Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enhancement: Use dependabot #111

Merged
merged 1 commit into from Jun 14, 2020
Merged

Enhancement: Use dependabot #111

merged 1 commit into from Jun 14, 2020

Conversation

localheinz
Copy link
Contributor

@localheinz localheinz commented Feb 5, 2020
edited

This PR

馃拋鈥嶁檪 This probably requires to set up Dependabot and disable Violinist - is this something you would be up for, @Jan0707?

@localheinz localheinz closed this Mar 1, 2020
@localheinz localheinz deleted the feature/dependabot branch March 1, 2020 09:32
@localheinz localheinz restored the feature/dependabot branch March 1, 2020 09:33
@localheinz localheinz reopened this Mar 1, 2020
@Jan0707
Copy link
Owner

Jan0707 commented May 12, 2020

What's the benefit that we see here ?

@localheinz
Copy link
Contributor Author

@Jan0707

Dependabot can be configured to

  • update composer.json as well
  • automatically merge pull requests when the build passes

For reference, see https://dependabot.com/docs/config-file/.

I believe the most compelling argument is that pull requests can be automatically merged.

Apart from that, Dependabot has been acquired by GitHub and is the de-facto standard solution for updating dependencies for a wide range of package managers.

@localheinz
Copy link
Contributor Author

@Jan0707

Violinist currently updates composer.lock only, which is pretty much useless, as we run builds against lowest, locked, and highest versions.

@Jan0707
Copy link
Owner

Jan0707 commented May 12, 2020

I feel this would bind us even more to Github and its eco system. Is that a shared concern? If not then we could go ahead.

@Jan0707
Copy link
Owner

Jan0707 commented May 18, 2020

ping @localheinz
I assume you think this is a worthwhile trade-off ?

@localheinz
Copy link
Contributor Author

localheinz commented Jun 14, 2020
edited

@Jan0707

With Dependabot moving natively into GitHub, I think that the switch makes a lot of sense.

In addition, the latest version of Dependabot allows updating GitHub Actions as well.

@localheinz localheinz merged commit 458c95a into Jan0707:master Jun 14, 2020
@localheinz localheinz deleted the feature/dependabot branch June 14, 2020 22:42
@violinist-bot violinist-bot mentioned this pull request Jun 23, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Jan0707 Jan0707 Awaiting requested review from Jan0707 Jan0707 is a code owner

Assignees

@Jan0707 Jan0707

Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@localheinz @Jan0707