ci(dependencies): add dependabot config
Double check these details before you open a PR
- [x] PR does not match another non-stale PR currently opened
Features
This PR adds a dependabot configuration to automatically update dependencies. It will automatically create PRs for outdated dependencies of the following types.
- github actions
- npm (all dev dependencies will be grouped into a single PR)
- python/pip (this normally works for `requirements*.txt` files even in subfolders, but I don't know if it will work in the `.github` directory)
This PR closes NONE
Notes
This will not start working until the file exists on the default branch. Additionally, dependabot will only run the config that exists on the default branch. This is one reason I would suggest making the default branch develop, although there are plenty of other reasons which mostly involve improving the developer experience.
Personally, I set my dependabot config to run daily, but that may be too overwhelming/annoying for this repo, so I changed it to weekly.
For more dependabot config options, here is the official documentation: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
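As an added illustration (not the file from this PR, whose diff is not shown on this page), here is what a `.github/dependabot.yml` matching the description above would look like: the three ecosystems listed, a weekly schedule, and npm development dependencies collected into one PR via the `groups` key. The group name `dev-dependencies` and the `directory` values are assumptions; the `directory` for pip must point at wherever the `requirements*.txt` files actually live, since Dependabot only reads the configuration on the default branch and only looks in the directories it is told about.

```yaml
# .github/dependabot.yml (example, not the PR's own file)
version: 2
updates:
  # Keep the versions pinned in workflow files under .github/workflows current.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"

  # npm: all devDependencies land in a single grouped PR;
  # production dependencies still get one PR each.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      dev-dependencies:            # assumed group name
        dependency-type: "development"

  # pip: directory must be where the requirements*.txt files are found.
  - package-ecosystem: "pip"
    directory: "/"                 # assumed location
    schedule:
      interval: "weekly"
```

Changing `interval` to `"daily"` gives the more frequent cadence mentioned above; `open-pull-requests-limit` can be added to any entry to cap how many update PRs Dependabot keeps open at once.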
Dependabot is nice to have, but I don't think we should merge this before we get trunk based branching. As it is now, it's too much hassle to check if updated dependencies work as expected, and we don't have proper automated tests in order to confidently merge without manually testing. Once we get rid of the development branch and move to trunk based development, we can reconsider adding dependabot along with some automated tests :)