Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

build(dependabot): ignore minor and patch github-actions updates #1224

Merged
merged 1 commit into from Nov 17, 2021
Merged

build(dependabot): ignore minor and patch github-actions updates #1224

merged 1 commit into from Nov 17, 2021

Conversation

Fdawgs
Copy link
Member

@Fdawgs Fdawgs commented Nov 17, 2021

GitHub introduced the ability to ignore specific updates back in May.
This PR should stop Dependabot flooding PRs with every minor and patch update of GitHub's own actions every day.

Happy to make change for rest of Pino repos if wanted.

Copy link
Member

@mcollina mcollina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@mcollina
Copy link
Member

amazing work!

@mcollina mcollina merged commit b37a947 into pinojs:master Nov 17, 2021
@Fdawgs Fdawgs deleted the build/dependabot branch November 17, 2021 09:36
@mcollina
Copy link
Member

Go ahead and roll it out throughout the org.

This was referenced Nov 17, 2021
@simoneb
Copy link
Contributor

simoneb commented Nov 17, 2021

Just curious, apart from reducing the noise, why would you want to avoid getting any updates other than major?

@jsumners
Copy link
Member

Just curious, apart from reducing the noise, why would you want to avoid getting any updates other than major?

We don't "avoid getting any updates". We avoid getting constant bumps to configuration files for explicit version numbers. This change says "I don't care what version of the v2 line of checkout you use, just use the latest v2".

@Fdawgs
Copy link
Member Author

Fdawgs commented Nov 17, 2021

Just curious, apart from reducing the noise, why would you want to avoid getting any updates other than major?

GitHub's own actions follow this tag style for releases, so specifying actions/setup-node@v2 will get the latest v2.x.x of that action.

@simoneb
Copy link
Contributor

simoneb commented Nov 17, 2021

Ah interesting, I didn't know. From what I understand it isn't generally true that using v2 means that you're getting whatever is the latest v2, it is true only as long as the publisher of the action moves the v2 tag to refer to whatever is the latest. This is something that GitHub is doing with their own actions it seems, but I'm not sure how widespread a practice this is.

@jsumners
Copy link
Member

Very true. In my org, we use these vX tags for GitHub authored actions. For others, we pin to the full git SHA.

@github-actions
Copy link

This pull request has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 18, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

4 participants