prometheus / client_golang

Prometheus instrumentation library for Go applications
https://pkg.go.dev/github.com/prometheus/client_golang
Apache License 2.0

Configure security vuln dependabot automation for latest image. #1512

Open bwplotka opened 6 months ago

bwplotka commented 6 months ago

I think https://github.com/prometheus/client_golang/security/dependabot works great, but it's easy to forget we might have NOT released those patches on the latest release. Let's make sure we are notified/dependabot ports patches.

See https://github.com/prometheus/client_golang/pull/1494

ying-jeanne commented 2 months ago

Hey @bwplotka, I noticed that Dependabot only updates the default branch for security patches. Are we open to switching to Renovate? The latter is used in Mimir, and it handles multiple branches better and seems more flexible. wdyt, or do you have another idea in mind?
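As an added illustration of the multi-branch point above (this is not configuration from this repository or from anyone in the thread): a minimal `renovate.json5` that makes Renovate open dependency and vulnerability-fix PRs against maintained release branches as well as the default branch. The branch names are placeholders; a real config would list the release branches that still receive patches.

```json5
{
  // Schema for editor validation of Renovate options.
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",

  // Start from Renovate's recommended preset.
  "extends": ["config:recommended"],

  // Branches Renovate treats as bases for PRs. Without this, only the
  // default branch is updated, which is the gap the comment above describes.
  // Placeholder names; replace with the release branches actually maintained.
  "baseBranches": ["main", "release-1.19", "release-1.20"],

  // Open PRs for dependencies flagged by GitHub security advisories,
  // on every base branch listed above.
  "vulnerabilityAlerts": {
    "enabled": true,
    "labels": ["security"]
  },

  // Also query the OSV database so advisories not mirrored by GitHub are caught.
  "osvVulnerabilityAlerts": true
}
```

With this in place, a patched dependency produces one PR per listed base branch, so a fix merged on `main` cannot silently be missing from the latest release line.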

bwplotka commented 2 months ago

Whatever works! (:

ArthurSens commented 2 months ago

If we move forward with Renovate, I'd love to see this workflow still working 🙈. It currently depends on the GitHub action dependabot/fetch-metadata; not sure how this works with Renovate.