Configure Dependabot to update all RubyGems
By default Dependabot only monitors direct dependencies (those specified
in the Gemfile) for updates. It appears to use `bundle update
<dependency>` under the hood, which means that a Dependabot PR to update
<dependency> can also include updates to sub-dependencies. This makes it
harder to review because the PR will only include the Changelog of
<dependency> and not of the sub-dependencies.

My hope is that by configuring Dependabot to monitor direct and indirect
(sub) dependencies[1] we'll end up with more, smaller/easier to review,
PRs.

I think the same change[2] has been working reasonably well in Signon
and thought it was worth bringing gds-sso into line.

[1]: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#allow
[2]: alphagov/signon#2382
chrisroos committed Nov 16, 2023
1 parent 3aa846d commit c0c7765
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions .github/dependabot.yml
@@ -4,6 +4,8 @@ updates:
directory: "/"
schedule:
interval: daily
allow:
- dependency-type: "all"
- package-ecosystem: "github-actions"
directory: "/"
schedule:
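Review bot: the new `allow: - dependency-type: "all"` block in this first updates entry is paired with `interval: daily`, but the entry sets no `open-pull-requests-limit`, so the flood of indirect-dependency PRs this change is meant to produce will be capped by Dependabot's default of 5 open pull requests; if the intent is "more, smaller PRs", set `open-pull-requests-limit` explicitly to the number the team will actually review at once, and if the default cap is intended, say so alongside the `allow` block so the next reader does not assume it was overlooked. Note also that `allow` is scoped to this entry only, so the `github-actions` entry that follows keeps its default of direct dependencies, which matches the commit title's restriction to RubyGems.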

0 comments on commit c0c7765
