Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ci: disable dependabot non-security updates #537

Merged

Conversation

agilgur5
Copy link
Contributor

@agilgur5 agilgur5 commented Feb 12, 2024

Motivation

Modifications

  • set open-pull-requests-limit: 0 in dependabot.yml for all our currently specified package ecosystems

  • also re-order the package ecosystems and add some comments equivalent to Workflows

    • could potentially split NPM prod and devDeps in these two as well, but I think this is fine for now

Verification

GH has no way to actually test this, but this same configuration has been used in Workflows for nearly a month now and is also something I previously implemented in other repos that I have maintained (example).

Future Work

Could potentially split NPM prod and devDeps with different settings as mentioned above

- similar to Workflows, most of the automated updates from dependabot here cause problems, a lot of noise, and use up CI time, all without much benefit
  - most often are small patch updates of devDeps that don't affect our usage of them
    - and then subsequent PRs for each individual patch bump etc
    - the vast majority of PRs in this repo are these updates -- noise would be an understatement
  - some also cause a lot of breakage when they pass CI but break something in a way that doesn't have an automated test
    - given that this repo is not maintained much, no one is there to detect that or to ensure deps were properly updated
      - so instead this causes breakage that goes unnoticed or unmentioned for _months_
      - less frequent, manual updates are much, much safer than this as such
        - and since it isn't really maintained, leaving it in a consistent, working state is also much better than an unknown, potentially broken state
        - any dep updates should be _intentional_

- Note that this intentionally _does not_ impact security updates. Security updates will still happen automatically
  - per the [linked docs](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#open-pull-requests-limit):
    > This option has no impact on security updates, which have a separate, internal limit of ten open pull requests.
    - that is why I specifically used this configuration

- also re-order the package ecosystems and add some comments [equivalent to Workflows](https://github.com/argoproj/argo-workflows/blob/66680f1c9bca8b47c40ce918b5d16714058647cb/.github/dependabot.yml#L3)
  - could potentially split NPM prod and devDeps in these two as well, but I think this is fine for now

Signed-off-by: Anton Gilgur <[email protected]>
@agilgur5 agilgur5 added type/dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code javascript Pull requests that update Javascript code labels Feb 12, 2024
Copy link
Member

@crenshaw-dev crenshaw-dev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Analysis makes sense to me. Thanks!

@agilgur5
Copy link
Contributor Author

agilgur5 commented Jul 18, 2024

so instead this causes breakage that goes unnoticed or unmentioned for months

Correction, years, per #567

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
github_actions Pull requests that update GitHub Actions code javascript Pull requests that update Javascript code type/dependencies Pull requests that update a dependency file
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants