
github: Enable dependabot for stable branch #849

Merged
merged 1 commit into from
Jan 16, 2023

Conversation

gandro
Member

@gandro gandro commented Jan 12, 2023

Hubble CLI currently maintains support for the last stable branch. To ensure security-relevant dependencies are updated, this commit introduces dependabot for the current (v0.11) stable branch with the following configuration:

  • gomod dependencies are only updated if there is a security vulnerability in one of our dependencies.
  • docker dependencies (i.e. the alpine base image) are only updated to the next patch version
  • github actions are always updated (this mirrors cilium/cilium's configuration)

The goal of this configuration is to ensure we pull in security relevant updates, while keeping the moving parts as low as possible in the stable branch.

@gandro gandro added the release-note/ci This PR makes changes to the CI. label Jan 12, 2023
@gandro gandro requested a review from kaworu January 12, 2023 17:21
@gandro gandro requested a review from a team as a code owner January 12, 2023 17:21
@gandro gandro force-pushed the pr/gandro/dependabot-on-stable-branches branch from 78774dc to e513bb8 on January 12, 2023 17:23

@kaworu kaworu left a comment


Thanks @gandro, all the changes make sense to me. Added a comment about update-types but other than that LGTM!

(Review comment on .github/dependabot.yml, since resolved.)
@kaworu kaworu added the 🤖 area/CI Impacts the testing / continuous integration testing of the project. label Jan 13, 2023
@gandro gandro force-pushed the pr/gandro/dependabot-on-stable-branches branch from e513bb8 to b57c533 on January 16, 2023 10:41
@gandro gandro requested a review from kaworu January 16, 2023 10:41

@rolinh rolinh left a comment


Thanks, lgtm except that the current stable branch is v0.11, not v0.10 🙂

(Three review comments on .github/dependabot.yml, since resolved.)

@kaworu kaworu left a comment


LGTM besides @rolinh's comment since we released v0.11.

@gandro gandro force-pushed the pr/gandro/dependabot-on-stable-branches branch from b57c533 to d4d2d6a on January 16, 2023 14:51
@gandro gandro requested a review from rolinh January 16, 2023 14:51
Hubble CLI currently maintains support for the last stable branch. To
ensure security-relevant dependencies are updated, this commit
introduces dependabot for the current (v0.11) stable branch with the
following configuration:

  - gomod dependencies are only updated if there is a security
    vulnerability in one of our dependencies.
  - docker dependencies (i.e. the alpine base image) are only updated
    to the next patch version
  - github actions are always updated (this mirrors cilium/cilium's
    configuration)

The goal of this configuration is to ensure we pull in security relevant
updates, while keeping the moving parts as low as possible in the stable
branch.

Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
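A `.github/dependabot.yml` that expresses the three rules from the PR description and commit message above. This is an added illustration, not the file merged in this PR (the diff is not shown on this page); the branch name `v0.11`, the `/` directory and the weekly schedule are assumptions.

```yaml
# Added illustration of the policy described in the PR, not the merged file.
# Assumptions: the stable branch is named "v0.11", go.mod and the Dockerfile
# live at the repository root, and a weekly check interval is acceptable.
version: 2
updates:
  # Go modules: open-pull-requests-limit 0 turns off regular version-update
  # PRs for this ecosystem. Dependabot security updates are not governed by
  # this limit, so a PR is only raised when an advisory affects a dependency.
  - package-ecosystem: gomod
    directory: /
    target-branch: v0.11
    schedule:
      interval: weekly
    open-pull-requests-limit: 0

  # Docker base image: ignore major and minor bumps for every image, so only
  # the next patch release of the alpine base image is proposed.
  - package-ecosystem: docker
    directory: /
    target-branch: v0.11
    schedule:
      interval: weekly
    ignore:
      - dependency-name: "*"
        update-types:
          - "version-update:semver-major"
          - "version-update:semver-minor"

  # GitHub Actions: no ignore rules, so every action bump is proposed
  # (mirrors the cilium/cilium configuration).
  - package-ecosystem: github-actions
    directory: /
    target-branch: v0.11
    schedule:
      interval: weekly
```

Version updates and security updates are decided separately by Dependabot, so after enabling this, check the repository's Dependabot alerts and open PRs to confirm that advisory-driven updates are actually raised against the stable branch rather than only the default branch.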
@gandro gandro force-pushed the pr/gandro/dependabot-on-stable-branches branch from d4d2d6a to c06c624 on January 16, 2023 14:53
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jan 16, 2023
@gandro gandro merged commit d9b8daa into master Jan 16, 2023
@gandro gandro deleted the pr/gandro/dependabot-on-stable-branches branch January 16, 2023 17:24