Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: enable dependabot #1

Merged
merged 1 commit into from
Nov 1, 2024
Merged

feat: enable dependabot #1

merged 1 commit into from
Nov 1, 2024

Conversation

ChristianTackeGSI
Copy link
Member

@ChristianTackeGSI ChristianTackeGSI commented Oct 25, 2024
edited
Loading

@ChristianTackeGSI
feat: enable dependabot
8e17255 
Currently only for github actions
@mattkretz
Copy link
Collaborator

Thanks Christian. To keep with the existing style, there should probably be an addition to the README.md on how to use it in your own repo.

And then, I guess we should add documentation on

  • if/when/why you want to use one of these actions
  • where to find more information

But that doesn't need to be part of this PR.

@mattkretz
Copy link
Collaborator

Oh, and since I have no idea what dependabot does ;) can you tell me why it doesn't go into the workflows directory?

@ChristianTackeGSI
Copy link
Member Author

ChristianTackeGSI commented Oct 31, 2024
edited
Loading

There are lots of docs about dependabot here:
https://docs.github.com/en/code-security/dependabot

Basically it checks for updates of your dependencies and creates a Pull Request to update that dependency. I posted a few example PRs at the top to show how that looks like in the real world.

The dependabot config I added checks for updates of the actions in the Github workflows. This is quite important, as the actions (like checkout@v4) are still quite in flux and some even stop working (for example actions/[email protected], see: GSI-HPC/lustre_exporter#41).

Some other packaging "eco systems" are a bit more complex and involve more thinking. For example updating github.com/prometheus/client_golang in the golang universe raises the minimum required Go version beyond what we have on some of our machines.

@mattkretz
Copy link
Collaborator

Ah, so this PR isn't about providing another .yml for others to copy into their repo but to keep our template up to date?

@ChristianTackeGSI
Copy link
Member Author

Both.

  1. To keep our templates up to date
  2. To update the workflows ("templates") after they have been copied over into another repo
  3. To keep other wofkflows (not from this template repo) in other repos up to date.

@mattkretz
Copy link
Collaborator

I'll just merge and will open an issue about improving the README

@mattkretz mattkretz merged commit b8238f5 into main Nov 1, 2024
2 checks passed
@ChristianTackeGSI ChristianTackeGSI deleted the pr/dependabot branch November 1, 2024 09:04
@ChristianTackeGSI ChristianTackeGSI mentioned this pull request Nov 1, 2024
Open
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dennisklein dennisklein Awaiting requested review from dennisklein

@mattkretz mattkretz Awaiting requested review from mattkretz

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ChristianTackeGSI @mattkretz