Remove restrictions on Dependabot GitHub Actions update
Closed this issue · 2 comments
There is a discussion under #509 (comment) about whether the current restrictions on Dependabot updates for GitHub Actions should be loosened. At the moment the current settings (madminer/.github/dependabot.yml, lines 5 to 12 in 03cd67b) allow only one action (madminer/.github/workflows/publish.yml, line 42 in 03cd67b) to ever be updated by Dependabot.
At the moment the restrictions invalidate the usefulness of the updater. There is no practical argument to keep them in my mind as GitHub Actions already do not make any promise of true SemVer and most of Scikit-HEP uses the updater with no negative consequences.
I already expressed my concerns about turning on auto-creation of PRs for GHA Actions major releases.
Given the number of repositories some of us have Dependabot PRs turned on for, we prefer to keep their automatic creation to those we can immediately act on (following SemVer's best intent: minor and patch bumps). This avoids being notified about every major release through a PR that requires us to perform some CHANGELOG investigation. People may prefer to deal with those in a manual fashion, whenever they have the bandwidth. This is the way I prefer too.
As a last point: Dependabot should not be used as a notification system. If you would like to get notified on GHA Action version bumps, go ahead and tune your Custom Notifications for the Actions you use.
Finally, I already stated in comment #509 (comment) that I am happy to be responsible for GHA Actions major version bumps until a new maintainer is "officially" appointed. There is no need to revisit this topic in the near future.
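A dependabot.yml that encodes the preference described in this comment (automatic PRs for minor and patch bumps of GitHub Actions, major bumps left to manual review), as an added example rather than the repository's own configuration, whose contents are not shown here; the directory and schedule values are assumptions:

```yaml
# Added example; not madminer's actual dependabot.yml.
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"            # assumption: workflows live under /.github/workflows
    schedule:
      interval: "weekly"      # assumption: any interval works for this point
    ignore:
      # Open PRs for minor and patch bumps only; major bumps are reviewed by hand.
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
```

Without an `allow` block, Dependabot considers every action referenced in the workflows rather than a single listed one, so this loosens the current single-action restriction while still keeping major bumps out of automatic PRs.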
Okay, SGTM.
As a last point: Dependabot should not be used as a notification system. If you would like to get notified on GHA Action version bumps, go ahead and tune your Custom Notifications for the Actions you use.
Why do you say this though? This seems like a matter of personal choice. Am I missing a technical aspect?