Skip to content

Keep GitHub Actions up to date with GitHub's Dependabot #1583

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
tridge merged 1 commit into from
Jul 24, 2025
Merged

Keep GitHub Actions up to date with GitHub's Dependabot #1583

tridge merged 1 commit into from
Jul 24, 2025

Conversation

@cclauss
Copy link
Contributor

@cclauss cclauss commented Jun 15, 2025
edited
Loading

@Ryanf55
Copy link
Contributor

Ryanf55 commented Jun 16, 2025

How can we run the new workflow to verify it works? Do we have to merge, then wait for the next calendar week to start?

@cclauss
Copy link
Contributor Author

cclauss commented Jun 16, 2025

Merge it, and (if needed) a new pull request will normally be created within about 15 minutes.

Example:

@Ryanf55
Copy link
Contributor

Ryanf55 commented Jun 17, 2025

This reduces maintenance burden of MAVProxy. I would like to try it. Approved!

@peterbarker
Copy link
Contributor

peterbarker commented Jun 17, 2025

We could... but the PRs are likely to be ignored like the pnes for pymavlink are: https://github.com/ArduPilot/pymavlink/pulls?page=2&q=is%3Apr+is%3Aopen

@Ryanf55
Copy link
Contributor

Ryanf55 commented Jun 17, 2025

Better than waiting till the github actions are totally dead and CI breaks though?

@cclauss
Copy link
Contributor Author

cclauss commented Jun 17, 2025
edited
Loading

the PRs are likely to be ignored

GitHub Actions are only used at CI test-time, while most other dependencies are also used at runtime.
This means that if the CI tests pass, maintainers have more confidence that the proposed changes will not break runtime.

GitHub Actions have very infrequent major version changes . setup-python, the most frequent, has only had four major upgrades in its lifetime.

When GitHub Actions are upgraded, it often happens in batches. The pattern: * proposed in this PR will consolidate all GHA updates into a single pull request to further reduce chattiness. Please see the example output provided above.

There is a tradeoff between supply chain security and chattiness. Given that we have a few GHAs that are updated rarely and usually in batches, and we are using pattern: * to ensure that there will only ever be a single GHA upgrade PR at a time.

@rmackay9
Copy link
Contributor

rmackay9 commented Jun 19, 2025

The author ping'd me about this so I've added it to the EUDevCall. I'm not really qualified to review the PR

@cclauss
Copy link
Contributor Author

cclauss commented Jun 29, 2025
edited
Loading

Are there any remaining questions or todos on this one?

This was referenced Jul 15, 2025
Merged
Merged
@tridge tridge merged commit 3ef5734 into ArduPilot:master Jul 24, 2025
2 checks passed
@cclauss cclauss deleted the patch-1 branch July 24, 2025 21:55
@cclauss
Copy link
Contributor Author

cclauss commented Jul 24, 2025

Generated

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tridge tridge tridge approved these changes

+1 more reviewer

@Ryanf55 Ryanf55 Ryanf55 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

DevCallEU

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@cclauss @Ryanf55 @peterbarker @rmackay9 @tridge