
Replace dependabot automation action with groups feature #487

Merged: 1 commit merged into main from dependabot-groups, Nov 7, 2023

Conversation

grahamalama (Contributor) commented Oct 30, 2023

Closes #486

@grahamalama grahamalama requested a review from a team as a code owner October 30, 2023 17:31
if: ${{ github.actor == 'dependabot[bot]' }}
steps:
- name: Enable Dependabot automation
uses: mozilla/syseng-pod/actions/dependabot-automerge@main
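Review bot: `uses: mozilla/syseng-pod/actions/dependabot-automerge@main` references a mutable branch rather than a pinned commit SHA, so whatever that branch resolves to at run time is executed with the job's token; since this PR deletes the job the point is moot here, but any replacement automation should pin the action by SHA. Also note that the `if: ${{ github.actor == 'dependabot[bot]' }}` guard keys on the actor that triggered the run, not on the PR author, so it is a gate on who triggered the workflow rather than on what the PR contains.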
Contributor

😢
Since dev dependencies are not "deployed", shall we keep this automerge for them?

Contributor Author

We set up a dependabot group for all development dependencies so while it's not automatic, it's still fewer clicks.

I'm still overall wary about automatically merging code from a security perspective. Even running a compromised linting tool locally (for example) could pose a risk.

groups:
production-dependency-patches:
dependency-type: "production"
update-types: ["patch"]
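Review bot: this group matches only production dependencies with patch-level bumps, so minor and major production updates, and every development dependency, fall outside it and still arrive as separate PRs; the reply above says development dependencies have their own group, so confirm that group is defined in the same `updates` entry and that the two groups' `dependency-type` values do not overlap, otherwise a dependency could be claimed by both.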
Contributor

Here we group all patches together, but minor and major will get independent requests.

If we don't increase the schedule to "weekly", then they are less likely to be grouped, no?

Contributor Author

The schedule should remain weekly.
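The discussion above (replacing the automerge workflow with a patch-only group for production dependencies plus a catch-all group for development dependencies, on a weekly schedule) as one complete `dependabot.yml`. This is an added example written for this page, not the configuration from the PR itself; the `pip` ecosystem, the `/` directory and the `development-dependencies` group name are assumptions, since the PR only shows the `production-dependency-patches` fragment.

```yaml
# Added example, not the project's own file. Ecosystem, directory and the
# development group name are assumed; only the production patch group is
# shown on the PR page.
version: 2
updates:
  - package-ecosystem: "pip"          # assumption: a Python project
    directory: "/"                    # assumption: manifest at repo root
    schedule:
      # Weekly keeps several bumps landing in the same run so they can be
      # batched into one PR; a daily schedule would mostly produce runs
      # with a single candidate and nothing to group.
      interval: "weekly"
    groups:
      # Production code: only patch-level bumps are batched. Minor and major
      # updates still arrive as individual PRs so each gets its own review.
      production-dependency-patches:
        dependency-type: "production"
        update-types: ["patch"]
      # Development-only tooling (linters, test runners, ...) is batched
      # regardless of update type: one PR per run, one human click to merge.
      # Nothing is merged automatically; a compromised dev tool still runs
      # on developer machines and in CI, so a reviewer stays in the loop.
      development-dependencies:
        dependency-type: "development"
```

Dependabot assigns each dependency to the first group whose `dependency-type` and `update-types` filters match it, so the two groups above are disjoint: a production dependency with a minor or major bump matches neither and is opened on its own.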

@grahamalama grahamalama merged commit 976fa79 into main Nov 7, 2023
6 of 7 checks passed
@grahamalama grahamalama deleted the dependabot-groups branch November 7, 2023 14:41
Closes: Replace Dependabot automation with groups