Closed Rotzbua closed 1 year ago
Hmm, I'm not really convinced that we need this. Dependency upgrades almost always break something in some weird configurations (at least that's the case on Android, where I do most of my development). Then I have to spend hours debugging something that I did not want to upgrade in the first place - just because some tool nudged me to upgrade.
I agree that dependabot is difficult tool and should only be used if it adds value.
`package-ecosystem: "github-actions"` only creates PRs to update GitHub Action scripts in the folder `.github/workflows`. It does not try to update any composer dependencies.
As far as I know there is no dependency management tool for GH scripts like `gh actions update`.
But there are regularly deprecations and updates for the basic scripts which cause huge error logs or may stop working.
Source CI run: https://github.com/sabre-io/Baikal/actions/runs/4105864168
Source script: https://github.com/sabre-io/Baikal/blob/ba08adbf8646c23c466d529de3dd81581f024563/.github/workflows/ci.yml#L39
More information about the deprecation: https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/
Okay, let's try this for a while and see if it gets annoying. Thanks for the PR.
@ByteHamster Dependabot can be controlled by command comments without editing the `dependabot.yml`, e.g.:
`@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself).
`@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself).
`@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself).
Currently there is no package manager or similar for GH Actions to manage the dependencies. Dependabot offers to monitor the workflow scripts and propose new versions as PRs. Since GH Actions rarely change and no resources should be wasted, a repetition of one month is sufficient.
I would recommend adding the `dependabot.yml` to every repository with a GH Action script.
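The configuration the thread describes, written out as an added example (not the file from the Baikal repository): a `.github/dependabot.yml` that only watches the workflow files under `.github/workflows` with a monthly schedule. The `open-pull-requests-limit` value and the commented-out `ignore` entry (the config-file equivalent of the `@dependabot ignore this major version` comment) are assumptions added for illustration; the placeholder action name in it is not a real dependency of this project.

```yaml
# .github/dependabot.yml (added example, not the project's own file)
version: 2
updates:
  # Only the "github-actions" ecosystem is listed, so Dependabot looks at the
  # `uses:` lines in .github/workflows/*.yml and leaves composer untouched.
  - package-ecosystem: "github-actions"
    # For the github-actions ecosystem "/" means the .github/workflows folder.
    directory: "/"
    schedule:
      # Actions rarely change; one check per month keeps noise and CI minutes low
      # while still surfacing runner deprecations such as the node12 -> node16 move.
      interval: "monthly"
    # Assumption: cap concurrent PRs so a burst of action releases does not flood
    # the review queue.
    open-pull-requests-limit: 5
    # Optional: the same effect as commenting "@dependabot ignore this major
    # version" on a PR, but declared in the config file. Placeholder name only.
    # ignore:
    #   - dependency-name: "example-org/example-action"
    #     update-types: ["version-update:semver-major"]
```

Committing this file on the default branch is enough to enable the checks; Dependabot then opens one PR per action whose tag is behind, which keeps workflow pins moving forward before a deprecated runtime starts producing the error logs mentioned above.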