
@Copilot Copilot AI commented Aug 5, 2025

This PR sets up Dependabot to proactively monitor critical dependencies in ref-fvm, providing maintainers with timely notifications about important updates while avoiding excessive noise.

Changes

Updated .github/dependabot.yml to monitor 15 critical dependencies with a monthly schedule:

Security & Performance Critical:

  • wasmtime, wasmtime-environ - Core runtime dependencies requiring careful review

Cryptographic Dependencies:

  • blake2b_simd, k256, bls-signatures - Important for security updates

Core Serialization & Encoding:

  • serde, cid, ipld-core, multihash-codetable, multihash-derive

Filecoin Ecosystem:

  • filecoin-proofs-api, fvm-wasm-instrument

IPLD Encoding:

  • serde_ipld_dagcbor, serde_repr, serde_tuple

Protocol Utilities:

  • unsigned-varint

Approach

  • Monthly schedule (reduced from weekly) to balance awareness with noise reduction
  • Allowlist approach targeting only the most critical dependencies
  • Notification-focused - PRs serve as alerts for planned upgrades rather than auto-merge candidates

This configuration enables proactive dependency management for components that either require careful performance analysis (like wasmtime) or represent security-critical infrastructure, helping maintainers stay ahead of important updates without overwhelming the review process.

Fixes #2188.

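A complete `.github/dependabot.yml` illustrating the allowlist-plus-monthly-schedule approach the PR body describes. This is an added example, not the file merged in this PR (the page only shows the three `dependency-name` lines quoted in the review below). The crate names and the monthly interval come from the PR description; the `directory`, `open-pull-requests-limit`, `labels` and `commit-message` values are assumptions chosen for illustration.

```yaml
# .github/dependabot.yml -- added illustrative example, not the file merged in this PR.
# Assumed values (not taken from the page): directory "/", the PR limit, the label
# and the commit-message prefix. The crate list and monthly interval follow the PR body.
version: 2
updates:
  - package-ecosystem: "cargo"
    directory: "/"                  # assumed: workspace root holds the top-level Cargo.toml
    schedule:
      interval: "monthly"           # monthly rather than weekly to keep notification noise down
    open-pull-requests-limit: 5     # assumed cap on concurrently open Dependabot PRs
    labels:
      - "dependencies"              # assumed label; use whatever the repo already triages on
    commit-message:
      prefix: "deps"                # assumed prefix for generated commits
    # Allowlist: only the crates named here produce update PRs; every other
    # dependency is left alone. The PRs act as alerts for a planned upgrade,
    # not as auto-merge candidates.
    allow:
      # Security & performance critical: core runtime, needs careful review
      - dependency-name: "wasmtime"
      - dependency-name: "wasmtime-environ"
      # Cryptographic dependencies
      - dependency-name: "blake2b_simd"
      - dependency-name: "k256"
      - dependency-name: "bls-signatures"
      # Core serialization & encoding
      - dependency-name: "serde"
      - dependency-name: "cid"
      - dependency-name: "ipld-core"
      - dependency-name: "multihash-codetable"
      - dependency-name: "multihash-derive"
      # Filecoin ecosystem
      - dependency-name: "filecoin-proofs-api"
      - dependency-name: "fvm-wasm-instrument"
      # IPLD encoding
      - dependency-name: "serde_ipld_dagcbor"
      - dependency-name: "serde_repr"
      - dependency-name: "serde_tuple"
      # Protocol utilities
      - dependency-name: "unsigned-varint"
```

Each `dependency-name` must match the crate name exactly as it appears in `Cargo.toml`, hyphens and underscores included, since Dependabot matches the string literally. Note also the caveat raised later in this thread: an allowlist entry alone does not guarantee an update PR; at the time of the discussion a Dependabot run on this repo still reported `wasmtime` as not eligible to update, pending deployment of dependabot/dependabot-core#12780. Re-running the job from the repository's Dependabot page and reading its log is the quickest way to confirm that a listed crate is actually being considered.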

@Copilot Copilot AI assigned Copilot and rvagg Aug 5, 2025
@github-project-automation github-project-automation bot moved this to 📌 Triage in FilOz Aug 5, 2025
@Copilot Copilot AI changed the title [WIP] Setup dependabot for key dependencies Configure Dependabot for critical dependencies with monthly schedule Aug 5, 2025
Copilot finished work on behalf of rvagg August 5, 2025 05:53
@Copilot Copilot AI requested a review from rvagg August 5, 2025 05:53

rvagg commented Aug 5, 2025

See notes in #2188; this probably isn't going to work with Dependabot the way it is.

@rvagg rvagg marked this pull request as ready for review August 18, 2025 03:15
@Copilot Copilot AI review requested due to automatic review settings August 18, 2025 03:15

@Copilot Copilot AI left a comment


Pull Request Overview

This PR configures Dependabot for the ref-fvm repository to monitor critical dependencies on a monthly schedule, balancing proactive security awareness with reduced notification noise.

  • Changes update schedule from weekly to monthly intervals
  • Implements an allowlist approach targeting 15 critical dependencies across security, cryptographic, serialization, and Filecoin ecosystem components
  • Focuses on notification-based workflow rather than auto-merge for planned upgrades


# Critical wasmtime dependencies - require careful review for security and performance
- dependency-name: "wasmtime"
- dependency-name: "wasmtime-environ"

Copilot AI Aug 18, 2025


The dependency name should be 'wasmtime-environ' with a hyphen, but verify this matches the exact package name in Cargo.toml as Dependabot requires exact naming.



@rvagg rvagg left a comment


dependabot/dependabot-core#12780 is merged, and I believe we are just waiting on deploy. The latest Dependabot run in this repo (I re-ran one just today), where it's looking at wasmtime only, still says that it's not eligible to update, and I believe it's still running the old Dependabot version, but the update is imminent, I hope.


codecov-commenter commented Aug 18, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 77.56%. Comparing base (b73258b) to head (2798ef0).
⚠️ Report is 1 commit behind head on master.


@@           Coverage Diff           @@
##           master    #2194   +/-   ##
=======================================
  Coverage   77.56%   77.56%           
=======================================
  Files         147      147           
  Lines       15789    15789           
=======================================
  Hits        12247    12247           
  Misses       3542     3542           

@BigLep BigLep moved this from 📌 Triage to ⌨️ In Progress in FilOz Aug 19, 2025
@rvagg rvagg force-pushed the copilot/fix-2188 branch from 5ab9b05 to 2798ef0 Compare August 20, 2025 10:33
@rvagg rvagg merged commit 1251363 into master Aug 20, 2025
18 checks passed
@rvagg rvagg deleted the copilot/fix-2188 branch August 20, 2025 10:37
@github-project-automation github-project-automation bot moved this from ⌨️ In Progress to 🎉 Done in FilOz Aug 20, 2025