feat(dependabot): Add dependabot to check for vulnerabilies and updat… #4035
Conversation
.github/dependabot.yml
Outdated
| schedule: | ||
| interval: daily | ||
|
|
||
| - package-ecosystem: gomod |
There was a problem hiding this comment.
let's group all directories for each package ecosystem together.
See https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#directories for more details.
|
okay, well do you prefer daily checks, or should I make it weekly? |
Signed-off-by: BLANKatGITHUB <[email protected]>
BLANKatGITHUB
force-pushed
the
depandabot-workflow
branch
from
45639a7 to
8222987
Compare
|
Weekly is enough, thanks! 🙏🏼 |
|
well I made adjustments , it will check for latest versions of dependencies , you will have to change the version of languages manually though for python and go . Dependabot makes pr for dependencies not language . |
|
Thanks! |
|
@BLANKatGITHUB dependabot start working but it is a bit noisy :) I saw it is possible to group updates into a single update PR using groups: do you mind improving the file so that it will group the updates under a single |
|
I will try. |
|
Also, worth limiting these updates to (security) patches only if possible. We do not always want to update to latest due to the distribution limitations. |
|
umm I dont understand? You want depandabot to create only security update prs? |
|
@BLANKatGITHUB please look at this PR for example: it was opened with version that is not even present on distributions that we run on (ubuntu 20.04) see here: if we limit updates to patch updates only, hopefully this won't happen. |
|
So basically only security updates right? |
|
yes, if possible |
This will automatically scan for updates in dependencies and create pull request to merge them.
/contrib/charts/dragonflydirectory./tests/dragonflydirectory./tools/replaydirectory./toolsdirectory.