
Too frequent unsubstantial patch releases #211

Closed
infinisil opened this issue Mar 3, 2025 · 2 comments

Comments

@infinisil

The new v1.11.x series of patch releases seems to be almost fully automated:

This has led to 6 patch releases within 2.5 months, without any substantial changes.

The problem with that is that dependabot then also creates automated PRs in all repos that depend on create-github-app-token. As a reviewer of such PRs, I feel like this is a waste of human attention. Especially because patch releases could also contain fixes for security vulnerabilities, so I can't just ignore such PRs.

Suggestion

Automated releases should only happen if there are any substantial updates included, which dependency updates are not.

@gr2m
Contributor

gr2m commented Mar 3, 2025

Especially because patch releases could also contain fixes for security vulnerabilities, so I can't just ignore such PRs.

Exactly.

Automated releases should only happen if there are any substantial updates included, which dependency updates are not.

Unless there are security updates. Which is not always easy to tell. You can configure the frequency of how often you want to receive updates from dependabot based on your preferences. We follow best practices by making sure our software is safe and uses the latest versions of its dependencies.

Also you should be able to just use actions/create-github-app-token@v1 and disable all updates except for breaking changes, and you will automatically get the latest version, that's why we do have the vX release branches.
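The configuration gr2m describes, as an added example that is not part of this thread and not the project's own documentation: a `.github/dependabot.yml` that keeps version updates for the action limited to major (breaking) bumps, next to a workflow step that pins to the floating `v1` release branch so minor and patch releases, including the security fixes discussed above, are picked up without a PR. The two files are shown together under path comments; the workflow name, job name and the `pr-checks` schedule are assumptions, and the `ignore` block is the standard Dependabot syntax for the `github-actions` ecosystem. Whether `ignore` also suppresses Dependabot security alerts for the ignored range is something to verify against the Dependabot documentation for your setup before relying on it.

```yaml
# .github/dependabot.yml (added example, not the project's own file)
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      # assumed cadence; weekly batches reduce the number of PRs a reviewer sees
      interval: "weekly"
    ignore:
      # Only major (breaking) bumps of this action produce a PR; the floating
      # v1 tag below already follows minor and patch releases on its own.
      - dependency-name: "actions/create-github-app-token"
        update-types:
          - "version-update:semver-minor"
          - "version-update:semver-patch"

# .github/workflows/pr-checks.yml (added example; workflow and job names are assumed)
name: pr-checks
on:
  pull_request:
jobs:
  token:
    runs-on: ubuntu-latest
    steps:
      # Reference the vX release branch rather than a specific v1.11.x tag, so
      # the latest v1 patch release is used without a dependency-update PR.
      - name: Mint an installation token
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ vars.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}
```

Note that the trade-off described in the thread still applies: the floating branch trades reviewer attention for trust in the upstream release process, whereas a pinned tag plus Dependabot PRs keeps a human in the loop for every patch release.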

@gr2m gr2m closed this as completed Mar 3, 2025
@infinisil
Author

Upon closer inspection, the latest update does include a security update (#210 -> https://github.com/octokit/auth-app.js/releases/tag/v7.1.5 -> octokit/auth-app.js#678 -> https://github.com/octokit/request-error.js/releases/tag/v6.1.7). So, point taken 😅
