Enable dependabot for GitHub Actions dependencies #11093
tyrasd merged 2 commits into openstreetmap:develop from
Conversation
I also played with CodeQL for TypeScript/JavaScript, and nodejsscan, as you can see here: develop...Harvester57:iD:develop, but the results (cf. https://github.com/Harvester57/iD/security/code-scanning) are not very convincing, so I left that part out.
Will this create single PRs per dependency, or one issue where all changes are collected (this dashboard-like issue)? Something different: do you know if openstreetmap/id-tagging-schema#1255 makes sense and if we want it here as well?

I assume so, but as the GitHub Actions only really use a small handful of dependencies, I don't see a huge influx of new PRs. If you mean this on a general basis: yes, I see that the Dependabot PRs can become a bit spammy at times. We could try something else, if you like. But I'm currently failing to find the configuration option to make it do something other than a PR per dependency upgrade. Am I overlooking something?
Interestingly, in the iD repo, Dependabot does already do what you've outlined in the mentioned issue: see e.g. https://github.com/openstreetmap/iD/pull/11085/files
You can group the dependencies PRs into various groups, such as dev and prod environments, or only security-related updates, etc. The documentation is here: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/optimizing-pr-creation-version-updates |
Here is how it looks when grouped: Harvester57#2. I'll try to separate production and dev dependencies into two different groups; then you can have a different scheduling strategy depending on the type (daily for prod, weekly for dev, for example).
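For reference, a `.github/dependabot.yml` that covers both things discussed in the comments above: version updates for the `github-actions` ecosystem, and npm updates split into a production group and a development group so each lands as one grouped PR. This is an added illustration, not the configuration from this PR or from the iD repository; the group names, intervals and `open-pull-requests-limit` values are assumptions chosen for the example.

```yaml
# Added example, not the project's own dependabot.yml.
version: 2
updates:
  # GitHub Actions used by the workflows under .github/workflows.
  # One grouped PR per run instead of one PR per action.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      github-actions:          # group name is an assumption
        patterns:
          - "*"

  # npm dependencies, split by dependency type so production
  # and development updates arrive as two separate grouped PRs.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"       # interval is an assumption
    open-pull-requests-limit: 10
    groups:
      production-dependencies:
        dependency-type: "production"
      development-dependencies:
        dependency-type: "development"
```

Dependabot rejects two `updates` entries with the same `package-ecosystem` and `directory` unless they target different branches, so "daily for prod, weekly for dev" cannot be expressed as two npm entries on the same branch; one entry with two groups, as above, is the supported shape. Actions pinned to a full commit SHA (with the version as a trailing comment) are also handled: Dependabot updates the SHA and the comment together, so pinning does not prevent these updates.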
This PR adds the following: