick search. |
Thanks for the explanation, @tonyandrewmeyer, super helpful! I guess with security updates being managed separately from the dependabot schedule, and |
Yes, exactly. |
For GitHub actions dependabot PRs: only use the `dependencies` label, rather than both that and `github_actions`. For pip (Python) dependabot PRs: we only have security dependabot PRs enabled, so add the same label restriction (avoiding a `python` label) but this requires adding a section to configure dependabot, and then essentially disabling most of it by setting the maximum PRs to 0 (security PRs will still be opened).
For GitHub actions dependabot PRs: only use the `dependencies` label, rather than both that and `github_actions`. For pip (Python) dependabot PRs: we only have security dependabot PRs enabled, so add the same label restriction (avoiding a `python` label) but this requires adding a section to configure dependabot, and then essentially disabling most of it by setting the maximum PRs to 0 (security PRs will still be opened).
For GitHub actions dependabot PRs: only use the
dependencies
label, rather than both that andgithub_actions
.For pip (Python) dependabot PRs: we only have security dependabot PRs enabled, so add the same label restriction (avoiding a
python
label) but this requires adding a section to configure dependabot, and then essentially disabling most of it by setting the maximum PRs to 0 (security PRs will still be opened).