Less frequent, and grouped dependabot updates #1271
Conversation
Monthly may seem like an excaggeration, but our only real dependency is OPA, and we update that anyway. The rest are just peripheral anyway, and security related updates will be suggested immediately regardless. Signed-off-by: Anders Eknert <[email protected]>
|
One disadvantage of groups is that you cannot ignore them through interacting with github PRs: If it opens a PR for yadda, and for some reason you don't want to bump yadda, and you close the PR, dependabot will tell you that "because it's a group, I cannot do anything" and will re-open the same PR on the next schedule. Without the group, closing the PR would make dependabot ignore that particular version. Just a small annoyance I wanted to share 😅 |
|
That's good to know! I don't think we've had any updates that we've not wanted so far, but if that becomes annoying, yeah, let's ditch groups. I want them mainly to avoid having to wait for each PR to be rebuilt after on is merged. |
|
Agreed, the main pain is the rebase time, not the unwanted GHA updates as things are today. |
Monthly may seem like an excaggeration, but our only real dependency is OPA, and we update that ourselves anyway. The rest are just peripheral, and security related updates will be suggested immediately regardless.