enable Dependabot v2 #243
enable Dependabot v2 #243
Conversation
https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot/ Signed-off-by: Sean C. Sullivan <github@seansullivan.com>
|
@lukasj WDYT? |
|
not a blocker for the current release, can wait for the next one |
| schedule: | ||
| interval: "daily" | ||
| time: "02:00" | ||
| - package-ecosystem: "github-actions" |
There was a problem hiding this comment.
Actions are not enabled here and no action is executed, so why have this ecosystem covered at all?
There was a problem hiding this comment.
Did someone say that actions can never be enabled here?
There was a problem hiding this comment.
Will you accept gradle ecosystem as well, as noone said it can never be migrated to gradle then?
There was a problem hiding this comment.
Enabling actions is about filing a bug to the repo owners should it bring in some benefits - how much time that needs? 10 minutes? Have anyone had cycles to investigate benefits it can bring as well as its disadvantages? Compare that with effort needed to convert this project, and thus all ee4j projects, to gradle. Discussion wrt gradle was on the table in the past but who and when would do that work?
There was a problem hiding this comment.
I used gradle only as example of other not needed now dependabot ecosystem.
There was a problem hiding this comment.
auto-update of dependencies is good thing to have, some projects are using jenkins for it. These projects may go away from that solution at some point and move to what's suggested here too. It is just not the right time to make decision and merge/work on this now.
https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot/