Enable dependabot for most dependencies #10370
Draft
Opening this for discussion. I'm absolutely certain we'll want to fine-tune the configuration to avoid some automatic updates, so feel free to suggest whatever makes sense to you.
The most important dependencies to update are the runtime ones, e.g. bytebuddy, which we've failed to update consistently, resulting in delayed support for newer JDKs. My hope is that dependabot will address that problem.
The idea is that we'd merge updates in the "build-dependencies" group as-is, without a Jira issue.
We would still have to adjust/re-create other update PRs (such as Jandex) to assign them a Jira issue. We could consider limiting the dependencies covered by dependabot, but I find that grouping, at least, allows a fairly manageable rate of dependabot PRs. Runtime dependency updates should be more rare anyway, as their number is limited and they're generally less active (e.g. Jakarta Persistence doesn't release a micro every week).
If we merged this PR right now, we would get something like this, to catch up with updates that we forgot to do:
See my fork for details for these PRs: https://github.com/yrodiere/hibernate-orm/pulls/app%2Fdependabot
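The configuration file itself is not shown in this PR, so the following is an added illustration (not the author's actual `.github/dependabot.yml`) of how the grouping and limiting described above are expressed for a Gradle build. The group name `build-dependencies` comes from the description; the patterns, schedule, limits and the ignored dependency are assumptions chosen to show the mechanism, not the project's real choices.

```yaml
# Added example of a Dependabot config implementing the approach described above.
# Assumptions: Gradle build at the repository root, weekly checks, and a
# "build-dependencies" group that collects build-time tooling so its updates can be
# merged as-is. Everything else (runtime dependencies) gets one PR per dependency,
# which then needs a Jira issue assigned by hand.
version: 2
updates:
  - package-ecosystem: "gradle"
    directory: "/"
    schedule:
      interval: "weekly"
    # Cap the number of simultaneously open PRs to keep the review rate manageable.
    open-pull-requests-limit: 10
    groups:
      build-dependencies:
        # Group patterns are assumptions: build plugins and test tooling, not runtime deps.
        patterns:
          - "org.gradle*"
          - "com.github.ben-manes.versions"
          - "org.junit*"
          - "org.assertj*"
    ignore:
      # Example of limiting coverage: skip major bumps of a dependency whose upgrade
      # needs a dedicated migration effort (dependency name is a placeholder).
      - dependency-name: "example.group:example-artifact"
        update-types: ["version-update:semver-major"]
```

With this shape, a weekly run produces at most one PR for the whole `build-dependencies` group plus separate PRs for each runtime dependency such as bytebuddy or Jandex, which matches the split between "merge as-is" and "needs a Jira issue" described in the PR. Checking `dependabot.yml` into the repository also means the update policy is reviewed like any other code change.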
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license
and can be relicensed under the terms of the LGPL v2.1 license in the future at the maintainers' discretion.