sabre-io / Baikal

Baïkal is a Calendar+Contacts server
https://sabre.io/baikal/
GNU General Public License v3.0

Add dependabot to create GH action version update PRs #1159

Closed Rotzbua closed 1 year ago

Rotzbua commented 1 year ago

Currently there is no package manager or similar for GH Actions to manage the dependencies. Dependabot offers to monitor the workflow scripts and propose new versions as PRs. Since GH Actions rarely change and no resources should be wasted, a repetition of one month is sufficient.

I would recommend adding the dependabot.yml to every repository with GH action scripts.

ByteHamster commented 1 year ago

Hmm, I'm not really convinced that we need this. Dependency upgrades almost always break something in some weird configurations (at least that's the case on Android, where I do most of my development). Then I have to spend hours debugging something that I did not want to upgrade in the first place - just because some tool nudged me to upgrade.

Rotzbua commented 1 year ago

I agree that dependabot is a difficult tool and should only be used if it adds value.

package-ecosystem: "github-actions" only creates PRs to update GitHub Action scripts in the folder .github/workflows. It does not try to update any composer dependencies.

As far as I know there is no dependency management tool for GH scripts like gh actions update.

But there are regularly deprecations and updates for the basic scripts, which cause huge error logs or may stop working.

Source CI run: https://github.com/sabre-io/Baikal/actions/runs/4105864168
Source script: https://github.com/sabre-io/Baikal/blob/ba08adbf8646c23c466d529de3dd81581f024563/.github/workflows/ci.yml#L39

More information about the deprecation: https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/
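The configuration the two comments above describe (a github-actions ecosystem entry scanning .github/workflows on a monthly schedule), written out here as an added example rather than copied from the PR; the file path .github/dependabot.yml is the standard Dependabot location and the settings are an illustration, not the PR's exact contents:

```yaml
# .github/dependabot.yml (added example, not the PR's own file)
version: 2
updates:
  # Only the "github-actions" ecosystem is enabled, so Dependabot
  # scans .github/workflows for `uses:` references and opens PRs
  # when a referenced action has a newer release. Composer
  # dependencies are untouched because no "composer" entry exists.
  - package-ecosystem: "github-actions"
    # For GitHub Actions the directory is the repository root;
    # Dependabot looks in .github/workflows underneath it.
    directory: "/"
    schedule:
      # Actions change rarely, so a monthly check keeps CI noise
      # and runner minutes low while still surfacing deprecations
      # such as the node12 -> node16 runtime change.
      interval: "monthly"
```

Each resulting PR shows the old and new action version in its title, so a reviewer can check the action's release notes before merging, and the "@dependabot ignore" comments listed later in this thread can silence updates that are not wanted.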

ByteHamster commented 1 year ago

Okay, let's try this for a while and see if it gets annoying. Thanks for the PR

Rotzbua commented 1 year ago

@ByteHamster Dependabot can be controlled by command comments without editing the dependabot.yml, e.g.:

@dependabot ignore this major version

will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this minor version

will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)

@dependabot ignore this dependency

will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)