We don't have a default/consistent dependabot config across repos
danswann opened this issue · 9 comments
Problem
Dependabot's automatic security fixes, and additional features like automatic package bumps, can be configured in .github/dependabot.yml.
We don't have a consistent policy in the organization for how to configure dependabot. I propose we create a "default policy" that can be overridden as necessary by repo-local configuration (similar to how we currently handle CONTRIBUTING.md).
Context
A quick search was inconclusive on whether dependabot.yml will be globally respected if put into this special .github repo, or if this only works for issue/PR/etc. templates.
In the latter case, we should still probably come up with a "default policy" that is manually set by those responsible for repo creation / configuration.
TODO
- In organization settings: enable dependabot security updates for all existing and new repos
Agreed on this. At minimum, we should have our template file in the .github repository
Looks like this might be less useful than I thought.
The things I was hoping to configure globally (how frequently he checks for package updates, how he groups his PRs, which branch he should target) cannot be configured without first specifying a package ecosystem.
Since not all of our repositories use the same package system, this is basically impossible. We could write a crazy long one that accounts for all our current package managers, but I'm not sure that would work. And we'd have to handle edge cases like how the Go manifest for the discord bot is in a subdirectory.
The repository must also contain a dependency manifest or lock file for each of these package managers.
It's not clear whether this means it will no-op for repos that don't use a given manager, or it will fail completely.
It's likely we'll get the most out of dependabot by just configuring it per-repository.
One thing we can do globally is enable dependabot's security updates/PRs by default for all existing and future repos belonging to the @comcode-org organization. See here.
Agreed on this. At minimum, we should have our template file in the .github repository
@seanmakesgames In light of the above limitations, do you think I should just make a dependabot_template.yml file that can be used as a reference for repo-specific implementations? Or scrap this entirely and just open issues on the other repos?
One thing we can do globally is enable dependabot's security updates/PRs by default for all existing and future repos belonging to the https://github.com/comcode-org organization. See here.
Yes. Can you add this as a line item todo in this issue?
@seanmakesgames In light of the above limitations, do you think I should just make a dependabot_template.yml file that can be used as a reference for repo-specific implementations? Or scrap this entirely and just open issues on the other repos?
hmm. I think by turning it on by default, we will start to get PRs opened by it w/ its default settings. Whatever it ends up doing, we'll learn what needs to change in the individual repos. I don't think we need to write issues on repos if we just turn it on for them, that should be good enough to create the inertia.
Yes. Can you add this as a line item todo in this issue?
Done.
hmm. I think by turning it on by default, we will start to get PRs opened by it w/ its default settings.
This is true for security-related updates, but not regular version updates. If we want automatic version bumps we probably have to go repo-local, because e.g. setting up a file in this .github repo for the npm ecosystem will either have no effect on hackmudclient, discord, etc. or outright break.
Thanks!
This is true for security-related updates, but not regular version updates. If we want automatic version bumps we probably have to go repo-local, because e.g. setting up a file in this .github repo for the npm ecosystem will either have no effect on hackmudclient, discord, etc. or outright break.
Alright. I think we should just get started with the wiki repo re: auto updates. (make an issue) We'll build this out across repos as we go. We'll call this particular item good with turning on security updates across repos.
@seanmakesgames has there been any movement on resolving this? To me the reduced... action surface(?) looks like it should be fairly simple to do.
I've gone through and updated things and set defaults.