
[rfc] switch from dependabot to renovate?

Open cyphar opened this issue 1 year ago • 3 comments

On the private repo, dependabot produces a lot of spam (so much so that there are stories in https://github.com/dependabot/dependabot-core/issues/2804 of it exhausting the billing cap of an organisation). They have added a mitigation for forks, but for a private copy that won't help us.

Some folks mentioned that renovate doesn't have this issue. Maybe we should look into whether switching is worth it or not?

For the meantime, I have the following saved reply which I've used for all of the spam PRs, which hopefully will reduce the spam:

@dependabot ignore this dependency

Closing because this is a fork and we do not want dependency update spam here.

###### This is a dependabot issue: `https://github.com/dependabot/dependabot-core/issues/2804`

cyphar, Jul 09 '24 02:07

The runc-private repo seems to be a copy of the repo, so not a fork or anything. Can't we just disable dependabot there? I can't see why we can't have a different configuration on a completely different repo.

It seems to be disabled now, btw. Maybe you did that?

rata, Jul 10 '24 14:07

You can't make private forks, so we had to make a copy.

AFAICS you can't disable dependabot if there is a config file in the repo. At the bottom of dependabot/dependabot-core#2804 they mention that they are considering expanding the ability to disable dependabot for non-forks, but at the moment you can't disable it AFAICS (there's no disable button in the settings panel for dependabot/security scanners).

I use a saved reply to mass-disable dependabot notifications for individual dependencies (for all of the PRs it had opened), but that doesn't mean it won't ping for a different dependency in the future.

cyphar, Jul 11 '24 12:07

Oh, thanks. It seems if we let it rot for 90 days, it should auto-stop: https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-automatic-deactivation-of-dependabot-updates

And it is the same for version updates: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates#about-automatic-deactivation-of-dependabot-updates

I wonder if that would do the trick for us?

I'm not against switching to renovate, but I haven't done any due diligence to know we can trust them.

rata, Jul 11 '24 16:07

I don't think this is really necessary; I ended up closing most of the dependabot issues.

cyphar, Oct 23 '24 11:10