
Standardize Dependabot configs on "Maven weekly, GitHub Actions monthly." #478


Merged
merged 1 commit into from
Mar 21, 2025

Conversation

copybara-service[bot]

Standardize Dependabot configs on "Maven weekly, GitHub Actions monthly."

This includes:

  • setting up Dependabot at all for a few projects
  • dropping GitHub Actions from weekly to monthly for the rest

My feeling on the latter is that GitHub Actions upgrades never feel urgent: Even when GitHub stopped supporting old versions of actions/cache, they gave plenty of warning. I'd also note that I don't think we've had trouble much (if ever?) with upgrades to GitHub Actions, so there's even less reason to fear batching of updates than usual. Given that, we might as well try to batch together as many updates as we can so as to marginally reduce toil. (And if an upgrade is ever truly urgent for security reasons, I expect that Dependabot would push us to it promptly, anyway, perhaps even for projects without a Dependabot config at all.)

RELNOTES=n/a
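A `.github/dependabot.yml` that matches the "Maven weekly, GitHub Actions monthly" standard described above, added here as an illustration rather than the file from this PR (the page does not show the diff); the `/` directory and the absence of any `groups` or `ignore` rules are assumptions:

```yaml
# Added illustration of the "Maven weekly, GitHub Actions monthly" standard.
# Not the file from this PR; the "/" directory is an assumption.
version: 2
updates:
  # Library dependencies: checked weekly so fixes reach the build promptly.
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "weekly"
  # Workflow actions: batched monthly, since action bumps have not been
  # urgent in practice (see the description above).
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"
```

The `schedule` interval governs version updates only; Dependabot security updates, where enabled for the repository, open pull requests when an advisory matches a dependency regardless of this interval, which is what makes the monthly cadence for Actions acceptable.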

@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@copybara-service copybara-service bot force-pushed the test_main_738898770 branch from 29eae3b to ebeb44d Compare March 21, 2025 20:47
…ly."

This includes:
- setting up Dependabot _at all_ for a few projects
- dropping GitHub Actions from weekly to monthly for the rest

My feeling on the latter is that GitHub Actions upgrades never feel urgent: Even when GitHub stopped supporting old versions of `actions/cache`, they gave plenty of warning. I'd also note that I don't think we've had trouble much (if ever?) with upgrades to GitHub Actions, so there's even less reason to fear batching of updates than usual. Given that, we might as well try to batch together as many updates as we can so as to marginally reduce toil. (And if an upgrade is ever truly urgent for security reasons, I expect that Dependabot would push us to it promptly, anyway, perhaps even for projects without a Dependabot config at all.)

RELNOTES=n/a
PiperOrigin-RevId: 739294702
@copybara-service copybara-service bot force-pushed the test_main_738898770 branch from ebeb44d to d99af51 Compare March 21, 2025 21:12
@copybara-service copybara-service bot merged commit d99af51 into main Mar 21, 2025
1 check passed
@copybara-service copybara-service bot deleted the test_main_738898770 branch March 21, 2025 21:12