Github: Enable dependabot for workflow dependencies

Open hoffie opened this issue 3 years ago • 4 comments

Short description of changes

This PR enables GitHub's dependabot for GitHub Action Workflows. Example PRs:

  • https://github.com/hoffie/jamulus/pull/93
  • https://github.com/hoffie/jamulus/pull/94
  • https://github.com/hoffie/jamulus/pull/95
  • https://github.com/hoffie/jamulus/pull/96

CHANGELOG: SKIP

Context: Fixes an issue?

Related: #2346

Does this change need documentation? What needs to be documented and how?

No, the PRs are self-documented.

Status of this Pull Request

Ready for review.

What is missing until this pull request can be merged?

  • [ ] Reviews
  • [ ] Right after merge we should check the dependabot page if everything looks good: https://github.com/jamulussoftware/jamulus/settings/security_analysis (especially Dependabot version updates)

Checklist

  • [x] I've verified that this Pull Request follows the general code principles
  • [x] I tested my code and it does what I want
  • [x] My code follows the style guide
  • [x] I waited some time after this Pull Request was opened and all GitHub checks completed without errors.
  • [x] I've filled all the content above

Aug 12 '22 12:08 hoffie

Thanks. There doesn't seem to be much with it?

Aug 12 '22 20:08 ann0see

The strange thing is that the CI failed on your PRs...

Edit: you probably stopped it.

Aug 12 '22 20:08 ann0see

Don't you think this PR should be documented as Internal in the changelog?

Aug 12 '22 20:08 ann0see

> Thanks. There doesn't seem to be much with it?

Well, I've only enabled it for github-actions for now as I don't see any other matches. It seems to be really targeted at certain build environments (npm, go, ...) which perform dependency management. For github-actions, it does what it should. The config is really basic and I think that's fine.

> Edit: you probably stopped it.

Yes. I've run lots of CI tests today and had to stop all those autobuild PRs at some point in order to get free slots for further tests. :)

> Don't you think this PR should be documented as Internal in the changelog?

Not sure. I think we don't have a guideline regarding that yet. This PR does not change the released artifacts in any way, so I thought I'd skip the CHANGELOG.

Aug 12 '22 21:08 hoffie
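
For readers who have not seen one, a basic Dependabot configuration limited to the github-actions ecosystem looks like the following. This is an added example, not the file from this PR; the update interval is an assumption, since the thread does not state it.

```yaml
# .github/dependabot.yml (constructed example, not the file from this PR)
version: 2
updates:
  # Only the github-actions ecosystem is enabled: Dependabot tracks the
  # actions referenced with `uses:` in the workflow files and opens a PR
  # when a newer version of one of them is published.
  - package-ecosystem: "github-actions"
    # For github-actions, "/" makes Dependabot look in .github/workflows
    directory: "/"
    schedule:
      # Assumed value; valid choices are daily, weekly or monthly
      interval: "weekly"
```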

I'd still like to have a changelog entry (maybe for all of these PRs squashed): Internal: Enabled automated dependency updates via dependabot and custom script

Aug 16 '22 17:08 ann0see

I've added an identical changelog entry for this PR and #2777. I've opened #2788 for the discussion about CHANGELOG-worthiness.

Aug 19 '22 08:08 hoffie