ci: disable dependabot non-security updates #537
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- similar to Workflows, most of the automated updates from dependabot here cause problems, a lot of noise, and use up CI time, all without much benefit
- most often are small patch updates of devDeps that don't affect our usage of them
- and then subsequent PRs for each individual patch bump etc
- the vast majority of PRs in this repo are these updates -- noise would be an understatement
- some also cause a lot of breakage when they pass CI but break something in a way that doesn't have an automated test
- given that this repo is not maintained much, no one is there to detect that or to ensure deps were properly updated
- so instead this causes breakage that goes unnoticed or unmentioned for _months_
- less frequent, manual updates are much, much safer than this as such
- and since it isn't really maintained, leaving it in a consistent, working state is also much better than an unknown, potentially broken state
- any dep updates should be _intentional_
- Note that this intentionally _does not_ impact security updates. Security updates will still happen automatically
- per the [linked docs](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#open-pull-requests-limit):
> This option has no impact on security updates, which have a separate, internal limit of ten open pull requests.
- that is why I specifically used this configuration
- also re-order the package ecosystems and add some comments [equivalent to Workflows](https://github.com/argoproj/argo-workflows/blob/66680f1c9bca8b47c40ce918b5d16714058647cb/.github/dependabot.yml#L3)
- could potentially split NPM prod and devDeps in these two as well, but I think this is fine for now
Signed-off-by: Anton Gilgur <agilgur5@gmail.com>
agilgur5
added
type/dependencies
crenshaw-dev
approved these changes
Feb 13, 2024
This was referenced Feb 13, 2024
This was referenced Jul 18, 2024
Correction, years, per #567 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation
similar to Workflows ci: disable non-security dependabot updates argo-workflows#12487, most of the automated updates from dependabot here cause problems, a lot of noise, and use up CI time, all without much benefit
Note that this intentionally does not impact security updates. Security updates will still happen automatically
Modifications
set
open-pull-requests-limit: 0independabot.ymlfor all our currently specified package ecosystemsalso re-order the package ecosystems and add some comments equivalent to Workflows
Verification
GH has no way to actually test this, but this same configuration has been used in Workflows for nearly a month now and is also something I previously implemented in other repos that I have maintained (example).
Future Work
Could potentially split NPM prod and devDeps with different settings as mentioned above