chore(Renovate): improve security posture of setup and other general improvements #22479
Signed-off-by: secustor <sebastian@poxhofer.at>
…d workarounds, as well dependency dashboard Signed-off-by: secustor <sebastian@poxhofer.at>
Signed-off-by: secustor <sebastian@poxhofer.at>
Signed-off-by: secustor <sebastian@poxhofer.at>
Hi! Thanks. I'll bring it up with the other maintainers. In the meantime, seems the config file isn't prettier formatted - try
labels: ['dependencies'], | ||
extends: ['config:base', ':disableDependencyDashboard', ':gitSignOff'], |
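Review bot: on the extends line, :disableDependencyDashboard is the preset that keeps the Dependency Dashboard off, so if this change drops it, the PR description should state that a dashboard issue will be opened in the repository. Consider setting dependencyDashboardTitle or dependencyDashboardLabels in the same change so the issue stays easy to find among the others.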
This is just more curiosity on my part but why do you recommend enabling the dependency dashboard? If you have some documentation on this I'm fine with you just pointing me that way 👍
Some background, I help support the Backstage Demo site (https://github.com/backstage/demo) and often help people on the Backstage Discord server. I'm slowly working on a tutorial with some guidance on using Renovate with Backstage.
The dashboard is our main way to communicate with users. There we show ignored (manually closed) updates, rate-limited ones (because the concurrency limit has been reached) and errors. From there you can also force a recreation of PRs.
https://docs.renovatebot.com/key-concepts/dashboard/
Looking forward to it! I'm working on a blog regarding Backstage and Renovate too.
See renovatebot/renovate#2958 as an example.
Thanks for the links! Do you have insights on using the Dependency Dashboard (which is basically a public issue) versus using this - https://developer.mend.io/github/backstage/backstage - which does the same things but isn't public as best as I can tell. Also, for larger projects how do you handle that the issue can get lost in all the other issues? Do you just recommend pinning it?
The developer portal is, as far as I know, also public; an exception is the logs of Renovate runs. Be aware that I have no insight into how it functions in the background, as this is part of Mend's setup and not of the OSS project. Therefore it could be that the portal does not show everything from the issue or vice versa.
Yes, we recommend pinning the issue, but it is also possible to give it a better searchable name or specific labels for better discovery.
https://docs.renovatebot.com/configuration-options/#dependencydashboardtitle
https://docs.renovatebot.com/configuration-options/#dependencydashboardlabels
Thanks again for the reply, appreciate it! 🚀
Thank you, I think it looks good! 👍
Happy about trying out the dashboard, we can always disable it if it doesn't work out.
Same thing with the increased concurrency limit. I think it makes sense because we often hit the point of too many blocked PRs to let more straight-forward bumps through.
Hey, I just made a Pull Request!
These are some basic changes to your Renovate configuration, which I would recommend.
If you have questions or do not agree with these changes, I can provide some input here.
It may be of interest that Renovate currently has 107 updates pending on this repository, so there is quite a backlog.
Changes:
config:best-practices instead of config:base, which includes in turn config:recommended
Consider the input in this guide. I'm happy to help you to improve your workflow here.