Conversation

@desrosj (Member) commented Oct 4, 2022

What?

This adds a dependabot.yml file configuring automatic pull requests when updates to third-party GitHub Actions are released.

Why?

This helps keep our workflows using the latest versions of third-party actions. These can easily fall out of date.
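A dependabot.yml of the kind this PR describes, written here as an added example rather than the file merged in the PR; the weekly schedule and the open-PR limit are assumed values, not ones taken from the repository:

```yaml
# Added example, not the file merged in this PR. Enables Dependabot version
# updates for the third-party GitHub Actions referenced by workflow files
# under .github/workflows. Schedule and limit values are assumptions.
version: 2
updates:
  - package-ecosystem: "github-actions"
    # "/" means the repository root; Dependabot looks for workflows in
    # .github/workflows relative to it.
    directory: "/"
    schedule:
      interval: "weekly"
    # Caps how many version-update PRs Dependabot keeps open at once, which
    # is the knob that addresses the noise concern raised in this thread.
    open-pull-requests-limit: 5
```

Version updates also cover actions referenced by a full commit SHA, so workflows can keep SHA pins (which fix exactly which code runs) and still receive bump PRs that move the pin forward.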

@desrosj desrosj self-assigned this Oct 4, 2022
@desrosj (Member, Author) commented Oct 6, 2022

Wanted to note that we could also configure dependabot PRs for npm dependencies, but I don't think this would have any effect currently because we choose to pin exact versions in our package.json file. The alerts would only work if there were ranges defined using ^, ~, etc. to allow semver updates.

@youknowriad (Contributor) left a comment

Let's see how this goes

@desrosj desrosj merged commit d67ed9f into trunk Oct 6, 2022
@desrosj desrosj deleted the add/github-actions-dependabot-pulls branch October 6, 2022 13:30
@github-actions github-actions bot added this to the Gutenberg 14.4 milestone Oct 6, 2022
@desrosj (Member, Author) commented Oct 6, 2022

Just to document, I chatted briefly with @youknowriad about this. There was some apprehension as dependabot can be quite noisy at times, and there's not always a lot of benefit to applying every bug fix release. The number of PRs can be limited, but they'll never end in a project of this size.

Dependabot alerts for npm are configured by default, but they are sparse in this repo because exact versions are pinned in our package.json files. Any PRs for npm package updates are from dependencies deeper down the dependency graph (dependencies of our dependencies). So there's probably some benefit there, as these could be npm audit related.
