Make WordPress Core

Opened 3 years ago

Closed 3 years ago

Last modified 2 years ago

#54503 closed feature request (fixed)

Configure Dependabot alerts for when GitHub Actions updates are available

Reported by: desrosj
Owned by: desrosj
Milestone: 5.9
Priority: normal
Severity: normal
Version:
Component: Build/Test Tools
Keywords: has-patch
Focuses:
Cc:

Description

The GitHub Dependabot can be configured to monitor GitHub Actions for updates. This is useful because it avoids having to manually check every action in use within workflow files.

This should be configured so that maintenance of these workflow files is easier.
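The kind of configuration the ticket is asking for, added here as an illustration only; it is not the file committed in changeset 52241 (that file's contents are not reproduced on this page), and the schedule interval, pull-request limit and label are assumed values:

```yaml
# .github/dependabot.yml
# Added example for this page, not the committed wordpress-develop file.
version: 2
updates:
  # The "github-actions" ecosystem makes Dependabot scan every `uses:`
  # reference in the workflow files and open a PR when a newer release
  # of the referenced action exists.
  - package-ecosystem: "github-actions"
    # For this ecosystem "/" means the workflow files under
    # .github/workflows; no other directory value is needed.
    directory: "/"
    schedule:
      # Assumed cadence; "daily" and "monthly" are the other options.
      interval: "weekly"
    # Assumed cap on concurrently open Dependabot PRs for this ecosystem.
    open-pull-requests-limit: 5
    # Assumed label so reviewers can filter the bot's PRs.
    labels:
      - "dependencies"
```

Dependabot reads this file from the repository's default branch, which is why, as the discussion below notes, a fork only starts receiving these PRs once its default branch contains the file. The same configuration also keeps SHA-pinned actions current: a step written as `uses: owner/action@<full commit sha> # v1.2.3` is updated to the new commit hash together with the trailing version comment, so pinning to a full SHA (the recommended defence against a compromised or retagged action) does not cost the automatic update.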

Attachments (1)

Screen Shot 2022-09-01 at 10.25.54.png (66.7 KB) - added by desrosj 2 years ago.

Change History (9)

#1 @desrosj
3 years ago

  • Owner set to desrosj
  • Resolution set to fixed
  • Status changed from new to closed

In 52241:

Build/Test Tools: Configure Dependabot scanning for GitHub Actions.

This eliminates the need to manually check all GitHub Actions used within workflow files for updates.

Fixes #54503.

3 years ago

This ticket was mentioned in Slack in #core by sergey.

#3 follow-up: @jrf
2 years ago

FYI: for anyone who had "old" forks of this repo and have in the meantime updated the default branch in their fork from master to trunk, this config means that PRs will be opened to those forks as well.

As far as I can see, there is currently no way to disable this for a fork, other than possibly switching to renovate-bot instead.

#4 follow-up: @desrosj
2 years ago

Thanks for pointing this out!

I was also surprised to see this happening on my fork. One of the reasons I made this change was that the documentation states that "if you want to enable version updates on forks, there's an extra step" (source).

It's definitely annoying, but I wonder how many forks of wordpress-develop out of the 1,400 currently are "old" and subject to this. Personally, I would prefer to stick with the native GH Dependabot if possible. If more people start raising this concern, we can open a new ticket to discuss switching. For now, I'll see about reaching out to GitHub DevRel folks and starting a discussion around this one.

#5 @desrosj
2 years ago

Just wanted to confirm that new forks will have the correct behavior and require them to be manually activated.

#6 in reply to: ↑ 4 @jrf
2 years ago

Replying to desrosj:

It's definitely annoying, but I wonder how many forks of wordpress-develop out of the 1,400 currently are "old" and subject to this.

Honestly not sure, but AFAICS it only starts happening if they renamed the main branch of their fork to trunk and keep that branch up to date (or at least updated it to beyond the commit which included the Dependabot config).

Personally, I would prefer to stick with the native GH Dependabot if possible.

Understood. Salient detail: Microsoft repos on GH all use Renovate ;-)

If more people start raising this concern, we can open a new ticket to discuss switching. For now, I'll see about reaching out to GitHub DevRel folks and starting a discussion around this one.

👍🏻

Just wanted to confirm that new forks will have the correct behavior and require them to be manually activated.

Yes, IIRC the default behaviour for forks changed about a year ago, but old forks still can't turn it off.

#7 in reply to: ↑ 3 @desrosj
2 years ago

Replying to jrf:

FYI: for anyone who had "old" forks of this repo and have in the meantime updated the default branch in their fork from master to trunk, this config means that PRs will be opened to those forks as well.

As far as I can see, there is currently no way to disable this for a fork, other than possibly switching to renovate-bot instead.

To follow up on this, GitHub pushed a feature today that allows more granular control of Dependabot behavior on forks: https://github.blog/changelog/2022-11-07-dependabot-pull-requests-off-by-default-for-forks/. I was able to disable Dependabot version updates manually on my fork using this.

#8 @jrf
2 years ago

Thanks @desrosj! I've turned it off on my fork now as well. Keeping my fingers crossed it works as advertised ;-)