From 4634320b3a08ba7ddec79d90a6c96c7bb57c7631 Mon Sep 17 00:00:00 2001
From: ChrisBAshton
Date: Thu, 17 Oct 2024 10:43:18 +0100
Subject: [PATCH] Disable all Dependabot updates apart from security ones

Updating Rails and govuk_publishing_components can be particularly onerous. A recent release of govuk_publishing_components v40+ (updating apps to govuk-frontend v5) required updating a number of files, which has proven complex enough for Content Publisher that it was split out of the general card and given its own card.

At time of writing, there are four open Dependabot PRs for Content Publisher for ruby, all with failing tests.

We believe the risk of changing the dependabot policy for these repos is low. If there were a security risk with a dependency, and if applying it was made more difficult due to us having fallen too far behind, we could either persevere with the patching, or use it as impetus to prioritise retiring the app, or temporarily take the app offline. In any case, usage is so negligible that publisher activity is unlikely to be affected.

Disabling non-security updates as per: https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates

> If you only require security updates and want to exclude version updates, you can set open-pull-requests-limit to 0 in order to prevent version updates for a given package-ecosystem.

Trello: https://trello.com/c/kpf7rWEq/2979-change-dependabot-configs-for-content-publisher-and-maslow
---
 .github/dependabot.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 3da4d9ce46..4a1fb31f10 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,7 +4,9 @@ updates: directory: / schedule: interval: daily + open-pull-requests-limit: 0 - package-ecosystem: npm directory: / schedule: interval: daily + open-pull-requests-limit: 0
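Review bot: the reason for `open-pull-requests-limit: 0` lives only in the commit message and the Trello card, so the two added lines in the hunk would benefit from a short YAML comment above each (for example `# Version updates disabled; Dependabot security updates only`), otherwise the next maintainer reading `.github/dependabot.yml` sees a zero limit with no explanation. Also worth confirming before merge that Dependabot security updates are enabled for the repository: as the quoted GitHub doc says, this option only suppresses version-update PRs for the `bundler` and `npm` ecosystems, it does not itself turn security updates on, and the commit message's fallback plan assumes those security PRs will still arrive.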