fastify / workflows

Reusable workflows for use in the Fastify organization
MIT License

Disable automatic updates in org for this repo #108

Open jsumners opened 10 months ago

jsumners commented 10 months ago

https://github.com/fastify/workflows/pull/107 added a v4 tag so that we can prepare for fastify@5 across all repos. Unfortunately, Dependabot started updating all of our repos from workflows@3 to workflows@4. And then an automation (https://github.com/fastify/workflows/pull/107#issuecomment-1789536706) started merging them.

We need to disable this automation for the workflows repo across all projects. We will only ever release a new major of workflows that imposes a major change in all repos that depend upon it.

attn: @mcollina @Fdawgs

nrayburn-tech commented 10 months ago

Is there a better way to do this other than what is being done for the tap dependency? https://github.com/fastify/fastify/issues/5116#issuecomment-1790152300

https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#ignore

General syntax I think (not sure about the dependency-name, haven't been able to find docs for referring to the github action name).

```yaml
updates:
  - package-ecosystem: "github-actions"
    # `ignore` belongs directly under the update entry, not under `groups`
    ignore:
      - dependency-name: "plugins-ci"
        update-types: ["version-update:semver-major"]
```

jsumners commented 10 months ago

The documentation is at https://github.com/fastify/github-action-merge-dependabot#excluding-packages. But I'm not clear if that works with GitHub Actions. It's possible that a test needs to be conducted to determine the answer. But maybe one of the maintainers of that action will know (I have never even looked at the code, so I'm not one of them).
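The hold-back requested in this issue can also be enforced at merge time. The following is an added example, not code from this thread, from Dependabot or from github-action-merge-dependabot: a gate that refuses to auto-merge a major bump of a listed dependency and fails closed on titles it cannot parse. The title pattern, `HOLD_MAJOR` and all function names are assumptions, and the sample titles are constructed.

```javascript
// Assumed policy: major bumps of these dependencies need a human review.
const HOLD_MAJOR = new Set(['fastify/workflows'])

// Assumed title shape: "[prefix: ]bump <name> from <old> to <new>".
const TITLE_RE = /\bbump (\S+) from v?(\d+(?:\.\d+){0,2})\S* to v?(\d+(?:\.\d+){0,2})\S*/i

// "3" -> {major: 3, minor: 0, patch: 0}; "3.2.1" -> {major: 3, minor: 2, patch: 1}
function parseVersion (text) {
  const [major = 0, minor = 0, patch = 0] = text.split('.').map(Number)
  return { major, minor, patch }
}

// Returns { name, type } or null when the title is not a recognisable bump.
function classifyBump (title) {
  const m = TITLE_RE.exec(title)
  if (!m) return null
  const from = parseVersion(m[2])
  const to = parseVersion(m[3])
  let type = 'none'
  if (to.major !== from.major) type = 'major'
  else if (to.minor !== from.minor) type = 'minor'
  else if (to.patch !== from.patch) type = 'patch'
  return { name: m[1], type }
}

function shouldAutoMerge (title, holdMajor = HOLD_MAJOR) {
  const bump = classifyBump(title)
  // Fail closed: an unparseable title is never merged automatically.
  if (bump === null) return false
  // Held dependencies only move to a new major when a maintainer merges.
  if (bump.type === 'major' && holdMajor.has(bump.name.toLowerCase())) return false
  return true
}

// Constructed sample titles, not taken from real pull requests.
const SAMPLE_TITLES = [
  'build(deps): bump fastify/workflows from 3 to 4',
  'Bump fastify/workflows from 3.2.0 to 3.3.0',
  'Bump actions/checkout from 3 to 4',
  'Update README'
]

for (const title of SAMPLE_TITLES) {
  console.log(`${shouldAutoMerge(title) ? 'merge' : 'hold '}  ${title}`)
}
```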