eclipse.jdt.ls
make use of GitHub functions for library update and security analysis
Is it possible to make use of some standard functions to check dependency updates and security issues?
Can one of the admins verify this patch?
The codeql-analysis seems nearly identical to what we do in https://github.com/eclipse/lemminx/blob/master/.github/workflows/codeql-analysis.yml, so should be fine. What does the dependabot config provide that's different from https://github.com/eclipse/eclipse.jdt.ls/issues?q=dependabot that I assume is configured on the repository? CC'ing @fbricon in case he may know.
After I activated it in my fork the pull requests for update of external dependencies have been created automatically. Many dependencies are outdated so I assumed it was not or not completely configured.
See https://github.com/carstenartur/eclipse.jdt.ls
@fbricon, I don't see the repo-level settings for JDT-LS. Do we have some dependabot app running there currently that does some very specific dependency updates? We did in the past, so I wouldn't mind restoring this through GH actions.
Looks pretty good to me. However, I noticed the following PRs when I tried this against my local fork: https://github.com/rgrunber/eclipse.jdt.ls/pulls. Is there any way to exclude a folder from the computation? Last I checked it was only possible to exclude artifacts by GAV. If that's our only option currently, I think we should just exclude the junit artifact since we aren't depending on it directly.
Others have disabled the feature due to noise from the testing folders.
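For readers following the discussion above about excluding the junit artifact by GAV, here is an added illustration of what such a Dependabot configuration looks like. It is not the eclipse.jdt.ls project's own `.github/dependabot.yml` (that file is not shown in this thread); the Maven ecosystem entry, the weekly schedule and the `junit:junit` ignore rule are assumptions chosen to match the comment, and the `dependency-name` for Maven is written as `groupId:artifactId`.

```yaml
# Added example, not the project's own file: a hypothetical
# .github/dependabot.yml for a Maven build (assumed layout: root pom.xml).
version: 2
updates:
  - package-ecosystem: "maven"
    # Directory containing the manifest Dependabot scans (assumption: repo root).
    directory: "/"
    schedule:
      interval: "weekly"
    ignore:
      # Exclusion is by GAV (groupId:artifactId), not by folder, which is the
      # limitation discussed above. junit is only reached transitively through
      # the test folders, so update PRs for it are noise rather than a fix.
      - dependency-name: "junit:junit"
```

Reviewing such a file is part of the supply-chain hygiene the thread is after: every `ignore` entry silences update PRs for that artifact, including ones that carry security fixes, so each exclusion should be justified in a comment and revisited if the dependency ever becomes a direct one.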
Not sure how I managed to close this. I'll re-create and merge now.