Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add dependabot for github actions #8

Closed
wants to merge 1 commit into from

Conversation

m-fila
Copy link
Contributor

@m-fila m-fila commented Sep 12, 2024

BEGINRELEASENOTES

  • Added dependabot configuration to get updates for github actions

ENDRELEASENOTES

Basic configuration for dependabot to periodicaly scan repo's github workflows and open PR for updating the actions.
I think this might be useful as some of the repos run deprecated versions of actions (key4hep/key4hep-spack#639)

There shouldn't be any conflict as only https://github.com/key4hep/key4hep-julia-fwk and https://github.com/key4hep/spack have already this file

@jmcarcell
Copy link
Member

Should this be pushed to every repository though? The PRs on outdated dependencies on files that are overwritten are useless everywhere else but here. So in this repo it would make sense to run it. In addition, for example for the Key4hep builds in CI, there is an action here that is called from the workflow files, so if the action has outdated dependencies does the bot check it and then make a PR to the original repository? I would think that it doesn't.

@tmadlener
Copy link

Can we configure the dependabot to only monitor the workflows that are not centrally managed? Some repositories might have such workflows. I agree that there is no real need to monitor the common key4hep-build workflow which we push centrally in any case.

@m-fila
Copy link
Contributor Author

m-fila commented Sep 26, 2024

You are right that would create a lot useless PRs for centrally managed actions

so if the action has outdated dependencies does the bot check it and then make a PR to the original repository? I would think that it doesn't.

dependabot will not follow actions to their origin and open PR for its own deps

Can we configure the dependabot to only monitor the workflows that are not centrally managed?

Unfortunately currently this is not possible 😕

I think we could instead put this in key4hep-actions to cover just the managed actions and workflows

@m-fila
Copy link
Contributor Author

m-fila commented Nov 4, 2024

Closing this in favor of key4hep/key4hep-actions#8 for updating centrally managed workflows

@m-fila m-fila closed this Nov 4, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

3 participants