Add dependabot #9585

tristan957 · 2024-10-31T00:44:11Z

Our dependencies don't necessarily receive updates unless people run into issues. This should help keep our dependencies in check a little bit better.

tristan957 · 2024-10-31T00:45:26Z

Would we want any of this: https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions

Our dependencies don't necessarily receive updates unless people run into issues. This should help keep our dependencies in check a little bit better. Signed-off-by: Tristan Partin <tristan@neon.tech>

tristan957 · 2024-10-31T00:49:33Z

.github/dependabot.yml

+    rebase-strategy: auto
+
+  - directory: /
+    package-ecosystem: docker


I have no clue if this will catch build-tools.Dockerfile and compute-node.Dockerfile

github-actions · 2024-10-31T01:43:35Z

5328 tests run: 5106 passed, 0 failed, 222 skipped (full report)

Code coverage* (full report)

functions: 31.5% (7768 of 24686 functions)
lines: 49.0% (61002 of 124616 lines)

* collected from Rust tests only

_{The comment gets automatically updated with the latest test results
3dd61ed at 2024-10-31T01:43:34.720Z :recycle:}

mickael-carl · 2024-10-31T05:17:28Z

.github/dependabot.yml

+    package-ecosystem: cargo
+    schedule:
+      interval: daily
+    rebase-strategy: auto


I'd actually do

Suggested change

rebase-strategy: auto

rebase-strategy: disabled

Everywhere, because otherwise everytime main changes you get a crazy amount of Github Actions triggered and that'll be quite expensive. Folks can easily do @dependabot rebase manually when needed?

mickael-carl · 2024-10-31T05:18:58Z

.github/dependabot.yml

+      interval: daily
+    rebase-strategy: auto
+
+  - directory: test_runner/pg_clients/csharp/npgsql


You could use the directories key to make this less verbose I think? See e.g. https://github.com/neondatabase/infra/blob/main/.github/dependabot.yml for an example?

arpad-m

I think it would be nice to group the individual updates into a combined commit to reduce the spam of both PRs and commits that end up later in the log.

arpad-m · 2024-10-31T05:30:49Z

.github/dependabot.yml

+  - directory: /
+    package-ecosystem: cargo
+    schedule:
+      interval: daily


I think daily interval is too often, weekly would be better.

tristan957 requested a review from a team October 31, 2024 00:44

Add dependabot

3dd61ed

Our dependencies don't necessarily receive updates unless people run into issues. This should help keep our dependencies in check a little bit better. Signed-off-by: Tristan Partin <tristan@neon.tech>

tristan957 force-pushed the tristan957/dependabot branch from e60b4b4 to 3dd61ed Compare October 31, 2024 00:48

tristan957 commented Oct 31, 2024

View reviewed changes

mickael-carl reviewed Oct 31, 2024

View reviewed changes

arpad-m reviewed Oct 31, 2024

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add dependabot #9585

Add dependabot #9585

tristan957 commented Oct 31, 2024

tristan957 commented Oct 31, 2024

tristan957 Oct 31, 2024

github-actions bot commented Oct 31, 2024

mickael-carl Oct 31, 2024

mickael-carl Oct 31, 2024

arpad-m left a comment

arpad-m Oct 31, 2024

Add dependabot #9585

Are you sure you want to change the base?

Add dependabot #9585

Conversation

tristan957 commented Oct 31, 2024

tristan957 commented Oct 31, 2024

tristan957 Oct 31, 2024

Choose a reason for hiding this comment

github-actions bot commented Oct 31, 2024

5328 tests run: 5106 passed, 0 failed, 222 skipped (full report)

Code coverage* (full report)

mickael-carl Oct 31, 2024

Choose a reason for hiding this comment

mickael-carl Oct 31, 2024

Choose a reason for hiding this comment

arpad-m left a comment

Choose a reason for hiding this comment

arpad-m Oct 31, 2024

Choose a reason for hiding this comment