Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Add dependabot for github actions #228

Open
Rotzbua opened this issue Apr 17, 2024 · 3 comments
Open

feat: Add dependabot for github actions #228

Rotzbua opened this issue Apr 17, 2024 · 3 comments

Comments

@Rotzbua
Copy link
Contributor

Rotzbua commented Apr 17, 2024

Problem

The GH actions workflows seem outdated.

grafik

Solution

Dependabot can provide PRs.

Recommendation

Because dependabot can be really annoying I recommend:

  • just monthly check
  • grouped PR
  • only GH actions dependencies
@Rotzbua Rotzbua changed the title Add dependabot for github actions feat: Add dependabot for github actions Apr 17, 2024
@Gallaecio
Copy link
Member

I’m not sure we need dependabot. It feels like it only makes sense for projects (i.e. with requirements.txt), not libraries meant to work with multiple versions of libraries (even vulnerable ones).

@FriedrichFroebel
Copy link
Contributor

This depends on how you want to use it. This issue primarily seems to be about automated updates for GitHub Actions, which is completely independent from Python package updates (although both use the dependabot approach).

Regarding Python packages: There are multiple approaches to this and no clearly defined way. For example: Use a dedicated requirements file which pins all versions to the latest versions known to work with the latest Python version supported. Once dependabot detects a package update for one of the pinned dependencies, let it open a PR and let GitHub Actions/CI automatically ensure that the latest package versions do not break the library code.

@Gallaecio
Copy link
Member

This issue primarily seems to be about automated updates for GitHub Actions.

Interesting.

Once dependabot detects a package update for one of the pinned dependencies, let it open a PR and let GitHub Actions/CI automatically ensure that the latest package versions do not break the library code.

Very interesting. On very active projects it might not be that useful, but in projects that are actively maintained but get no new features often like this one, this sounds quite useful.

Although I wonder if it would not be too noisy, creating a PR every time a dependency releases a new version.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants