Tweak dependabot configuration - or not? #3366
Conversation
jkonecny12
added
master
There was a problem hiding this comment.
I think "dependabot as a heads-up" is fine. We can always re-evaluate that choice to drop it completely. However, I think it's useful for getting release notes like this. I don't have to manage all the actions one by one, subscribing to each and unsubscribing again.
|
Thanks for these reactions. In that case, I wonder how to make it obvious that we don't want to merge these PRs. Maybe have a special label "won't merge"? Is that too stupid solution? |
Add: - automatically set 'infrastructure' label to PR - add '(#infra):' prefix to the commit messages (don't have suffix support) Can't be done: We can't have support for multiple branches. Only the default branch is allowed which is a bit pain :(.
jkonecny12
force-pushed
the
master-improve-dependabot-conf
branch
from
003b041 to
5291f27
Compare
|
Rebased |
|
/kickstart-test --testtype smoke |
|
I don't think anyone [with the power to do it] would merge such a PR - either they don't know and then they won't do it, or they do know and will not merge it. In case we are all run over by a mob of buses and this is merged, dependabot will keep going and proposing the PRs. Presumably our clueless successors will just go with it and stay safe. |
It's safe for the default branch but not for other branches created from the default one. However, I agree, I might starting to be a bit paranoid here. |
Add:
Can't be done:
We can't have support for multiple branches. Only the default branch is allowed which is a bit pain :(.
Because of the second, I'm thinking if we want to have the dependabot at all. The problem is that branches created from the main branch would be stuck on the old action version forever and if there will be a security vulnerability than someone could just create PR to the other branch with the outdated version...
So maybe we want to have dependabot support but not merging these PRs. Basically just stay with the moving tag what we have now and having dependabot just as a heads-up that there is a new version of the action available? What do you think?