Closed manics closed 3 years ago
Given the migration to using dependabot for critical vulnerabilities as well as component upgrades, this proposed change makes sense to me, but I think a general team sign-off would be useful as this change will modify the expectations for dependency PRs opened by dependabot across all components of the project.
Currently, such PRs are not included by default and, after a light review, they can be included manually in the daily CI builds via label/comment. With this proposal, these PRs would be auto-included assuming they pass the other checks, and a manual intervention will only be required for excluding/closing them.
No objections but just in case we'd prefer to handle it per repository see https://github.com/dependabot/feedback/issues/139
You can also customise labels in the dependabot config file https://docs.github.com/en/github/administering-a-repository/configuration-options-for-dependency-updates#labels
dependabot adds a `dependencies` label to its PRs. Include this by default in scc merge