chore: add dependabot-sync action
#191
Conversation
| - package-ecosystem: "docker" | ||
| directory: "/" | ||
| schedule: | ||
| interval: "weekly" | ||
| day: "monday" | ||
| time: "05:00" | ||
| timezone: "America/New_York" | ||
| labels: | ||
| - "dependencies" | ||
| commit-message: | ||
| prefix: "feat" | ||
| include: "scope" |
There was a problem hiding this comment.
I noticed some repositories that do not have a Dockerfile included a config to keep Docker up-to-date (the file was probably just copy-and-pasted at the time). This means that this is a no-op action if a Dockerfile is not available.
I decided to use it in our favor and have it by default, even if many repos do not have Dockerfiles. This allows us to have less specific config files as the base work for more repos.
There was a problem hiding this comment.
I would just keep one dependabot.yml file and consolidate all of them, wdyt @andreynering ?
|
@aymanbagabas Some repos really have different rules. For example, an additional |
|
Another thing... the |
andreynering
force-pushed
the
add-dependabot-sync-action
branch
from
59c77dd to
0f0c579
Compare
| DEPENDABOT_FILE="${{ github.repository_owner }}/meta/dependabot/dependabot-${{ github.event.repository.name }}.yml" | ||
| if [ ! -f $DEPENDABOT_FILE ]; then | ||
| DEPENDABOT_FILE="${{ github.repository_owner }}/meta/dependabot/dependabot.yml" | ||
| fi |
There was a problem hiding this comment.
To keep files short and concise, we can have the repository specific settings stored in dependabot-repo.yml, then they get concatenated here. wdyt?
| DEPENDABOT_FILE="${{ github.repository_owner }}/meta/dependabot/dependabot-${{ github.event.repository.name }}.yml" | |
| if [ ! -f $DEPENDABOT_FILE ]; then | |
| DEPENDABOT_FILE="${{ github.repository_owner }}/meta/dependabot/dependabot.yml" | |
| fi | |
| cat "${{ github.repository_owner }}/meta/dependabot/dependabot.yml" > "${{ github.repository }}/dependabot.yml" | |
| DEPENDABOT_FILE="${{ github.repository_owner }}/meta/dependabot/dependabot-${{ github.event.repository.name }}.yml" | |
| if [ -f "$DEPENDABOT_FILE" ]; then | |
| cat "$DEPENDABOT_FILE" >> "${{ github.repository }}/dependabot.yml" | |
| fi |
There was a problem hiding this comment.
There would be at least three exceptions. These repos don't have any Go code, so they have config for GHA and/or npm only.
dependabot/dependabot-nur.ymldependabot/dependabot-vhs-action.ymldependabot/dependabot-soft-serve-action.yml
There was a problem hiding this comment.
Sure, in that case, since they don't have a go.mod file, dependabot will just skip that part, right? If so I think that's fine, especially if it will reduce the overhead and maintenance in the future.
There was a problem hiding this comment.
I'm not sure if the step will skip if go.mod is missing, but Okay, let's try that! We'll just need to adjust if it don't work as expected.
I'd say let's keep |
| @@ -0,0 +1,45 @@ | |||
| name: dependabot-sync | |||
| on: | |||
| workflow_call: | |||
There was a problem hiding this comment.
could use inputs here so the caller sets the filename, then we don't need that shell script
example:
meta/.github/workflows/soft-serve.yml
Line 7 in 30584a8
There was a problem hiding this comment.
It would be cool to be able to call this workflow from the GitHub webUI, specify a repo, and run the workflow for it to do the work, copy the config and open a PR in the given repo. Same goes for lint-sync
There was a problem hiding this comment.
Sounds good. That got me the idea that this workflow could also copy the actual workflow file to the repo, so I don't have to open manual PRs for each repo. 🙂
Similar to the existing
lint-sync, this will be references on our repos and make it easier to manage Dependabot config from now on.