github: Enable dependabot for stable branch #849
78774dc to e513bb8
Thanks @gandro, all the changes make sense to me. Added a comment about update-types
but other than that LGTM!
e513bb8 to b57c533
Thanks, lgtm except that the current stable branch is v0.11, not v0.10 🙂
LGTM besides @rolinh's comment since we released v0.11.
b57c533 to d4d2d6a
Hubble CLI currently maintains support for the last stable branch. To ensure security-relevant dependencies are updated, this commit introduces dependabot for the current (v0.11) stable branch with the following configuration:

- gomod dependencies are only updated if there is a security vulnerability in one of our dependencies.
- docker dependencies (i.e. the alpine base image) are only updated to the next patch version
- github actions are always updated (this mirrors cilium/cilium's configuration)

The goal of this configuration is to ensure we pull in security relevant updates, while keeping the moving parts as low as possible in the stable branch.

Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
d4d2d6a to c06c624
Hubble CLI currently maintains support for the last stable branch. To ensure security-relevant dependencies are updated, this commit introduces dependabot for the current (v0.11) stable branch with the following configuration:
The goal of this configuration is to ensure we pull in security relevant updates, while keeping the moving parts as low as possible in the stable branch.
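
A sketch of a `.github/dependabot.yml` expressing the three rules from the commit message, added here as an illustration and not the file from this pull request. The directories and schedule intervals are assumptions; the option names are standard Dependabot configuration keys.

```yaml
# Added illustration, not the project's actual configuration.
version: 2
updates:
  # Go modules: security fixes only.
  - package-ecosystem: gomod
    directory: /              # assumed location of go.mod
    target-branch: v0.11
    schedule:
      interval: daily         # assumed
    # A limit of 0 suppresses routine version-update PRs;
    # Dependabot security updates are still raised.
    open-pull-requests-limit: 0

  # Docker base image: patch releases only.
  - package-ecosystem: docker
    directory: /              # assumed location of the Dockerfile
    target-branch: v0.11
    schedule:
      interval: weekly        # assumed
    ignore:
      - dependency-name: "*"
        update-types:
          - "version-update:semver-major"
          - "version-update:semver-minor"

  # GitHub Actions: always updated.
  - package-ecosystem: github-actions
    directory: /
    target-branch: v0.11
    schedule:
      interval: weekly        # assumed
```

GitHub's documentation for `target-branch` states that once it is set, the settings for that ecosystem no longer affect pull requests raised for security updates, so confirm on the repository that security PRs actually reach the stable branch.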