Add dependabot config #210
Conversation
kolyshkin
requested review from
mrunalp,
rhatdan,
runcom and
thaJeztah
as code owners
|
LGTM, another thread I would like to start is enabling rubberstamp approvals and auto-merge automation for minor dependency updates. Dependabot can create quite a few PRs and overwhelm maintainers. I can try a proof of concept and propose a mechanism separately from this. Perhaps we can start with selinux and if successful apply the mechanism to other projects? cc: @kolyshkin @rhatdan wdyt? |
.github/dependabot.yml
Outdated
| version: 2 | ||
| updates: | ||
| # Dependencies listed in go.mod | ||
| - package-ecosystem: "gomod" |
There was a problem hiding this comment.
With this repository being a library, I don't think we need to update module versions, unless there's a critical reason for it in the call path. Doing so would violate go modules MVS (which requires lowest version to be specified)
There was a problem hiding this comment.
Right. I'll remove this.
(Wonder what to do about other repos such as runc, which is a library and a binary at the same time)
There was a problem hiding this comment.
Yeah, those can be the tricky ones. I think currently it's probably OK (we update main, but not release branches), although we could be more conservative if the updates we pull in bring no changes to code used in runc itself
This way it can create PRs to update github workflow rules deps. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Not a big deal for this repo, as we don't have lots of dependencies and we don't require 2 LGTMs here, so any single maintainer can merge. OTOH I'd love some automation for github.com/opencontainers/runc (which requires two LGTMs, while we can easily do with just one for dependabot and other simple PRs, but I don't know how to do that). |
|
LGTM |
This way it can create PRs to update various dependencies (in Go modules and github workflow rules).
Cc @rhatdan