
Add dependabot.yml. #8788

Merged
merged 1 commit into from
Sep 21, 2020

Conversation

reitermarkus
Member

@reitermarkus reitermarkus commented Sep 21, 2020

  • Have you followed the guidelines in our Contributing document?
  • Have you checked to ensure there aren't other open Pull Requests for the same change?
  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your changes? Here's an example.
  • Have you successfully run brew style with your changes locally?
  • Have you successfully run brew tests with your changes locally?
  • Have you successfully run brew man locally and committed any changes?

Move to the GitHub-native version of @dependabot.


Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
@reitermarkus reitermarkus merged commit 5d592fb into Homebrew:master Sep 21, 2020
@reitermarkus reitermarkus deleted the dependabot branch September 21, 2020 22:16
```yaml
- package-ecosystem: github-actions
  directory: /
  schedule:
    interval: weekly
```
Member


@reitermarkus Can we move these back to being immediate updates? Weekly is a long time to wait for security updates.

Also: does this support more than security updates e.g. patch versions etc.?

Member Author


Can we move these back to being immediate updates?

The immediate/daily updates are way too noisy if you ask me.

Also: does this support more than security updates e.g. patch versions etc.?

What do you mean exactly?

Member


The immediate/daily updates are way too noisy if you ask me.

If we can selectively make some (noisy) gems not be immediate: that'd be fine. We want to have immediate security updates.

What do you mean exactly?

Previously we had stuck with the "old" dependabot because the new one didn't support non-security bumps, initially at least. Has this changed?

Member Author


If we can selectively make some (noisy) gems not be immediate: that'd be fine. We want to have immediate security updates.

Which of our dependencies actually pose a security threat that requires immediate action?

Has this changed?

It just bumped the sorbet Gems and it's always bumping the GitHub actions in cask repos, so I think so.

Member


Which of our dependencies actually pose a security threat that requires immediate action?

Potentially: any of those that are vendored.
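As an added illustration (not the file merged in this PR), the weekly github-actions entry from the diff is shown beside a hypothetical daily bundler entry that uses per-dependency ignore rules, which is one way to keep noisy gems such as the sorbet ones quiet while other gems are still checked every day. The bundler directory is a placeholder, and dependabot.yml only schedules version updates (patch releases included); Dependabot security updates are a separate repository feature triggered by new advisories rather than by this schedule.

```yaml
# Added example, not the PR's dependabot.yml. Shows the PR's weekly
# github-actions entry next to an assumed daily bundler entry.
version: 2
updates:
  # The entry this PR adds: GitHub Actions workflows checked once a week.
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly

  # Assumed entry for Ruby gems. The directory is a placeholder and must
  # point at the directory that contains the Gemfile.
  - package-ecosystem: bundler
    directory: "/PATH-TO-GEMFILE-DIR"   # placeholder, adjust for the repo
    schedule:
      interval: daily
    # Cap how many version-update PRs Dependabot may keep open at once.
    open-pull-requests-limit: 5
    # Skip patch and minor version bumps for the sorbet gems mentioned in
    # the thread, so the daily check does not open a PR for every release.
    ignore:
      - dependency-name: "sorbet*"
        update-types:
          - "version-update:semver-patch"
          - "version-update:semver-minor"
```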

@BrewTestBot BrewTestBot added the outdated PR was locked due to age label Dec 3, 2020
@Homebrew Homebrew locked as resolved and limited conversation to collaborators Dec 3, 2020