
Move all dependency updates to dependabot

Open jcscottiii opened this issue 2 years ago • 0 comments

Remove renovate and use dependabot for go, python and node. This is to serve as research.

Proposal:

There are some notable differences between renovate and dependabot. If we want to continue with using only dependabot, this is what I would suggest.

  1. Set up dependabot for go, python, node and docker. Make sure it does not auto merge.
  2. Make the deployment step require an approval for dependabot: https://docs.github.com/en/actions/managing-workflow-runs/reviewing-deployments
     • Need to verify that it can be limited at the per-bot level

More notes down below

Warnings

There are some differences between dependabot and renovate. There are things renovate can do that dependabot can't:

  1. Run npm dedupe to keep the lock files pretty clean. Notes
  2. Group updates together https://github.com/github/roadmap/issues/148

Extra work needed specifically for dependabot

  1. Auto merging is possible but extra work needs to be done. Notes
     • I don't think auto merging is a good idea.
  2. Need to create a GCLOUD_KEY_FILE_JSON secret specifically for dependabot to use. Make sure it has the necessary scopes and no more.

Misc notes

  • For go dependencies: it does indeed run `go mod tidy` (which is absolutely necessary). Notes
  • Dependabot has a docker updater too. We should use that.

Description

TODO

Review Information

TODO

Changes

TODO

Requirements

TODO

jcscottiii, Aug 26 '22 21:08
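As an added illustration of step 1 of the proposal (not a file from the wpt.fyi repository or from the issue author), here is what a `.github/dependabot.yml` covering the four ecosystems named above could look like. The `directory: "/"` values, the weekly interval, the open-PR limit and the label are assumptions; adjust them to where the `go.mod`, `requirements.txt`, `package.json` and `Dockerfile` actually live. Dependabot's own config has no auto-merge setting, so leaving it at this satisfies "make sure it does not auto merge" by default; auto-merge only happens if someone adds a separate workflow for it.

```yaml
# .github/dependabot.yml (example configuration, not the project's own file)
version: 2
updates:
  # Go modules: Dependabot runs `go mod tidy` as part of the update, as noted above.
  - package-ecosystem: "gomod"
    directory: "/"            # assumption: go.mod is at the repository root
    schedule:
      interval: "weekly"      # assumption: weekly batches keep PR noise manageable
    open-pull-requests-limit: 5
    labels:
      - "dependencies"        # assumed label name

  # Python: reads requirements*.txt / Pipfile / pyproject.toml in the directory.
  - package-ecosystem: "pip"
    directory: "/"            # assumption
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
    labels:
      - "dependencies"

  # Node: updates package.json and the lock file. Unlike renovate there is no
  # `npm dedupe` step, so lock-file churn should be reviewed in each PR.
  - package-ecosystem: "npm"
    directory: "/"            # assumption
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
    labels:
      - "dependencies"

  # Docker: bumps base-image tags in the Dockerfile, per the "docker updater" note.
  - package-ecosystem: "docker"
    directory: "/"            # assumption: Dockerfile at the repository root
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
```

For step 2, the linked GitHub documentation describes protecting a deployment via an environment with required reviewers: a deploy job that declares `environment:` pointing at a protected environment pauses until a listed reviewer approves it. That protection applies to every run that deploys to the environment, not only Dependabot's, which is the "per-bot level" point that still needs verifying. On the secret in the "extra work" list: workflow runs triggered by Dependabot pull requests receive Dependabot secrets rather than the repository's Actions secrets, so a dedicated, minimally scoped GCLOUD_KEY_FILE_JSON would be stored as a Dependabot secret.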