Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add dependabot #2025

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add dependabot #2025

wants to merge 1 commit into from

Conversation

mrueg
Copy link
Contributor

@mrueg mrueg commented Dec 3, 2024

What type of PR is this?

  • feature

What this PR does / why we need it:

Adds a dependabot configuration for automated dependency and github workflow updates.

Which issue(s) this PR fixes:

None, let me know if I need to create one first.

@mrueg mrueg requested a review from a team as a code owner December 3, 2024 09:54
Juneezee
Juneezee approved these changes Dec 3, 2024
View reviewed changes
Copy link
Member

@Juneezee Juneezee left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thanks!

yassinebenaid
yassinebenaid approved these changes Dec 3, 2024
View reviewed changes
Copy link
Member

@yassinebenaid yassinebenaid left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@bartekpacia
Copy link
Member

Honestly, I don't see a need for it. I always find dependabots warnings to be annoying and not useful.

Also, this module has no dependencies (aside from some utilities for testing), and we aim to keep it this way.

I'm against.

@abitrolly
Copy link
Contributor

-1 on dependabot too. It pollutes search results with irrelevant hits, and mailbox with too much noise.

@mrueg
Copy link
Contributor Author

mrueg commented Dec 3, 2024
edited
Loading

If spam is a concern, we can limit the number of PRs it's opening.
As the project has only few dependencies, dependabot will likely open one PR/month.

It also ensures that the github workflows are using their latest actions, which I think is a benefit to ensure that the work flow stays working and eventually saves you from spending time on upgrading it yourselves.

@bartekpacia
Copy link
Member

We don't have many GitHub Actions workflow files, and we only use first-party actions from GitHub, and as of now, they're all on the latest version.

Thank you for this PR and I appreciate enthusiasm, but I'm still against (just my opinion. I'm curious what other maintainers think).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yassinebenaid yassinebenaid yassinebenaid approved these changes

@Juneezee Juneezee Juneezee approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@mrueg @bartekpacia @abitrolly @Juneezee @yassinebenaid