opencontainers / runc

CLI tool for spawning and running containers according to the OCI specification
https://www.opencontainers.org/
Apache License 2.0
11.73k stars 2.09k forks

[rfc] switch from dependabot to renovate? #4341

Open cyphar opened 2 months ago

cyphar commented 2 months ago

On the private repo, dependabot produces a lot of spam (so much so that there are stories in https://github.com/dependabot/dependabot-core/issues/2804 of it exhausting the billing cap of an organisation). They have added a mitigation for forks, but for a private copy that won't help us.

Some folks mentioned that renovate doesn't have this issue. Maybe we should look into whether switching is worth it or not?

For the meantime, I have the following saved reply which I've used for all of the spam PRs, which hopefully will reduce the spam:

@dependabot ignore this dependency

Closing because this is a fork and we do not want dependency update spam here.

###### This is a dependabot issue: `https://github.com/dependabot/dependabot-core/issues/2804`
rata commented 2 months ago

The runc-private repo seems to be a copy of the repo, so it's not a fork or anything. Can't we just disable dependabot there? I can't see why we can't have a different configuration on a completely different repo.

It seems to be disabled now, btw. Maybe you did that?

cyphar commented 2 months ago

You can't make private forks, so we had to make a copy.

AFAICS you can't disable dependabot if there is a config file in the repo. At the bottom of dependabot/dependabot-core#2804 they mention that they are considering expanding the ability to disable dependabot for non-forks, but at the moment you can't disable it AFAICS (there's no disable button in the settings panel for dependabot/security scanners).

I use a saved reply to mass-disable dependabot notifications for individual dependencies (for all of the PRs it had opened), but that doesn't mean it won't ping for a different dependency in the future.

rata commented 2 months ago

Oh, thanks. It seems if we let it rot for 90 days, it should auto-stop: https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-automatic-deactivation-of-dependabot-updates

And it is the same for version updates: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates#about-automatic-deactivation-of-dependabot-updates

I wonder if that would do the trick for us?

I'm not against switching to renovate, but I haven't done any due diligence to know we can trust them.