Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

We don't have a default/consistent dependabot config across repos #28

Closed
1 task done
danswann opened this issue Dec 5, 2023 · 9 comments
Closed
1 task done

We don't have a default/consistent dependabot config across repos #28

danswann opened this issue Dec 5, 2023 · 9 comments
Labels
high priority

Comments

@danswann
Copy link
Member

danswann commented Dec 5, 2023
edited by seanmakesgames
Loading

Problem

Dependabot's automatic security fixes, and additional features like automatic package bumps, can be configured in .github/dependabot.yml.

We don't have a consistent policy in the organization for how to configure dependabot. I propose we create a "default policy" that can be overridden as necessary by repo-local configuration (similar to how we currently handle CONTRIBUTING.md).

Context

A quick search was inconclusive on whether dependabot.yml will be globally respected if put into this special .github repo, or if this only works for issue/PR/etc. templates.

In the latter case, we should still probably come up with a "default policy" that is manually set by those responsible for repo creation / configuration.

TODO

  • In organization settings: enable dependabot security updates for all existing and new repos
@danswann danswann added the needs triage This is a new issue that needs to be reviewed. label Dec 5, 2023
@seanmakesgames
Copy link
Member

dependabot/dependabot-core#3360

@seanmakesgames seanmakesgames removed the needs triage This is a new issue that needs to be reviewed. label Dec 11, 2023
@seanmakesgames
Copy link
Member

Agreed on this. At minimum, we should have our template file in the .github repository

@danswann
Copy link
Member Author

danswann commented Dec 12, 2023
edited
Loading

Looks like this might be less useful than I thought.

The things I was hoping to configure globally (how frequently he checks for package updates, how he groups his PRs, which branch he should target) cannot be configured without first specifying a package ecosystem.

Since not all of our repositories use the same package system, this is basically impossible. We could write a crazy long one that accounts for all our current package managers, but I'm not sure that would work. And we'd have to handle edge cases like how the Go manifest for the discord bot is in a subdirectory.

The repository must also contain a dependency manifest or lock file for each of these package managers.

It's not clear whether this means it will no-op for repos that don't use a given manager, or it will fail completely.
It's likely we'll get the most out of dependabot by just configuring it per-repository.

One thing we can do globally is enable dependabot's security updates/PRs by default for all existing and future repos belonging to the @comcode-org organization. See here.

@danswann
Copy link
Member Author

Agreed on this. At minimum, we should have our template file in the .github repository

@seanmakesgames In light of the above limitations, do you think I should just make a dependabot_template.yml file that can be used as a reference for repo-specific implementations? Or scrap this entirely and just open issues on the other repos?

@seanmakesgames
Copy link
Member

One thing we can do globally is enable dependabot's security updates/PRs by default for all existing and future repos belonging to the https://github.com/comcode-org organization. See here.

Yes. Can you add this as a line item todo in this issue?

@seanmakesgames In light of the above limitations, do you think I should just make a dependabot_template.yml file that can be used as a reference for repo-specific implementations? Or scrap this entirely and just open issues on the other repos?

hmm. I think by turning it on by default, we will start to get PRs opened by it w/ its default settings. Whatever it ends up doing, we'll learn what needs to change in the individual repos. I don't think we need to write issues on repos if we just turn it on for them, that should be good enough to create the inertia.

@danswann
Copy link
Member Author

Yes. Can you add this as a line item todo in this issue?

Done.

hmm. I think by turning it on by default, we will start to get PRs opened by it w/ its default settings.

This is true for security-related updates, but not regular version updates. If we want automatic version bumps we probably have to go repo-local, because e.g. setting up a file in this .github repo for the npm ecosystem will either have no effect on hackmudclient, discord, etc. or outright break.

@seanmakesgames
Copy link
Member

Thanks!

This is true for security-related updates, but not regular version updates. If we want automatic version bumps we probably have to go repo-local, because e.g. setting up a file in this .github repo for the npm ecosystem will either have no effect on hackmudclient, discord, etc. or outright break.

Alright. I think we should just get started with the wiki repo re: auto updates. (make an issue) We'll build this out across repos as we go. We'll call this particular item good with turning on security updates across repos.

@Fayti1703
Copy link
Member

@seanmakesgames has there been any movement on resolving this? To me the reduced... action surface(?) looks like it should be fairly simple to do.

@seanmakesgames
Copy link
Member

I've gone through and updated things and set defaults.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
high priority
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@seanmakesgames @danswann @Fayti1703