
Add/Update Dependabot configuration files to/in select GitHub repos used by our team(s) #175

Closed
WadeBarnes opened this issue Mar 21, 2024 · 10 comments

Comments

@WadeBarnes
Member

Add or update Dependabot Configuration files to/in select repositories to better automate updates and dependency management of the associated code.

By default, Dependabot scans repositories containing dependency lock files for updates to address vulnerabilities. This behavior can be extended to include scanning code within a repository for updated versions. We've started using this feature for maintaining the dependencies for GitHub actions across several BCGov, Hyperledger, and Open Wallet Foundation repos, and we'd like to expand that to the rest of the code base(s).

Approach:

  1. Determine which repositories should be considered in scope for this task. Repositories from the bcgov, hyperledger, and openwallet-foundation organizations should be considered. Discuss with the DITP team members and the community members actively working on the code within these various organizations to compile a list of candidate repositories.
  2. Determine the most appropriate Dependabot configuration settings for each repository. Settings are expected to vary from repository to repository based on the associated code base. Discuss with the DITP team and the community members who are actively contributing and maintaining code within the identified repositories to determine the most appropriate settings.
  3. Draft PRs for each selected repository, complete with the Dependabot configuration settings designed for each repository.

Acceptance Criteria:

  1. Acceptance criteria may vary depending on the repository and the community maintaining it. Acceptance will ultimately be decided by maintainer review and approval of the submitted PR. However, in general it is expected to be based on a complete, functional, and easily maintainable Dependabot configuration file containing settings appropriately configured for the given repository.
@WadeBarnes
Member Author

WadeBarnes commented Mar 27, 2024

Thanks @rajpalc7. The following queries provide a more complete list of the candidate repositories in each of the Organizations:

@rajpalc7
Contributor

rajpalc7 commented Mar 27, 2024

Thanks @WadeBarnes. I noticed some of the repositories already have a dependabot.yml in them. If we are planning to update it, how would you like the new update to look?

@WadeBarnes
Member Author

> Thanks @WadeBarnes. I noticed some of the repositories already have a dependabot.yml in them. If we are planning to upgrade them, how would you like the new upgrade to look?

Add or update Dependabot Configuration files. That's what the ticket asks for.

What, if anything, needs to be added or updated depends on the repository, the code it contains, and how well the existing configuration manages the code within that repository. So without a specific example, I can't really answer that question.

A general example:

  • Repository contains GitHub Actions and Python code.
  • Existing Dependabot Configuration file only contains configuration to manage dependencies on GitHub Actions.
  • Expected Action: Update the Dependabot Configuration file to also manage the dependencies for the Python code.

@rajpalc7
Contributor

rajpalc7 commented Mar 28, 2024

BC Gov Repositories:

@rajpalc7
Contributor

rajpalc7 commented Apr 2, 2024

HYPERLEDGER:

OPENWALLET:

@WadeBarnes
Member Author

Based on developer feedback we've determined that filtering of the version update recommendations is required to minimize PR "noise". Refer to openwallet-foundation/acapy-vc-authn-oidc#465 for an example.
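The general example given earlier in the thread (a repository with GitHub Actions and Python code whose existing configuration only covers the Actions) combined with the noise filtering this comment asks for, written out as a constructed before/after `dependabot.yml`. This is an added illustration, not a file from any of the repositories in the lists or from the referenced PR; the ecosystems, `directory` values, schedule, grouping and `ignore` rules are assumptions to be adjusted per repository.

```yaml
# BEFORE (constructed example): only GitHub Actions workflows are covered,
# so the Python dependencies in this repository receive no version updates.
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
---
# AFTER (constructed example): the Python code is covered as well, and the
# version-update recommendations are grouped and filtered to limit PR noise.
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      # One PR per run for all action bumps instead of one PR per action.
      all-actions:
        patterns: ["*"]

  - package-ecosystem: "pip"
    # Assumed location of requirements.txt / pyproject.toml; adjust per repository.
    directory: "/"
    schedule:
      interval: "weekly"
    # Cap the number of concurrently open version-update PRs.
    open-pull-requests-limit: 5
    ignore:
      # Leave major bumps to a human, since they usually need code changes.
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
    groups:
      # Collapse minor and patch bumps into a single PR.
      python-minor-patch:
        patterns: ["*"]
        update-types: ["minor", "patch"]
```

Security updates for dependencies with known advisories are still raised regardless of the grouping, so the filtering only reduces the volume of routine version-bump PRs.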

@WadeBarnes
Member Author

Top 5 list of repositories to work on is being maintained here: #174 (comment)

@WadeBarnes
Member Author

WadeBarnes commented Apr 16, 2024

@rajpalc7, please check off the repositories in the lists above as you complete the tasks and the PRs are successfully merged.

@WadeBarnes
Member Author

WadeBarnes commented Apr 16, 2024

@rajpalc7, as we move forward please focus on and complete the work in the BC Gov repositories first. When you complete that, check in with @cvarjao and me on how to proceed with the Hyperledger and Open Wallet Foundation repositories.

@esune closed this as completed Nov 6, 2024