@nineinchnick
Member

Description

Dependabot will automatically open pull requests to update GitHub Actions. The main benefit of this is knowing that new versions are available, especially if third-party GitHub Actions are pinned to specific versions. Running it weekly should give enough time to review updates, and also react swiftly to potential security updates.

Additional context and related issues

Release notes

(x) This is not user-visible or is docs only, and no release notes are required.
( ) Release notes are required. Please propose a release note for me.
( ) Release notes are required, with the following suggested text:

Dependabot will automatically open pull requests to update GitHub
Actions. The main benefit of this is knowing that new versions are
available, especially if third-party GitHub Actions are pinned to
specific versions. Running it weekly should give enough time to review
updates, and also react swiftly to potential security updates.
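A `.github/dependabot.yml` of the shape the description above talks about, written here as an added illustration rather than the file this PR adds; the `groups` block is an assumption, included because it is the standard way to collapse several action bumps into one PR when noise becomes a concern, as it does later in this thread.

```yaml
# Added example, not the configuration from this PR.
version: 2
updates:
  # Keep the actions referenced in .github/workflows/*.yml current.
  # Actions pinned to a commit SHA are bumped to the new SHA, with the
  # tag kept in a trailing comment, so pinning and updating coexist.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    # Assumed: one PR per week for all action updates instead of one per action.
    groups:
      github-actions:
        patterns:
          - "*"
```

Once merged, Dependabot also raises out-of-band PRs for actions with a published security advisory, independent of the weekly schedule.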
@findepi
Member

findepi commented Jun 13, 2024

I'd like to have dependabot for normal dependencies even more than for actions.
That's because we don't ship action code, but we do ship the dependencies. Currently the whole burden is carried by @wendigo , but that feels unfair.

@nineinchnick
Member Author

I agree we should be using Dependabot instead of checking updates manually, but we need to configure it with access to secrets, so only an admin can do this.

@findepi
Member

findepi commented Jun 13, 2024

I agree we should be using Dependabot instead of checking updates manually, but we need to configure it with access to secrets, so only an admin can do this.

@martint asked me this question -- Does dependabot understand the relationship between trino and airbase?

@nineinchnick do you maybe know?

@nineinchnick
Member Author

Does dependabot understand the relationship between trino and airbase?

You mean does it understand parent projects, or the usage of properties? Would it be better to discuss this on Slack? It's out of the scope of this PR.

@nineinchnick
Member Author

I've been using it in all my third-party Trino plugin repositories, check out this PR as an example: nineinchnick/trino-git#192

@mosabua
Member

mosabua commented Jun 13, 2024

I agree that this will be useful but I am also worried this is going to be noisy. Who is going to take on looking at all the PRs and evaluating them towards merge?

@wendigo
Contributor

wendigo commented Jun 13, 2024

@mosabua it's scheduled weekly so shouldn't bring too much noise

@mosabua
Member

mosabua commented Jun 13, 2024

@mosabua it's scheduled weekly so shouldn't bring too much noise

Let's hope so .. we can always tweak it as well. We might want to decide how we want to deal with the commit messages .. always squash and merge with rewording?

@wendigo
Contributor

wendigo commented Jun 13, 2024

@mosabua let's merge it and see the quality of PR and we can always revert

@mosabua
Member

mosabua commented Jun 13, 2024

Also note.. a bunch of this discussion is more about actual dependencies vs just the versions of the github actions .. but I am supportive of both..

@mosabua
Member

mosabua left a comment

Agreed with @wendigo .. ship it.

@wendigo wendigo merged commit a2558e5 into trinodb:master Jun 13, 2024
@github-actions github-actions bot added this to the 450 milestone Jun 13, 2024
@nineinchnick nineinchnick deleted the dependabot branch September 26, 2024 16:55