From c0c77650267b658c3b8b7be6f7099110079f985a Mon Sep 17 00:00:00 2001 From: Chris Roos Date: Thu, 16 Nov 2023 16:04:03 +0000 Subject: [PATCH] Configure Dependabot to update all RubyGems By default Dependabot only monitors direct dependencies (those specified in the Gemfile) for updates. It appears to use `bundle update ` under the hood, which means that a Dependabot PR to update can also include updates to sub-dependencies. This makes it harder to review because the PR will only include the Changelog of and not of the sub-dependencies. My hope is that by configuring Dependabot to monitor direct and indirect (sub) dependencies[1] we'll end up with more, smaller/easier to review, PRs. I think the same change[2] has been working reasonably well in Signon and thought it was worth bringing gds-sso into line. [1]: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#allow [2]: https://github.com/alphagov/signon/pull/2382 --- .github/dependabot.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 0b660fe..e4d0624 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -4,6 +4,8 @@ updates: directory: "/" schedule: interval: daily + allow: + - dependency-type: "all" - package-ecosystem: "github-actions" directory: "/" schedule:
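Review bot: the added `allow:` / `dependency-type: "all"` pair lands in an update entry that runs on `interval: daily`, and nothing visible in this hunk sets `open-pull-requests-limit`, so the new sub-dependency PRs will share Dependabot's default limit on open version-update pull requests with the direct-dependency PRs and may delay them. Consider setting `open-pull-requests-limit` explicitly in this entry, or confirming that a value outside the visible context already covers it. It would also help to put a short YAML comment above `allow:` recording why indirect dependencies are included, since that rationale currently lives only in the commit message. The second entry (`package-ecosystem: "github-actions"`) is left unchanged, which matches the stated scope of RubyGems only.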