From 3c2970bc136aa20bab325fc863e471469f0d6b6e Mon Sep 17 00:00:00 2001
From: Anton Gilgur
Date: Mon, 12 Feb 2024 16:51:46 -0500
Subject: [PATCH] ci: disable dependabot non-security updates

- similar to Workflows, most of the automated updates from dependabot here cause problems, a lot of noise, and use up CI time, all without much benefit
- most often are small patch updates of devDeps that don't affect our usage of them
- and then subsequent PRs for each individual patch bump etc
- the vast majority of PRs in this repo are these updates -- noise would be an understatement
- some also cause a lot of breakage when they pass CI but break something in a way that doesn't have an automated test
- given that this repo is not maintained much, no one is there to detect that or to ensure deps were properly updated
- so instead this causes breakage that goes unnoticed or unmentioned for _months_
- less frequent, manual updates are much, much safer than this as such
- and since it isn't really maintained, leaving it in a consistent, working state is also much better than an unknown, potentially broken state
- any dep updates should be _intentional_
- Note that this intentionally _does not_ impact security updates. Security updates will still happen automatically
- per the [linked docs](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#open-pull-requests-limit):
  > This option has no impact on security updates, which have a separate, internal limit of ten open pull requests.
- that is why I specifically used this configuration
- also re-order the package ecosystems and add some comments [equivalent to Workflows](https://github.com/argoproj/argo-workflows/blob/66680f1c9bca8b47c40ce918b5d16714058647cb/.github/dependabot.yml#L3)
- could potentially split NPM prod and devDeps in these two as well, but I think this is fine for now
Signed-off-by: Anton Gilgur --- .github/dependabot.yml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 9b95a5ef..ec969cf9 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,14 +1,19 @@ version: 2 updates: - - - package-ecosystem: "github-actions" + # prod dependencies + - package-ecosystem: "npm" directory: "/" schedule: interval: "weekly" day: "saturday" + # ignore all non-security updates: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#open-pull-requests-limit + open-pull-requests-limit: 0 - - package-ecosystem: "npm" + # build / CI dependencies + - package-ecosystem: "github-actions" directory: "/" schedule: interval: "weekly" day: "saturday" + # ignore all non-security updates: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#open-pull-requests-limit + open-pull-requests-limit: 0
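Review bot: `open-pull-requests-limit: 0` on both the `npm` and `github-actions` entries stops Dependabot version-update PRs, but nothing in this file enables Dependabot security updates; those are switched on per repository in the code security settings, so the "Security updates will still happen automatically" assumption in the commit message only holds if that setting is on, and it is worth confirming before merging. A smaller point on both hunks' `schedule` blocks (`interval: "weekly"`, `day: "saturday"`): security updates are triggered by advisories rather than by this schedule, so with the limit at 0 the schedule now only drives version-update checks that open nothing; since `schedule.interval` is still a required key, a one-line comment saying it is kept only because the key is mandatory would spare the next reader from wondering why a weekly cadence is configured for updates that are disabled.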