Update Dependabot to ignore patch updates #271
Conversation
PR Overview
This PR updates the Dependabot configuration to reduce noise by ignoring patch updates for dependencies and to streamline reviews by automatically assigning a reviewer.
- Adds a reviewers list with "jbangelo"
- Introduces a general ignore rule for patch updates across all dependencies
- Retains specific pinned version rules for vergen and skips a specific version of curl
Reviewed Changes
| File | Description |
|---|---|
| .github/dependabot.yml | Updated configuration to reduce patch update noise and assign reviewers |
Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.
You could probably throw a group on there, like the quality group or something, unless you'd prefer to be blasted on your own. Seems like we could benefit from a generic Rust reviewer group which you could use for things like this.
I hear where you are coming from, but this is a little heavy-handed in your approach.
At the very least Dependabot knows security updates vs patch, and we should allow those. I also think it is nice to group updates to avoid spam. I found this setting works well for my Rust repos:
```yaml
---
version: 2
updates:
  - package-ecosystem: "cargo"
    directory: "/"
    schedule:
      interval: "daily"
    groups:
      minor-and-patch:
        applies-to: version-updates
        update-types:
          - patch
          - minor
      security-updates:
        applies-to: security-updates
        update-types:
          - patch
          - minor
  - package-ecosystem: github-actions
    directory: "/"
    schedule:
      interval: weekly
```
- dependency-name: curl | ||
versions: | ||
- 0.4.36 | ||
# Ignore patch updates for all | ||
- dependency-name: "*" | ||
update-types: ["version-update:semver-patch"] |
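Review bot: the `curl` entry (`- dependency-name: curl` / `versions:` / `- 0.4.36`) is the one rule in this hunk with no comment saying why that single release is skipped, while the wildcard rule right below it does get one (`# Ignore patch updates for all`). Add a one-line comment with the reason and, if there is one, the issue or upstream report it refers to, so a later maintainer can tell when the skip can be dropped; a bare pinned version in an ignore list tends to outlive the problem it was added for. For the wildcard rule itself, `dependency-name: "*"` with `update-types: ["version-update:semver-patch"]` suppresses every patch-level version bump, so a fix that only ships as a patch release will not be proposed until someone asks for it; if the goal is only to cut PR volume, a `groups` entry batches those bumps without hiding them.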
Actually this already only affects version updates. Sorry for being trigger-happy with changes requested. I think it makes sense to group instead of disabling if you are worried about git log spam, but this is fine as is if you are happy with it.
Maybe doing less frequent checks, in addition to grouping them together, would be the right path forward?
@jbangelo that's what I would recommend, but I don't feel strongly about it. You don't have to merge the PRs in right away, and Dependabot will just add new ones to the group, so I don't find the daily checks too annoying; I just merge them in about once every couple of weeks.
FYI there isn't really a good reason to keep vergen pinned at version three, other than that the breaking change is confusing to fix. Luckily I did that for other Rust tools a while back, and I updated ntripping to the latest vergen version in line with other Rust tools we have: #272
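Pulling the thread's suggestions together in one file: a `groups` entry instead of a wildcard patch ignore, a weekly rather than daily schedule, the team as reviewer, and the single curl version skip kept narrow and commented. This is an added example, not the configuration merged in this PR or in #272; the comment under the curl entry is a placeholder, because the page does not say why that release is skipped.

```yaml
# Added example combining the suggestions in this thread. Not the
# configuration from this PR or from #272.
version: 2
updates:
  - package-ecosystem: "cargo"
    directory: "/"
    schedule:
      interval: "weekly"
    # Route Dependabot PRs to the team rather than to one person.
    reviewers:
      - "swift-nav/open-source"
    # Batch routine bumps into one PR instead of ignoring patch updates
    # outright. Security updates get their own group so they are raised
    # on their own and are not buried in the routine batch.
    groups:
      minor-and-patch:
        applies-to: version-updates
        update-types:
          - patch
          - minor
      security-updates:
        applies-to: security-updates
        update-types:
          - patch
          - minor
    # Keep ignore rules narrow and documented: one dependency, one version,
    # and the reason next to it so the rule can be removed later.
    ignore:
      - dependency-name: "curl"
        versions: ["0.4.36"]
        # Placeholder: record why this release is skipped and the issue
        # tracking it (the thread does not state the reason).
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

Keeping the security group separate from the routine batch means a security update is not held back by a version-update PR that nobody has merged yet, and the narrow curl rule keeps the ignore list from silently swallowing updates for everything else.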
Changed me out for the @swift-nav/open-source group, just had to make sure we had added that team to this repo.
We tend to get a bunch of patch updates to dependencies, which can create a lot of pointless noise in the commit history. Since we have security scans enabled, it should be fine to skip over patch updates until we encounter a bug that requires an update.
This also adds a reviewer to the Dependabot PRs, so that we can get them reviewed and merged in a timely fashion.