chore(dependabot): revise configuration #10186

Merged
merged 1 commit into from
Oct 2, 2024

@turadg turadg commented Oct 2, 2024

incidental

Description

To reduce manual effort to keep dependencies green.

There was already a dependabot config file but it seems inoperational.

This changes it to

  • Operate on all package directories
  • Update devDependencies too
  • Weekly instead of daily
  • Only "patch" level bug fixes for now

If that doesn't start it running, I'll dig in more.

Security Considerations

Trusts GitHub to only update patch releases. Increases rate of supply chain updates.

But this is just automating what we do already. PRs will still be reviewed.

Scaling Considerations

none

Documentation Considerations

none

Testing Considerations

Needs master to test

Upgrade Considerations

none

@turadg turadg requested review from kriskowal and mujahidkay October 2, 2024 19:00
@turadg turadg marked this pull request as ready for review October 2, 2024 19:02
@turadg turadg requested a review from a team as a code owner October 2, 2024 19:02
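
The security note in the description trusts the updater to stay within patch releases, with review as the backstop; a reviewer can check that property instead of assuming it. The following is an added example, not code from this PR or the agoric-sdk repository: it classifies each version change between two dependency snapshots and reports anything that is not a patch bump. The snapshot shape (name to resolved version) and the package names are assumptions constructed for illustration.

```javascript
// Added example: confirm that a dependency update stayed within patch level.
// Assumption: `before` and `after` map package name -> resolved version,
// extracted from the lockfile by whatever tooling the repository uses.
const SEMVER = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/;

function parseVersion(version) {
  const m = SEMVER.exec(version);
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || '' } : null;
}

// Returns 'none', 'patch', 'minor', 'major', 'prerelease', 'downgrade' or 'unparseable'.
function classifyBump(from, to) {
  const a = parseVersion(from);
  const b = parseVersion(to);
  if (!a || !b) return 'unparseable';
  for (const part of ['major', 'minor', 'patch']) {
    if (b[part] !== a[part]) return b[part] > a[part] ? part : 'downgrade';
  }
  return a.pre === b.pre ? 'none' : 'prerelease';
}

// Lists every change a "patch only" policy should not have produced,
// including packages that appear for the first time (new transitive deps).
function auditUpdate(before, after) {
  const violations = [];
  for (const [name, to] of Object.entries(after)) {
    if (!Object.prototype.hasOwnProperty.call(before, name)) {
      violations.push({ name, from: null, to, kind: 'added' });
      continue;
    }
    const kind = classifyBump(before[name], to);
    if (kind !== 'patch' && kind !== 'none') {
      violations.push({ name, from: before[name], to, kind });
    }
  }
  return violations;
}

// Constructed sample snapshots; the package names are hypothetical.
const before = { 'example-a': '1.4.2', 'example-b': '0.9.1', 'example-c': '2.0.0' };
const after = {
  'example-a': '1.4.3', // patch: allowed
  'example-b': '0.10.0', // minor: flagged
  'example-c': '2.0.0', // unchanged
  'example-d': '1.0.0', // not present before: flagged
};
console.log(auditUpdate(before, after));
```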
Deploying agoric-sdk with Cloudflare Pages

Latest commit: d37de09
Status: ✅  Deploy successful!
Preview URL: https://52450a07.agoric-sdk.pages.dev
Branch Preview URL: https://ta-dependabot.agoric-sdk.pages.dev

@mujahidkay mujahidkay left a comment

> Increases rate of supply chain updates

If it's just automating what we already do, is it really increasing the rate? 🤔 (for my understanding)

turadg commented Oct 2, 2024

> If it's just automating what we already do, is it really increasing the rate?

The manual process is ad-hoc and less than weekly.

@turadg turadg added automerge:rebase Automatically rebase updates, then merge bypass:integration Prevent integration tests from running on PR labels Oct 2, 2024
@mergify mergify bot merged commit 18a1b58 into master Oct 2, 2024
102 of 104 checks passed
@mergify mergify bot deleted the ta/dependabot branch October 2, 2024 19:32
mergify bot added a commit that referenced this pull request Oct 2, 2024
incidental

## Description

[#10186](#10186) ran but timed out: https://github.com/Agoric/agoric-sdk/actions/runs/11150379306/job/30991381517

Reviewing the logs, it looks like it did a lot of duplicate work querying for each package. Maybe that's a bug in Dependabot. Meanwhile, we only need to update the yarn.lock so this leaves out the 'packages' wildcard. It adds two other top-level directories that are Yarn workspaces.

### Security Considerations
none
### Scaling Considerations
none

### Documentation Considerations
none

### Testing Considerations
have to test in master

### Upgrade Considerations
none