dependabot trial #35223

Open
wants to merge 4 commits into base: main

Conversation

techknowlogick
Member

I know we have renovate (and we should use that long term), but I'm interested in seeing what dependabot will provide.

I've grouped all the ecosystem types into one PR per ecosystem so as not to overwhelm the PR page.

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Aug 6, 2025
@techknowlogick techknowlogick added the skip-changelog This PR is irrelevant for the (next) changelog, for example bug fixes for unreleased features. label Aug 6, 2025
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Aug 6, 2025
@silverwind
Member

silverwind commented Aug 7, 2025

npm dependencies @primer/octicons and material-icon-theme require `make svg && git add --all` to be executed after updating them. Also, go dependencies need `make tidy` to regenerate the license json.

I don't suppose these bots can do such things?

@silverwind
Member

silverwind commented Aug 7, 2025

We could potentially move all generation to build time as a dependency of the frontend target, but that would likely add 30s+ to the build and break use cases like:

  • node/npm-less offline build from a tarball (I'd drop support for this)
  • offline build in general, because the go-licenses tool needs to be fetched (maybe we should add a dedicated OFFLINE_BUILD variable to skip this step).

@techknowlogick
Member Author

@silverwind ah yes. I'd rather not have it be a build step (at least not as part of this PR), since this is just to see what dependabot is like, so I've just removed npm dependency management from this PR.

@silverwind
Member

silverwind commented Aug 8, 2025

It also affects go deps because of the license build, so sadly we need to either move the license build to a build-time dependency or try dependabot/dependabot-core#5962 (comment) or https://github.com/orgs/community/discussions/48498#discussioncomment-5159337.

@silverwind
Member

Other option may be to remove the license build completely, I never was a big fan of it 😉.
