Skip to content

Commit

Permalink
ci: make dependabot updates monthly and bump PR limit
Browse files Browse the repository at this point in the history 
It is currently only used for GitHub Actions.  The ones used in this
project rarely ever contain notable changes in their changelogs (in a
way that would cause a noticeable difference in our CI).

Also, there are weeks when most/all of the PR/commit activity is from
dependabot PRs being opened/merged.  For example, see the output of the
following command:

    git log --no-decorate --oneline 9a0db13..bef0850

So change the checks from weekly to monthly to reduce the noise.

Additionally, bump `open-pull-requests-limit` to 4, as it seems that we
only have 4 dependencies:

    $ git grep 'uses:' -- .github/ | sed -E 's/.*(uses: .*)@.*/\1/' |
      LC_ALL=C sort -u
    uses: actions/checkout
    uses: github/codeql-action/analyze
    uses: github/codeql-action/init
    uses: step-security/harden-runner

This should ensure that PRs can be opened against all of them when the
dependabot check is run.
  • Loading branch information
@kmk3
kmk3 committed May 13, 2024
1 parent bef0850 commit 8c671c2
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions .github/dependabot.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,5 +3,5 @@ updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 2
interval: "monthly"
open-pull-requests-limit: 4

0 comments on commit 8c671c2

Please sign in to comment.