What would you like to be added (User Story)?
As a developer I’d like to ensure regular and automated dependency updates for the turtles code to fix security vulnerabilities in a timely manner with ability to adapt the workflow steps to match repository code and CI requirements.
Detailed Description
Currently we are using the dependabot workflow to make dependency bumps. While this approach is sufficient for simple dependency updates, it is problematic for `go.mod` dependency bumps when there are multiple packages that depend on each other. In that case a dependency bump in one package requires a cascading update of the same dependency in the other packages. This is simple to achieve with a `make generate` task, but there is no place in a regular dependabot workflow to define user-specified steps that extend the default handling.

We need to explore alternatives that extend the regular use case, either using https://github.com/renovatebot (as it is approved by security) or using updatecli.
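As an added illustration of the "user-specified steps" gap described above (this is example configuration written for this issue, not turtles' or fleet's actual config), a Renovate `renovate.json5` that groups `go.mod` bumps so co-dependent modules move together, runs `go mod tidy`, and then executes the repository's `make generate` target in the update branch. It assumes a self-hosted Renovate whose administrator has allowlisted `make generate` (post-upgrade tasks do not run otherwise) and that the `make generate` target exists as stated above.

```json5
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  // Only the managers that matter for this repository.
  "enabledManagers": ["gomod", "github-actions"],
  // Run `go mod tidy` after every Go module bump so go.sum stays consistent.
  "postUpdateOptions": ["gomodTidy"],
  "packageRules": [
    {
      // Bump all Go modules in one PR so co-dependent modules are updated
      // together instead of one failing PR per module.
      "matchManagers": ["gomod"],
      "matchUpdateTypes": ["minor", "patch"],
      "groupName": "go modules"
    }
  ],
  // Security-driven bumps are still separate PRs, labelled for triage,
  // and never auto-merged.
  "vulnerabilityAlerts": {
    "labels": ["security"],
    "automerge": false
  },
  // The user-specified step dependabot cannot express: regenerate the
  // cascading updates in the other packages after the bump, and commit
  // any files the target touched (fileFilters is an assumption about
  // what `make generate` modifies in this repository).
  "postUpgradeTasks": {
    "commands": ["make generate"],
    "fileFilters": ["**/go.mod", "**/go.sum", "**/*.go", "**/*.yaml"],
    "executionMode": "branch"
  }
}
```

Because `executionMode` is `branch`, `make generate` runs once per update branch after all grouped bumps are applied, which is the point at which the cascading `go.mod` changes can be regenerated in a single commit.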
An example configuration for Rancher dependabot, as well as for updatecli, can be found in fleet:
Anything else you would like to add?
Additional details/prior history are also in https://github.com/rancherlabs/eio/issues/2143 and https://github.com/rancherlabs/eio/issues/1879
Label(s) to be applied
/kind feature /kind cleanup