Conversation
Pull request overview
This PR adds Dependabot configuration to automate dependency updates for the repository. The configuration enables monthly automated dependency updates for both Rust cargo dependencies and GitHub Actions, with a conservative limit of one open pull request per ecosystem to avoid overwhelming maintainers.
Changes:
- Added .github/dependabot.yml to configure automated dependency updates for the cargo and GitHub Actions ecosystems
rvagg
left a comment
@LesnyRumcajs I don't mind doing all, but I'm personally not going to keep up with them all.
open-pull-requests-limit: 1 with a monthly frequency isn't going to work. We use 10 in lotus and it's been good for not getting a complete flood of updates; if you can't get through 10 then you're not going to get through more. But 1 means you'll get one update per month to deal with, because it'll run once a month, open a PR, then bork when it tries to do another.
Another option that I'd suggest is https://github.com/FilOzone/synapse-sdk/blob/88d6f25b1724c76ea8e4632df41a392d6a771767/.github/dependabot.yml#L13-L14 to deal with supply chain attacks. I've been using 5 for my own projects to give even more breathing room, you could go even larger and I'd be fine with that.
Interesting, I didn't know about this. As for the others, we currently use the group patch (introduced now - I forgot about it, sorry!) in Forest and it's been pretty much okay. I changed the interval of cargo updates to weekly, but still 1 PR allowed. Let me know if it works for you.
rvagg
left a comment
Sure, if you want. I'm skeptical of the 1, but I guess we'll find out; a dribble is better than not dealing with these at all.
Configured basic dependabot for the repo. Do we want to limit the dependencies scanned like in https://github.com/filecoin-project/ref-fvm/blob/f3629afcc9e339a89c4f2440edb77b09b11588c7/.github/dependabot.yml#L8-L35? Not sure. I think we should allow all updates.
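The two configurations the thread argues about, side by side, as an added example for readers of this PR. It is not the PR's own file and is not copied from lotus, Forest or synapse-sdk. It assumes the settings the comments describe (weekly cargo runs, a limit of 10, patch-level grouping) and assumes the synapse-sdk lines rvagg links to configure Dependabot's cooldown, since the page does not quote them; the 5-day value is the one rvagg says he uses.

```yaml
# Added example, not the repository's own dependabot.yml.
version: 2
updates:
  # Proposal as first pushed to this PR, as I read the thread: monthly runs and a
  # cap of one open PR. Dependabot opens one PR on the first run and then skips
  # further updates until that PR is merged or closed, so the backlog drains at
  # one dependency per month and security fixes queue behind whatever is open.
  #
  # - package-ecosystem: "cargo"
  #   directory: "/"
  #   schedule:
  #     interval: "monthly"
  #   open-pull-requests-limit: 1

  - package-ecosystem: "cargo"
    directory: "/"
    schedule:
      interval: "weekly"
    # Cap rvagg reports working for lotus: high enough that the queue drains,
    # low enough that maintainers are not flooded.
    open-pull-requests-limit: 10
    # Patch-level bumps land as one grouped PR (the "group patch" Forest uses),
    # so the limit of 10 is spent on minor and major updates that need a look.
    groups:
      patch-updates:
        patterns:
          - "*"
        update-types:
          - "patch"
    # Assumed reading of the synapse-sdk link: do not propose a release until it
    # has been public for N days. A malicious version that is pulled from the
    # registry within that window never shows up as a PR.
    cooldown:
      default-days: 5

  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"
    open-pull-requests-limit: 10
    cooldown:
      default-days: 5
```

Two caveats worth keeping in mind before copying this: a cooldown delays every update, including a patch that fixes a published advisory, so it trades response time for protection against short-lived malicious releases, and the grouped patch PR still needs a reviewer to read the full list of bumped crates rather than treating it as a rubber stamp.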