Configure security vuln dependabot automation for latest image. #1512

Open
bwplotka opened this issue May 9, 2024 · 3 comments
@bwplotka
Member

bwplotka commented May 9, 2024

I think https://github.com/prometheus/client_golang/security/dependabot works great, but it's easy to forget we might have NOT released those patches on the latest release. Let's make sure we are notified/dependabot ports patches.

See #1494

@ying-jeanne
Contributor

ying-jeanne commented Sep 16, 2024

Hey @bwplotka, I noticed that Dependabot only updates the default branch for security patches. Are we open to switching to Renovate? The latter is used in Mimir, and it handles multiple branches better and seems more flexible. wdyt, or do you have another idea in mind?

@bwplotka
Member Author

Whatever works! (:

@ArthurSens
Member

If we move forward with Renovate, I'd love to see this workflow still working 🙈. It currently depends on the GitHub Action dependabot/fetch-metadata; not sure how this works with Renovate.
