Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: dependabot workflow automation for updating dependency #969

Closed
wants to merge 1 commit into from
Closed

feat: dependabot workflow automation for updating dependency #969

wants to merge 1 commit into from

Conversation

Rajpratik71
Copy link

Signed-off-by: Pratik Raj Rajpratik71@gmail.com

@Rajpratik71
feat: dependabot workflow automation for updating dependency
6c9e0fc 
Signed-off-by: Pratik Raj <Rajpratik71@gmail.com>
sudo-bmitch
sudo-bmitch approved these changes Nov 8, 2022
View reviewed changes
Copy link
Contributor

@sudo-bmitch sudo-bmitch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

sparr
sparr approved these changes Jun 16, 2023
View reviewed changes
Copy link
Contributor

@sparr sparr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was surprised to see that "/" is the appropriate directory for the github-actions pacakge-ecosystem. https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#directory

tianon
tianon reviewed Apr 25, 2024
View reviewed changes
Copy link
Member

@tianon tianon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unfortunately, I'm personally NACK on this -- we're a Go library, and the version we choose for our dependencies puts constraints on every project who imports us, so auto-updating our Go dependencies is the opposite of what we should do, IMO.

See https://research.swtch.com/vgo-mvs for more details about Go's methodology on dependency versioning.

sudo-bmitch
sudo-bmitch requested changes Jul 18, 2024
View reviewed changes
Copy link
Contributor

@sudo-bmitch sudo-bmitch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree with Tianon on this one. I thought this was for the security updates, but we already have those enabled on the project. For other dependencies, that can be done on an as-needed basis.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tianon tianon tianon left review comments

@sudo-bmitch sudo-bmitch sudo-bmitch requested changes

@sparr sparr sparr approved these changes

@jonjohnsonjr jonjohnsonjr Awaiting requested review from jonjohnsonjr jonjohnsonjr is a code owner

@jonboulle jonboulle Awaiting requested review from jonboulle

@stevvooe stevvooe Awaiting requested review from stevvooe stevvooe is a code owner

@sajayantony sajayantony Awaiting requested review from sajayantony sajayantony is a code owner

@vbatts vbatts Awaiting requested review from vbatts

@cyphar cyphar Awaiting requested review from cyphar cyphar is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@Rajpratik71 @sparr @tianon @sudo-bmitch