Conversation
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
Most changes to Python require a NEWS entry. Please add it using the blurb_it web app or the blurb command-line tool.
    ignore:
      - dependency-name: "*"
        update-types:
          - "version-update:semver-minor"
          - "version-update:semver-patch"
dependabot doesn't just update GHA; this looks like it will cause deps in Doc/requirements.txt to start pinging us with every micro-release, no?
It's not visible in the PR diff, but the start of this block in the dependabot.yml file declares it's only for GitHub Actions.
There is another block with - package-ecosystem: pip which handles version bumps for Python dependencies, but it's actually only looking at the /Tools/ directory. And that block doesn't have an ignore field, so CPython is currently receiving minor and patch version bumps for those dependencies (example).
However, Doc/requirements.txt is currently ignored by dependabot version bumps. (But it still receives security updates whenever a dependency has a vulnerability).
Thanks for the PR, closing per discussion in #109110.
Fixes #109110.
This PR hash-pins all GitHub Actions and configures dependabot to keep them up-to-date with a single monthly PR. This will increase the resiliency of the repo's workflows in the face of broken or malicious versions of any Actions.
I don't believe this change requires a NEWS entry, but let me know and I'll add one.
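The hash-pinning described in this PR replaces a floating `uses: owner/action@vN` reference with `uses: owner/action@<full commit SHA> # vN.N.N`, so a retagged or compromised release cannot silently change what a workflow runs; dependabot then bumps both the SHA and the version comment. The following audit script is an added example, not code from this PR or from the CPython repository: it scans workflow text for `uses:` references and reports which ones are pinned to a full 40-hex-character commit SHA (with or without the version comment dependabot relies on) and which still point at a mutable tag or branch. The sample workflow embedded in it is constructed for the example, and its SHA is a placeholder, not a real commit.

```python
import re
from typing import List, NamedTuple

# Constructed sample workflow (not from the CPython repo). The SHA below is a
# placeholder value, not a real commit. It contains: one step pinned to a full
# commit SHA with a version comment, one on a floating tag, one on a branch,
# a local composite action and a docker image (the last two carry no @ref and
# are outside the scope of this check).
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.1.1
      - uses: actions/setup-python@v4
      - uses: actions/cache@main
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.18
"""

# Matches `uses: owner/repo[/path]@ref` (step or reusable-workflow form) with an
# optional trailing `# vX.Y.Z` comment. Entries without an `@ref` do not match.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[^@\s#]+)@(?P<ref>[^\s#]+)\s*(?:#\s*(?P<comment>\S.*))?$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


class Finding(NamedTuple):
    line: int
    action: str
    ref: str
    status: str  # "sha" | "sha-no-comment" | "mutable"


def audit_workflow(text: str) -> List[Finding]:
    """Classify every @ref'd `uses:` entry in a workflow file's text."""
    findings: List[Finding] = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref, comment = match.group("ref"), match.group("comment")
        if FULL_SHA_RE.fullmatch(ref):
            # A full SHA is immutable; the version comment is what lets
            # dependabot (and humans) see which release the SHA corresponds to.
            status = "sha" if comment else "sha-no-comment"
        else:
            # Tags (v4, v4.1.1) and branches (main) can be moved or retagged.
            status = "mutable"
        findings.append(Finding(number, match.group("action"), ref, status))
    return findings


def unpinned(text: str) -> List[Finding]:
    """Return only the entries that still need attention (not SHA + comment)."""
    return [f for f in audit_workflow(text) if f.status != "sha"]


if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {finding.line}: {finding.action}@{finding.ref} -> {finding.status}")
    print(f"{len(unpinned(SAMPLE_WORKFLOW))} reference(s) not fully hash-pinned")
```

Run it as a pre-merge check over `.github/workflows/*.yml` (read each file and pass its text to `audit_workflow`) and fail the job whenever `unpinned` returns anything. The regex deliberately ignores `./local` actions and `docker://` images, which have no `@ref` to pin in this form.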