
chore: Included githubactions in the dependabot config

Open naveensrinivasan opened this issue 3 years ago • 5 comments

This should help with keeping the GitHub actions updated on new releases. This will also help with keeping it secure.

Dependabot helps in keeping the supply chain secure https://docs.github.com/en/code-security/dependabot

GitHub actions up to date https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot

https://github.com/ossf/scorecard/blob/main/docs/checks.md#dependency-update-tool Signed-off-by: naveen [email protected]

naveensrinivasan avatar Jul 03 '22 01:07 naveensrinivasan
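For readers unfamiliar with what the issue is asking for, the following is an added illustration of a `.github/dependabot.yml` that enables Dependabot version updates for GitHub Actions. It is not the configuration from this PR (which is not shown on this page); the weekly schedule, the `/` directory and the `ci` label are assumptions chosen for the example.

```yaml
# Added example (not the PR's own file): Dependabot version updates for GitHub Actions.
version: 2
updates:
  # The "github-actions" ecosystem scans the workflow files under .github/workflows
  # when the directory is set to the repository root ("/").
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"   # assumption: weekly cadence
    labels:
      - "ci"               # assumption: label used to triage the bump PRs
    commit-message:
      prefix: "ci"         # assumption: commit prefix for the generated PRs
```

Each `package-ecosystem` entry is independent, so enabling updates for workflow actions says nothing about Gradle or other ecosystems; covering those would require additional entries under `updates`, which is exactly the scope question raised in the replies below.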

Thanks, @naveensrinivasan. Does this take care of all dependencies? Given this configuration, it's not clear to me how it would know to update the dependencies/spring-security-dependencies.gradle file in its PRs. If it's only going to take care of dependencies listed in build.gradle, for example, I don't think this is the solution we want.

Also, I think it would be preferable if this could be configured in Gradle instead of in the .github directory so that the solution isn't specific to GHA.

jzheaux avatar Jul 05 '22 18:07 jzheaux

> Thanks, @naveensrinivasan. Does this take care of all dependencies? Given this configuration, it's not clear to me how it would know to update the dependencies/spring-security-dependencies.gradle file in its PRs. If it's only going to take care of dependencies listed in build.gradle, for example, I don't think this is the solution we want.
>
> Also, I think it would be preferable if this could be configured in Gradle instead of in the .github directory so that the solution isn't specific to GHA.

This PR is only for GitHub actions. I haven't included others because teams have mixed feelings on dependabot for other ecosystems like Gradle. HTH

naveensrinivasan avatar Jul 05 '22 18:07 naveensrinivasan

Thanks, @naveensrinivasan, that does help. Will this manage dependencies defined in places other than build.gradle? Spring Security's dependencies are defined in dependencies/spring-security-dependencies.gradle. I seem to remember that the Dependabot integration for Gradle has this limitation.

jzheaux avatar Jul 11 '22 23:07 jzheaux

> Thanks, @naveensrinivasan, that does help. Will this manage dependencies defined in places other than build.gradle? Spring Security's dependencies are defined in dependencies/spring-security-dependencies.gradle. I seem to remember that the Dependabot integration for Gradle has this limitation.

Yes, AFAIK.

naveensrinivasan avatar Jul 12 '22 17:07 naveensrinivasan

Related https://github.com/marketplace/actions/gradle-dependency-submission

jzheaux avatar Aug 18 '22 17:08 jzheaux

@jzheaux I think this can be considered now that we have the dependabot.yml in place for Gradle dependencies.

marcusdacoregio avatar Oct 04 '23 14:10 marcusdacoregio

Closing because of lack of feedback and in favor of https://github.com/spring-projects/spring-security/issues/14298

marcusdacoregio avatar Dec 14 '23 11:12 marcusdacoregio