Conversation

@agriyakhetarpal
Member

Description

This pull request closes #78; it aims to add Dependabot to our repository for maintaining our workflows, and for downstream I have yet to test it out on my fork!

Here's a brief list of TODO items before we should be ready:

  • Add documentation on how to use, configure, and maintain Dependabot
    • Add links to GitHub's documentation
    • Explain that Dependabot has to be enabled in the settings once they create a repository
    • Add a guide on what Dependabot does and how to handle incoming PRs for package updates
  • Ensure that Dependabot can update GitHub Actions dependencies in our repository's workflows
  • Explore whether Dependabot can update GitHub Actions dependencies in the template's files

@lwasser
Member

lwasser commented Jun 24, 2025

Hey there @agriyakhetarpal, I'm just checking in on this PR. It's been open for a while. Is there a minimal version of the TODOs that we could consider to make it ready for review? Perhaps we just add Dependabot as a first step?

@agriyakhetarpal
Member Author

Hi @lwasser, thanks for the ping! I'm sorry about the delay in my response here – I have a bunch of notifications I'm supposed to be working through :)

Dependabot is able to update GitHub Actions dependencies in files under .github/workflows/, of course. However, in a fork that I set up previously, I struggled to make it work with the latter point:

Explore whether Dependabot can update GitHub Actions dependencies in the template's files

Dependabot can't recognise these files, unfortunately – so I think we would need a manual way to sync dependencies between .github/workflows/ and the template files. We could write a script to do this and have a bot run it so that it updates the template's workflow files automatically, perhaps using some regex operations or sed commands. Still, it would not be smart enough to figure out merge conflicts. It could potentially overwrite intentional changes to workflows (say, if we add temporary comments around a GitHub Actions step or comment out a step if it's broken or not needed). This way is directly opposite to what we discussed in the issue linked to this PR, #78, where you mentioned:

The first one is surely not ideal, so we should explore if Dependabot will choose to be the star here or not 😉

So, I do think adding Dependabot as the first step would be sufficient, at least for the repository, and we can keep the issue open. We also have to note that even if the template's GitHub Actions dependencies are out of date, Dependabot will create a PR to update them as soon as it's enabled in a package's repository. The only trouble I can see from that is that if the actions used get terribly out of date, we would put the user in a situation where they need to update to newer versions of the actions themselves to get them in a workable state.


This PR is ready for review as is, right now – the only parts missing are the documentation updates for explaining to our users how to use Dependabot effectively to maintain the package(s) they generate from the template.
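The "manual sync" idea in the comment above, written out as an added example (it is not code from this PR or from the template repository): rather than rewriting the template's workflow files with sed, which is exactly what would clobber intentional comments or disabled steps, this script only reports where the template's action pins have drifted from the repository's own `.github/workflows/` and exits non-zero so a scheduled job can flag it. Commented-out `uses:` lines are deliberately not matched, and SHA-style pins are handled the same way as tag pins. The template workflow directory, the sample workflow texts and the sample commit hash are all constructed for the example; the regex does not cover local (`./`) or `docker://` actions.

```python
"""Report drift between the action pins in a repository's own
.github/workflows/ and the workflow files shipped inside its template.

Added example for this discussion, not code from the PR or the template
repository. It is read-only: it reports mismatched pins and exits non-zero
instead of editing the template, so intentional edits are never overwritten.
The template directory path and the sample workflow texts are constructed.
"""
import re
import sys
from pathlib import Path

# Matches a GitHub Actions `uses:` step, e.g.
#   - uses: actions/checkout@v4
#   - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
# (constructed hash). The ref stops before whitespace or `#`, so a trailing
# version comment is not part of it. A commented-out step (`# - uses: ...`)
# does not match, so temporarily disabled steps are ignored, not reported.
# Local (`./`) and `docker://` actions are not covered.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)"
)


def extract_pins(text: str) -> dict[str, str]:
    """Return {action: ref} for the `uses:` lines in one workflow file.

    The first ref seen for an action wins; a file that pins the same action
    two different ways is inconsistent on its own and worth a separate look.
    """
    pins: dict[str, str] = {}
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m and m.group("action") not in pins:
            pins[m.group("action")] = m.group("ref")
    return pins


def find_drift(reference: dict[str, str], candidate: dict[str, str]) -> dict[str, tuple[str, str]]:
    """Return {action: (reference_ref, candidate_ref)} where both sides pin
    the action but to different refs. Actions used on only one side are not
    drift: the template may ship actions the repository itself never runs."""
    return {
        action: (reference[action], candidate[action])
        for action in sorted(reference.keys() & candidate.keys())
        if reference[action] != candidate[action]
    }


def scan_tree(root: Path) -> dict[str, str]:
    """Merge the pins of every *.yml / *.yaml workflow below root."""
    merged: dict[str, str] = {}
    for path in sorted(list(root.rglob("*.yml")) + list(root.rglob("*.yaml"))):
        for action, ref in extract_pins(path.read_text(encoding="utf-8")).items():
            merged.setdefault(action, ref)
    return merged


def report_lines(drift: dict[str, tuple[str, str]]) -> list[str]:
    """One human-readable line per drifted action."""
    return [f"{action}: repository pins {ours}, template pins {theirs}"
            for action, (ours, theirs) in drift.items()]


# Constructed sample inputs: the repository's own workflow is current, the
# template copy still pins an older checkout and has one step commented out.
REPO_WORKFLOW = """\
name: CI
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
"""

TEMPLATE_WORKFLOW = """\
name: CI
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      # - uses: actions/cache@v4   # disabled while the cache key is reworked
      - uses: actions/setup-python@v5
      - uses: pypa/gh-action-pypi-publish@release/v1
"""


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: python check_action_drift.py .github/workflows <template workflows dir>
        # The second path is wherever the template keeps its workflows; it is
        # an assumption of this example, not a path taken from the PR.
        drift = find_drift(scan_tree(Path(sys.argv[1])), scan_tree(Path(sys.argv[2])))
    else:
        drift = find_drift(extract_pins(REPO_WORKFLOW), extract_pins(TEMPLATE_WORKFLOW))
    for line in report_lines(drift):
        print(line)
    sys.exit(1 if drift else 0)
```

Run without arguments it checks the embedded sample and reports only `actions/checkout` (v4 in the repository, v3 in the template); `actions/setup-python` agrees, the disabled cache step is skipped, and the publish action is ignored because the repository's own workflow never uses it. Wired into a scheduled workflow with the two real directories as arguments, the non-zero exit is the signal that Dependabot has moved the repository's pins and the template copy needs a deliberate, reviewed update.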

@agriyakhetarpal agriyakhetarpal marked this pull request as ready for review July 14, 2025 18:16


Development

Successfully merging this pull request may close these issues.

Explore dependabot to keep our (pinned) actions up to date
