Replies: 5 comments
-
Could also be helpful for drone, couldn't it? Lately it was kind of slow, and I guess if we drop all those dependabot PRs that are running there as well, it could be at least a little bit beneficial.
-
We could move to a weekly mode for checking the deps and submitting PRs.
-
@tboerger would you see this as a quick thing or is this more involved? (not asking you to do it, just to get an idea in case we decide to do this ourselves) the bot would need to not sure yet what to do if such PR already exists from the past week
-
It should be possible to build such a pipeline within drone, there are plugins available to do git pushes and also to create pull requests. We could even add a script that just closes previous pull requests if it got some kind of indicator like a specific label. This pipeline could be triggered by the builtin cron to something like weekly.
-
With dependabot being acquired by GitHub and slowly getting integrated into GitHub itself, I think this is all just a matter of time.
-
Our working pattern so far in the last weeks was to ignore the huge list of dependabot PRs and rather do a single "update deps" pull request every week. This also aligns with our weekly (beta) releases.
I find the long list of dependabot PRs to be noisy and we could disable dependabot altogether, with the condition that we are able to set up a process that automatically updates all libs at once. It seems dependabot is not yet able to do that: https://github.com/dependabot/feedback/issues/5
The exception would be for security updates. Still, we have snyk already and GitHub warnings for security, in which cases we can also take care.
Thoughts? @DeepDiver1975 @LukasHirt