add dependabot support for npm and go dependencies #1347
Conversation
|
|
There was a problem hiding this comment.
Quick question: we want to have full control over the upgrade of some of our go dependencies (the ms graph code and Kopia come to mind). Sometimes upgrading these could cause things to break in ways that can only be discovered with more thorough testing outside of CI. Will this interfere with that?
Great question! Yes, it would update those dependencies. If we agree that critical dependencies should only be updated manually - I can tell dependabot to ignore those deps. |
@vkamra @dadams39 should we add kopia and all the ms graph stuff to the ignore list? |
Yep - let's just remove automerge on |
| on: | ||
| pull_request: | ||
| paths-ignore: | ||
| - "src/**" # prevent auto-merge for go dependencies |
There was a problem hiding this comment.
Unfortunately auto-merge config does not support ignore options.
paths-ignore prevents the auto-merge action from running for go dependencies under src/.
.github/dependabot.yml
Outdated
| schedule: | ||
| interval: "weekly" | ||
| reviewers: | ||
| - "alcion/platform" |
There was a problem hiding this comment.
Should this also be Corso maintainers?
uncledru
changed the title
|
Kudos, SonarCloud Quality Gate passed!
|
Description
Adds dependabot support to
corso/src(go).Adds dependabot support to
corso/website(npm).Adds dependabot support to
corso/docs(npm).Adds dependabot support to
corsofor actions as well.Warning that dependabot emails can get noisy so everyone may need to add email rules/update repository notifications 😭
PR limit ofWorking well in5here to test and we can increase as needed.ark. Increased to 50 w/ auto-merge.Type of change
Please check the type of change your PR introduces:
Linear Issue(s)
Test Plan
Merge and see what happens (no way to currently test dependabot config).