Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ci: Ensure Sentry SDK is always bumped by dependabot #77678

Closed
wants to merge 1 commit into from
Closed

ci: Ensure Sentry SDK is always bumped by dependabot #77678

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 21 additions & 3 deletions .github/dependabot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,9 +18,6 @@ updates:
babel-dependencies:
patterns:
- '@babel/*'
sentry-dependencies:
patterns:
- '@sentry/*'
spectrum-dependencies:
patterns:
- '@react-stately/*'
Expand Down Expand Up @@ -63,6 +60,27 @@ updates:
- dependency-name: 'reflux'
- dependency-name: 'sprintf-js'
- dependency-name: 'u2f-api'
# For Sentry SDK updates, we do not want to limit the open PRs
- package-ecosystem: npm
open-pull-requests-limit: 0
Comment on lines +63 to +65
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think it works like this -- last we tried you can only have one npm section in a dependabot config

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ah damn, that sucks - I thought that would work :( does that mean it is not possible to realize this? 😬
What are thoughts about increasing the PR limit (10), or finding a different way to deal with those? As of now dependabot seems basically blocked because of open PRs with low prio 🤔

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

afaik for packages we care about we've just been doing them periodically on our own. dependabot isn't very good at bumping packages anyway (lol I know right?) so it's been smoother when a person does it

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah I mean this is what we kind of did so far, but we always lag behind a bit with the SDK and it would be nice to be up-to-date there, as it is our premier dogfooding app as well 🤔

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah doesn't seem to be supported: dependabot/dependabot-core#1778

Though looks like there's a workaround if you have one config set target-branch: master

directory: '/'
schedule:
# Going to start with a high interval, and then tone it back
interval: daily
timezone: America/Los_Angeles
time: '15:30'
reviewers:
- '@getsentry/owners-js-deps'
labels: []
# Group dependency updates together in one PR
# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups
groups:
# The name of the group, it will be used in PR titles and branch
sentry-dependencies:
patterns:
- '@sentry/*'
update-types:
- 'minor'
- package-ecosystem: 'docker'
directory: 'self-hosted/'
schedule:
Expand Down
Loading