Enable / Debug dependabot #397
Comments
vaikas
added
enhancement
|
Related: the need to bump the melange dependency has been documented here (perhaps not the correct place?) |
|
Thank you!!! I totally missed it 🤣 |
|
afaik Dependabot will not update dependencies if that is not pinned and it is based on the for example: #284 this was using the main branch and dependabot saw a tag and upgrade that. we have a few options here: |
|
I think from these comments I just wasn't aware of the fact that one needs to tag things if pipelines are changed. The document that @stormqueen1990 pointed to was great, but I just wasn't aware of it, so I missed it. Maybe it's just as simple as adding a little blurp into the PR that says, if you modify (I assume it's not only constrained to new pipelines, but any modifications to pipelines) you must tag after it's been merged. Or, maybe a variation of 1.1 would be only tag if pipelines dir has been merged daily and tag it with something like YYYYMMDD. I have no idea how hard the above would be to do, and I don't want to waste time on something that is sounding like just my missing of the documents. |
Description
It was not immediately clear why some of the changes in melange made ~week ago were not showing up in the CI pipeline that was causing then some unexpected errors. Thanks to @joshrwolf debugging and fixing it here:
#396
We should be getting a more up-to-date melange. This is especially important if new pipelines are added, like here:
chainguard-dev/melange#679
My expectation was that this would surface ~next day after all the propagations to dependabots, and digestabots, etc. and that clearly didn't happen here. Seems like if we could remove the manual step above, we'd be well on our way to not having to remember to manually bump things.
@cpanato would you mind taking a look at this and see if this could be sorted?
The text was updated successfully, but these errors were encountered: