[WOR-1502] Add dependabot configuration. #132
Conversation
|
| - "minor" | ||
| - "patch" | ||
| schedule: | ||
| interval: "monthly" |
There was a problem hiding this comment.
We wanted every 2 weeks, but that is not a supported option (options are daily, weekly, and monthly). I decided to go with monthly over weekly, but with a higher open pull request limit (20).
| directory: "/" | ||
| open-pull-requests-limit: 20 | ||
| groups: | ||
| minor-patch-dependencies: |
There was a problem hiding this comment.
Group minor and patch updates together. Leave major updates as individual PRs since they are more likely to involve a breaking change. This way of grouping PRs has been working well for the Workspaces team.
| timezone: "America/New_York" | ||
| target-branch: "main" | ||
| reviewers: | ||
| - "@DataBiosphere/platform-foundation-codeowners" |
There was a problem hiding this comment.
| - "dependency" | ||
| - "gradle" | ||
| commit-message: | ||
| prefix: "[PF-2983]" |
There was a problem hiding this comment.
Long-lived ticket, https://broadworkbench.atlassian.net/browse/PF-2983
There was a problem hiding this comment.
Something we like to do is add labels which make the PR list a little more visual when viewing https://github.com/pulls/review-requested
There are other times when we manually do library updates so we reserve that prefix for dev-initiated PRs and a slightly different one for dependabot-initiated PRs.
There was a problem hiding this comment.
@rushtong does the automatic linking to the JIRA ticket work with "-dependabot" appended?
There was a problem hiding this comment.
It does link in our board.
There was a problem hiding this comment.
OK, we can always tweak the prefix if people think it helps (I've always found that the titles and labels make it pretty clear).
| commit-message: | ||
| prefix: "[PF-2983]" | ||
| ignore: | ||
| - dependency-name: "org.springframework.boot:spring-boot-gradle-plugin" |
There was a problem hiding this comment.
I added an ignore based on the open PR, #130
| updates: | ||
| - package-ecosystem: "gradle" | ||
| directory: "/" | ||
| open-pull-requests-limit: 20 |
There was a problem hiding this comment.
Do we know how long the initial backlog is? Will 20 per month keep up with the pace of new arrivals?
Do you know how the top 20 updates will be sorted and chosen? (date created first? major first? ( / minor first?) / alphabetically first?)
There was a problem hiding this comment.
I do not know how long the backlog is, but we can always adjust this if necessary. With the grouping of minor/patch, it's possible that 20 will be plenty.
I don't see anything in the documentation about how it decides the ordering (https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates#frequency-of-dependabot-pull-requests). Let me know if you find something!
Added a configuration based off of WSM's configuration.