cpanato
commented
1 year ago This only enables the automerge feature; it does not merge it. I agree to enable that for dependabot PRs. Let me do that for the main repos
Closed haydentherapper closed 2 months ago
cpanato
commented
1 year ago This only enables the automerge feature; it does not merge it. I agree to enable that for dependabot PRs. Let me do that for the main repos
cpanato
commented
1 year ago lets try in the timestamp first and then replicate to others
I think the vast majority, if not all, dependabot PRs are merged once tests pass. This is manual, and while it's not that much of a burden, I think we can automate this. See https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#enable-auto-merge-on-a-pull-request for instructions on how to set this up.
When there's a major Go version update, I think we have to do something manually too, so maybe we don't merge those automatically.
I'm also not sure if we would need to update tests that are required for each repo, or if branch protection should limit merging if any test, required or not, fails.
I'd suggest this be enabled for the larger repos (Rekor, Fulcio, Cosign), and for others, maintainers can decide if they want to enable it or not.
cc @cpanato - Thoughts?