We don't have a default/consistent dependabot config across repos #28
Comments
Agreed on this. At minimum, we should have our template file in the .github repository |
Looks like this might be less useful than I thought. The things I was hoping to configure globally (how frequently he checks for package updates, how he groups his PRs, which branch he should target) cannot be configured without first specifying a package ecosystem. Since not all of our repositories use the same package system, this is basically impossible. We could write a crazy long one that accounts for all our current package managers, but I'm not sure that would work. And we'd have to handle edge cases like how the Go manifest for the discord bot is in a subdirectory.
It's not clear whether this means it will no-op for repos that don't use a given manager, or it will fail completely. One thing we can do globally is enable |
@seanmakesgames In light of the above limitations, do you think I should just make a |
Yes. Can you add this as a line item todo in this issue?
hmm. I think by turning it on by default, we will start to get PRs opened by it w/ its default settings. Whatever it ends up doing, we'll learn what needs to change in the individual repos. I don't think we need to write issues on repos if we just turn it on for them, that should be good enough to create the inertia. |
Done.
This is true for security-related updates, but not regular version updates. If we want automatic version bumps we probably have to go repo-local, because e.g. setting up a file in this |
Thanks!
Alright. I think we should just get started with the wiki repo re: auto updates. (make an issue) We'll build this out across repos as we go. We'll call this particular item good with turning on security updates across repos. |
@seanmakesgames has there been any movement on resolving this? To me the reduced... action surface(?) looks like it should be fairly simple to do. |
I've gone through and updated things and set defaults. |
Problem
Dependabot's automatic security fixes, and additional features like automatic package bumps, can be configured in .github/dependabot.yml. We don't have a consistent policy in the organization for how to configure dependabot. I propose we create a "default policy" that can be overridden as necessary by repo-local configuration (similar to how we currently handle CONTRIBUTING.md).
Context
A quick search was inconclusive on whether dependabot.yml will be globally respected if put into this special .github repo, or if this only works for issue/PR/etc. templates. In the latter case, we should still probably come up with a "default policy" that is manually set by those responsible for repo creation / configuration.
TODO
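To make concrete the limitation raised in the comments (schedule, grouping and target branch can only be set per package ecosystem, and a manifest in a subdirectory needs its own entry), here is an added example of a .github/dependabot.yml. It is not the organization's actual configuration. It assumes a hypothetical repository with an npm manifest at the root, a Go module under /bot (a placeholder path, not the real discord bot layout), a Python project at the root, and "main" as the default branch.

```yaml
# Added example dependabot.yml, not the organization's real file.
# Assumed layout: npm at repo root, Go module under /bot (hypothetical path),
# Python at repo root; default branch assumed to be "main".
version: 2
updates:
  # Every entry must name an ecosystem and a directory; there is no
  # ecosystem-agnostic block, which is why a single org-wide template is hard.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    target-branch: "main"
    # Group minor and patch bumps into one PR to cut review noise.
    groups:
      minor-and-patch:
        patterns: ["*"]
        update-types: ["minor", "patch"]

  # Go manifest living in a subdirectory: the directory must point at it.
  - package-ecosystem: "gomod"
    directory: "/bot"
    schedule:
      interval: "weekly"
    target-branch: "main"

  # Security-fixes-only posture for an ecosystem: a limit of 0 stops
  # version-update PRs, while Dependabot security updates (enabled in the
  # repository settings) still open PRs for vulnerable dependencies.
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "monthly"
    open-pull-requests-limit: 0
```

A repository that does not contain one of these ecosystems would need to drop the corresponding entry, so a "default policy" copied from a template still requires per-repo editing; the security-updates toggle in repository settings is the one piece that can be applied uniformly without this file.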