Too frequent unsubstantial patch releases

[infinisil]

The new v1.11.x series of patch releases seems to be almost fully automated:

• @dependabot creates automated PRs to update dependencies
• @gr2m merges it
• @semantic-release-bot creates an automated release

This has lead to 6 patch releases within 2.5 months, without any substantial changes.

The problem with that is that dependabot then also creates automated PRs in all repos that depend on create-github-app-token. As a reviewed of such PRs, I feel like this is a waste of human attention. Especially because patch releases could also contain fixes for security vulnerabilities, so I can't just ignore such PRs.

Suggestion

Automated releases should only happen if there's any substantial updates included, which dependency updates are not.

[gr2m]

Especially because patch releases could also contain fixes for security vulnerabilities, so I can't just ignore such PRs.

Exactly.

Automated releases should only happen if there's any substantial updates included, which dependency updates are not.

Unless there are security updates. Which is not always easy to tell. You can configure the frequency of how often you want to receive updates from dependabot based on your preferences. We follow best practices by making sure our software is safe and uses the latest versions of its dependencies

Also you should be able to just use actions/create-github-app-token@v1 and disable all updates except for breaking changes, and you will automatically get the latest version, that's whey wi do have the vX release branches.

[infinisil]

Upon closer inspection, the latest update does include a security update (#210 -> https://github.com/octokit/auth-app.js/releases/tag/v7.1.5 -> octokit/auth-app.js#678 -> https://github.com/octokit/request-error.js/releases/tag/v6.1.7). So, point taken 😅