github-action-merge-dependabot icon indicating copy to clipboard operation
github-action-merge-dependabot copied to clipboard

Published 20 hours ago verified publisher icon fastify

Target minor as default

Open Eomm opened this issue 2 years ago • 3 comments

Prerequisites

  • [X] I have written a descriptive issue title
  • [X] I have searched existing issues to ensure the feature has not already been requested

🚀 Feature Proposal

Starting from this issue:

  • https://github.com/nearform/brokeneck/pull/177#issuecomment-985618850

The same issue above happened to the fastify's modules as well.

I think the target: minor is a more secure default for users.

Or, we could define target: major per dev-dependancies and target: minor for dependencies.

Motivation

Usually, the merge PRs are overseen and you may release a wrong semver or face some issue that needs investigating a lot.

There was already a comment somewhere that was cons to this change, but I think worth discussing it a bit.

Example

No response

Eomm avatar Dec 07 '21 06:12 Eomm

I do not agree with this proposal because when doing things in the right way, meaning the code is tested, bumping majors is perfectly fine because breakages will be caught by tests. If we were to do this change, we would favor users who are not doing things in the right way and put more burden on users who are (because either they would need to manually merge those PRs or they have to do additional configuration when using the action).

Hence, I think we should prioritize users who are doing things in the right way by keeping "any" as the default.

Also note that minor is not a sensible default in general because for submodule bumps, we don't have any versions (see https://github.com/fastify/github-action-merge-dependabot/issues/95), hence why we recently set it to "any".

simoneb avatar Dec 07 '21 07:12 simoneb

What I see are two usages:

  1. per application: a major is fine as you highlight
  2. per module: a major is not (always) fine because the module may simple be exported to the user, changing the API actually
  3. per major/minor tags the target must be any (https://github.com/fastify/github-action-merge-dependabot/pull/121#issuecomment-988013334)

Do you agree on these two types? I think documenting it would be fine

EDIT: add 3rd option

Eomm avatar Dec 07 '21 09:12 Eomm

I think it makes more sense to put this on hold until there are less things moving around here, post v3

simoneb avatar Dec 07 '21 18:12 simoneb

Sorry for hijacking, but this seemed like a relevant place to ask:

I want to limit the automerging to be minor and patches:

I tried: target: minor || patch But a major update was merged with this setting.

Would using: target: minor also adress that patches would be merged, but not major?

kmthorsnes avatar Oct 05 '23 08:10 kmthorsnes

@kmthorsnes correct, and indeed the docs don't clarify it, but when you set it to minor, anything "less" than minor will be merged. We should probably clarify it in the docs

simoneb avatar Oct 05 '23 08:10 simoneb

That clears things up, great!

Thank you for swift reply 🚤 !

kmthorsnes avatar Oct 05 '23 09:10 kmthorsnes

It would be very useful to be able to define target levels per pattern or group.

https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/customizing-dependency-updates#grouping-dependabot-version-updates-into-one-pull-request

jmullo avatar Oct 11 '23 09:10 jmullo

@jmullo this feels like a different feature request, please open a new one

simoneb avatar Oct 11 '23 09:10 simoneb

I'm going to close this one which has been open for two years. Although somebody will disagree, it's clear that we're not going to do this, therefore no point in keeping it open.

If you want to target minor, use the corresponding action input.

simoneb avatar Oct 11 '23 09:10 simoneb