Consider setting up dependabot to update submodule dependencies (IEC-2) #29
Dependabot has basic support for tracking and upgrading dependencies expressed using git submodules (https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#package-ecosystem). Consider setting it up for this repository to get notified whenever a dependency can be upgraded.
Note that we might need to wait for or contribute to dependabot/dependabot-core#1639 first, as currently dependabot will try to upgrade to the latest commit, not to the latest tag.
Comments
Done. I don't have any experience with dependabot, so I'll keep this issue open for future evaluation/discussion
Thanks @tore-espressif! The PRs opened by dependabot have two problems now:
Still even in this form they are useful as a hint/reminder to us that some dependency might be outdated. Edit: plus we need to remember to bump the version in idf_component.yml when the dependency is upgraded. So looks like we'll be taking over dependabot PRs anyway.
Given the above limitations, I'm thinking of adding a custom CI workflow instead of dependabot... This workflow could also update our idf_component.yml files and make the PRs mergeable.
This might be worth revisiting, especially since #146 adds two libraries which are known to sometimes have CVEs reported for them. It would be good to be able to get the new releases of these libraries published quickly.
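The two gaps raised in this thread, dependabot proposing the latest commit rather than the latest tag and the idf_component.yml version needing a matching bump, are what a custom workflow would have to cover. The following is an added example, not code from this project or from dependabot: it parses `git ls-remote --tags` output, reports whether the pinned submodule commit lags behind the newest release tag, and rewrites the manifest version. The tag pattern, the sample ls-remote output and the manifest layout are assumptions.

```python
"""Tag-aware submodule check (added example; not this project's code).

Dependabot's gitsubmodule support proposes the newest commit on the tracked
branch rather than the newest release tag (dependabot-core#1639). This helper
compares the pinned commit with the newest release tag instead and rewrites
the matching idf_component.yml version, as a custom workflow would need to.
"""
from __future__ import annotations
import re
from typing import Optional

# Assumption: release tags look like v1.2.3 or 1.2.3; anything else is ignored.
TAG_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")

def parse_ls_remote(output: str) -> dict[str, str]:
    """Map tag name -> commit sha from `git ls-remote --tags <url>` output.
    An annotated tag is listed twice: refs/tags/X (the tag object) and
    refs/tags/X^{} (the peeled commit). A submodule pointer records the
    peeled commit, so that sha takes precedence when present."""
    tags: dict[str, str] = {}
    for line in output.splitlines():
        parts = line.split(maxsplit=1)
        if len(parts) != 2 or not parts[1].startswith("refs/tags/"):
            continue
        sha, name = parts[0], parts[1][len("refs/tags/"):]
        if name.endswith("^{}"):
            tags[name[:-3]] = sha        # peeled commit overrides the tag object
        else:
            tags.setdefault(name, sha)   # kept only if no peeled entry follows
    return tags

def semver_key(tag: str) -> Optional[tuple[int, int, int]]:
    m = TAG_RE.match(tag)
    return tuple(int(x) for x in m.groups()) if m else None

def latest_release_tag(tags: dict[str, str]) -> Optional[str]:
    """Highest release tag by numeric version, or None if nothing matches."""
    ranked = [(semver_key(t), t) for t in tags if semver_key(t)]
    return max(ranked)[1] if ranked else None

def check_submodule(ls_remote_output: str, pinned_sha: str) -> dict:
    """Which release tag the submodule is pinned to, and whether a newer one exists."""
    tags = parse_ls_remote(ls_remote_output)
    latest = latest_release_tag(tags)
    current = next((t for t, s in tags.items() if s == pinned_sha and semver_key(t)), None)
    return {"current_tag": current, "latest_tag": latest,
            "outdated": latest is not None and tags[latest] != pinned_sha}

def bump_component_version(manifest: str, new_tag: str) -> str:
    """Rewrite the top-level `version:` of an idf_component.yml to match new_tag, keeping its quoting."""
    key = semver_key(new_tag)
    if key is None:
        raise ValueError(f"not a release tag: {new_tag}")
    version = ".".join(str(n) for n in key)
    return re.sub(r"""^(version:\s*)(["']?)[^"'\s]+\2""", rf"\g<1>\g<2>{version}\g<2>", manifest, count=1, flags=re.M)

# Constructed sample of what `git ls-remote --tags` prints for a library submodule (shortened shas).
SAMPLE_LS_REMOTE = """\
1111111 refs/tags/v1.0.0
aaaaaaa refs/tags/v1.0.0^{}
2222222 refs/tags/v1.1.0
bbbbbbb refs/tags/v1.1.0^{}
ccccccc refs/tags/nightly
"""
```

In a workflow, `pinned_sha` comes from `git submodule status` and the ls-remote text from `git ls-remote --tags <submodule-url>`; `check_submodule(...)["outdated"]` decides whether to open a PR.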