
Added: Dependabot.yml config #1663

Merged
merged 3 commits into from
Dec 19, 2021

Conversation

GoliathLabs
Contributor

What does this PR do?

This PR adds dependabot. Dependabot will take care of package updates (e.g. go.mod dependency updates, Dockerfile image tag updates and the gh actions used).

Why is it needed?

I think it's quite useful because @42wim doesn't really need to keep an eye on go/docker/gh-actions updates anymore, since Dependabot will create monthly PRs about the new updates of the used components. This will improve the security of the project as dependencies with security holes can be patched quickly.

I would really appreciate feedback on this PR 😄

@42wim
Owner

42wim commented Dec 18, 2021

Thanks! 2 questions

  • could you make sure the gomod also does the vendoring?
  • what exactly does the docker dependabot do ? base image security checks?

@GoliathLabs
Contributor Author

Thank you for the answer. Dependabot takes care of the vendoring as well (https://github.blog/changelog/2020-10-19-dependabot-go-mod-tidy-and-vendor-support/)

The docker dependabot checks whether a new version of the docker image is released (e.g. a new tag from 1.10.2 to 1.11).

@GoliathLabs
Contributor Author

In the meantime, why are we using the matterbridge forks of e.g. Rocket.Chat.SDK, they are just behind the upstream master and I don't see any commits in there that would make using them useful?

@42wim
Owner

42wim commented Dec 19, 2021

> In the meantime, why are we using the matterbridge forks of e.g. Rocket.Chat.SDK, they are just behind the upstream master and I don't see any commits in there that would make using them useful?

Did you take a good look? :)

https://github.com/matterbridge/Rocket.Chat.Go.SDK/pulls?q=is%3Apr+is%3Aclosed

@42wim
Owner

42wim commented Dec 19, 2021

Please keep the schedule on monthly or at max weekly, I don't want to get daily PRs about dependencies that are not critical

@codeclimate

codeclimate bot commented Dec 19, 2021

Code Climate has analyzed commit 6f51c48 and detected 0 issues on this pull request.

View more on Code Climate.

@GoliathLabs
Contributor Author

GoliathLabs commented Dec 19, 2021

> > In the meantime, why are we using the matterbridge forks of e.g. Rocket.Chat.SDK, they are just behind the upstream master and I don't see any commits in there that would make using them useful?
>
> Did you take a good look? :)
>
> https://github.com/matterbridge/Rocket.Chat.Go.SDK/pulls?q=is%3Apr+is%3Aclosed

Sorry, I think I did overlook those. 😅

> Please keep the schedule on monthly or at max weekly, I don't want to get daily PRs about dependencies that are not critical

I've updated the interval
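For reference, a dependabot.yml that matches what this thread describes (gomod, docker and github-actions ecosystems on a monthly interval). This is an added illustration, not the file merged in this PR; the directory values are assumptions about where go.mod and the Dockerfile live.

```yaml
# Added example config, not the one merged in this PR.
version: 2
updates:
  # Go modules. Per the changelog linked above, Dependabot also runs
  # `go mod tidy` and `go mod vendor` when a vendor/ directory exists,
  # so no extra key is needed to keep vendored code in sync.
  - package-ecosystem: "gomod"
    directory: "/"            # assumed: go.mod at the repository root
    schedule:
      interval: "monthly"     # monthly as requested; "weekly" is the upper bound accepted here

  # Docker. Bumps the base-image tag in the Dockerfile (e.g. 1.10.2 -> 1.11).
  # This is a tag/version check, not a vulnerability scan of the image contents.
  - package-ecosystem: "docker"
    directory: "/"            # assumed: Dockerfile at the repository root
    schedule:
      interval: "monthly"

  # GitHub Actions. Bumps the `uses:` references in .github/workflows/*.yml.
  - package-ecosystem: "github-actions"
    directory: "/"            # for github-actions, "/" means .github/workflows
    schedule:
      interval: "monthly"
```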

@42wim 42wim merged commit e3ee0df into 42wim:master Dec 19, 2021
@42wim
Owner

42wim commented Dec 19, 2021

Thanks!
