@ianbotsf
Contributor

Issue #

(none)

Description of changes

Enables Dependabot version updates.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@ianbotsf ianbotsf requested a review from a team as a code owner July 30, 2025 00:44
@ianbotsf ianbotsf added the no-changelog Indicates that a changelog entry isn't required for a pull request. Use sparingly. label Jul 30, 2025
@github-actions

Affected Artifacts

No artifacts changed size

version: 2
updates:
- package-ecosystem: gradle
directory: /
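
Review bot: The `updates` list in the lines shown has a single entry, `package-ecosystem: gradle` at `directory: /`, so action versions referenced by any workflows in the repository would get no update PRs from this file. If that coverage is wanted, add a second entry with `package-ecosystem: github-actions` and `directory: /`; the entries are evaluated independently, so sharing the same `directory` value is fine.
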
Contributor

In the documentation I see:

Use to define the location of the package manifests for each package manager

which makes me think it should be pointing to /gradle? But I also see this:

For GitHub Actions, use the value /.

which I think means Dependabot would automatically upgrade our GitHub action dependencies.

Do we need both?

Contributor Author

I don't think so. Technically, the package manifest for Gradle starts from /settings.gradle.kt (if it exists) and /build.gradle.kts. It typically spiders out from there and may include /gradle/libs.versions.toml but the root is still / I think. I believe this configuration would vary if we had a monorepo containing many independent Gradle projects in various subdirectories.

I found an example in kotlin-logging and they use / too.

- package-ecosystem: gradle
directory: /
schedule:
interval: daily # means every _weekday_ (Monday through Friday)
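
Review bot: The `schedule` block sets only `interval: daily`, and the lines shown carry no `groups` or `open-pull-requests-limit`, so each outdated Gradle dependency is raised as its own PR, up to Dependabot's default cap on open version-update PRs. Consider a `groups` rule to batch related updates and an explicit `open-pull-requests-limit`, so the daily review load is a stated choice rather than a default.
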
Contributor

It would be nice to also trigger it on a release of aws-crt-kotlin or aws-kotlin-repo-tools. I don't think that's possible with this yaml configuration though.

Contributor Author

The options for schedule are pretty limited. It's either a simple interval like daily or a cron expression. I think auto-creating PRs on release of upstream software will require a GitHub action or backend tooling.

Contributor

Yes, I was thinking of a GitHub action that can trigger a Dependabot scan manually; there's a bit of discussion here: dependabot/dependabot-core#2980

@ianbotsf ianbotsf merged commit 673e586 into main Jul 31, 2025
22 checks passed
@ianbotsf ianbotsf deleted the chore-dependabot-version-updates branch July 31, 2025 17:24