Disable Dependabot after Renovate trial run #18139

Closed
cevich opened this issue Apr 10, 2023 · 5 comments · Fixed by #18524
Labels: kind/cleanup (Categorizes issue or PR as related to cleanup), kind/feature (Categorizes issue or PR as related to a new feature)

Comments

@cevich
Member

cevich commented Apr 10, 2023

Feature request description

This repository is migrating over to Renovate for dependency/security automated updates, given its enhanced configuration/capabilities and centralized management. For the time being, both tools will be enabled so that we may catch any "missing" update problems.

Suggest potential solution

After 30-ish days, the .github/dependabot.yml file should be removed and Dependabot disabled in the repo. settings.

Have you considered any alternatives?

Renovate is the alternative

Additional context

No response

@cevich cevich added kind/cleanup Categorizes issue or PR as related to cleanup. kind/feature Categorizes issue or PR as related to a new feature. labels Apr 10, 2023
@cevich cevich self-assigned this Apr 10, 2023
@Luap99
Member

Luap99 commented Apr 11, 2023

copying from #18044 (comment)
The test/tools/go.mod is not covered AFAICT.

Also renovate PRs should set the release-note-none label

- "release-note-none"

@cevich
Member Author

cevich commented Apr 11, 2023

Good catch @Luap99

I believe the default ignore list includes test. Let me see how best to override that.
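
An added example, not part of the thread or the project's tooling: a small audit that reports which dependency manifests an ignore-glob list hides from an update bot, the kind of gap noted above for `test/tools/go.mod`. The glob list and every path except `test/tools/go.mod` are constructed assumptions, and the matcher is a simplified stand-in for Renovate's own glob handling.

```python
import re

# Assumption: constructed ignore globs, modelled on the thread's remark that the
# default ignore list "includes test". Not copied from Renovate's presets.
ASSUMED_IGNORE_GLOBS = ["**/node_modules/**", "**/vendor/**", "**/test/**"]

# Constructed sample paths; only test/tools/go.mod is named in the thread.
SAMPLE_MANIFESTS = [
    "go.mod",
    "test/tools/go.mod",
    "pkg/latest/go.mod",                # "latest/" must not match "test/"
    "vendor/example.invalid/x/go.mod",
]


def glob_to_regex(glob):
    """Compile a path glob: '**/' spans whole directories, '*' stays in one."""
    parts, i = [], 0
    while i < len(glob):
        if glob.startswith("**/", i):
            parts.append(r"(?:[^/]+/)*")   # zero or more complete directories
            i += 3
        elif glob.startswith("**", i):
            parts.append(r".*")            # trailing '**': anything below
            i += 2
        elif glob[i] == "*":
            parts.append(r"[^/]*")         # single path segment only
            i += 1
        else:
            parts.append(re.escape(glob[i]))
            i += 1
    return re.compile("".join(parts) + r"\Z")


def hidden_manifests(manifests, ignore_globs):
    """Map each ignored manifest to the first glob that hides it."""
    compiled = [(g, glob_to_regex(g)) for g in ignore_globs]
    hidden = {}
    for path in manifests:
        for glob, rx in compiled:
            if rx.match(path):
                hidden[path] = glob
                break
    return hidden


if __name__ == "__main__":
    for path, glob in hidden_manifests(SAMPLE_MANIFESTS, ASSUMED_IGNORE_GLOBS).items():
        print(f"NOT UPDATED: {path} (ignored by {glob})")
```

Feeding it the real manifest list (for example from `git ls-files`) and the effective ignore list shows which entries need an explicit override before the second updater is turned off.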

@Luap99
Member

Luap99 commented Apr 21, 2023

Renovate seems to propose updates for retracted releases, #18296
Is there any setting to turn that off?

cevich added a commit to cevich/automation that referenced this issue Apr 21, 2023
The original discussion about this has been closed.  At the time, I
believe I remember seeing a bugfix go through in the renovate
change-logs.  In any case, it seems [rollback PRs are not working
correctly](containers/podman#18139 (comment)).
Remove the workaround and enable rollbackPRs by default for golang.

Signed-off-by: Chris Evich <[email protected]>
@cevich
Member Author

cevich commented Apr 21, 2023

Thanks @Luap99 IIRC there was an issue fixed WRT rollback PRs but I still have a workaround in the default configuration. I'll remove that, but my memory is far from perfect, so please let me know if the problem keeps happening or gets worse.

Opened containers/automation#134

@cevich
Member Author

cevich commented Apr 26, 2023

Just following up on the rollbackPrs mess I made. @Luap99 I ran into this issue previously and was hoping it was resolved, clearly it's still broken. So these will need to be handled manually, one-by-one for now 😞

That said, if there's a dep. that keeps popping up as broken, there's another way we can hard-code versions to be ignored. Though closing the update PR is acceptable as well, the configuration change will guarantee it's never proposed anywhere.

cevich added a commit to cevich/podman that referenced this issue May 9, 2023
Fixes: containers#18139

Removing the Dependabot configuration file is a required prerequisite to
stopping it from opening update PRs.  Once this commit is merged, the
`Dependabot security updates` repo. setting may also be disabled.  Note:
The `Dependabot alerts` setting should remain enabled, this provides
security-data to renovate for opening important vulnerability fix PRs.

Signed-off-by: Chris Evich <[email protected]>
@containers containers locked as resolved and limited conversation to collaborators Jun 28, 2023