Keep GitHub Actions up to date with GitHub's Dependabot #2401
Conversation
.github/dependabot.yml
Outdated
| patterns: | ||
| - "*" # Group all Actions updates into a single larger pull request | ||
| schedule: | ||
| interval: weekly |
There was a problem hiding this comment.
Monthly is less noisy:
| interval: weekly | |
| interval: monthly |
There was a problem hiding this comment.
It has been three weeks...
GitHub Actions have very infrequent major version changes. For instance, setup-python has only had four major upgrades in its lifetime. Also, when they are upgraded, it often happens in batches. The pattern: * will consolidate all GHA updates into a single pull request to further reduce chattiness.
There is a tradeoff between supply chain security and chattiness. Given that we have a few GHAs that are updated rarely and usually in batches and we are using pattern: * to ensure that there will only ever be a single GHA upgrade PR at a time, my recommendation would have been to kick off this process in weekly mode. It is trivial to switch to monthly mode if we sense it becomes chatty. I doubt that it will.
There was a problem hiding this comment.
Perhaps the pattern: * approach should be used on the pip dependencies which are far more chatty than the GHA updates could ever be. https://github.com/python/pythondotorg/pulls/app%2Fdependabot
Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
This could have been automated in * python#2401 * https://github.com/actions/checkout/releases * https://github.com/actions/setup-python/releases * https://github.com/actions/cache/releases
This could have been automated in * #2401 * https://github.com/actions/checkout/releases * https://github.com/actions/setup-python/releases * https://github.com/actions/cache/releases Co-authored-by: Łukasz Langa <lukasz@langa.pl>
Generates pull requests like mymarilyn/clickhouse-driver#423 to fix warnings like at the bottom right of
https://github.com/python/pythondotorg/actions/runs/8235999706
Fixes #2424