Add dependabot config file #7431
Conversation
|
CC @oliverchang |
|
@jonathanmetzman due to a GitHub bug every fork receives PRs from Dependabot like https://github.com/evverx/oss-fuzz/pulls. It would be great if it was possible to switch from daily updates to weekly (or even monthly) updates to reduce the noise. It's also possible to limit the number of PRs Dependabot can create with |
|
In the meantime I unsubscribed from the notifications there and turned off GHActions so as not to clog up my GHActions pool. It seems to be the only way to deal with those PRs unfortunately. |
Oy, really silly of dependabot to do this. |
|
It was reported back in 2019 in dependabot/dependabot-core#2198 and I'm not sure why it hasn't been fixed. Renovatebot is better in this regard in the sense that it has to be enabled explicitly but it has its own issues. |
|
What are the issues Renovatebot has? Maybe well use it instead. |
|
I got rid of dependabot btw: #7453 |
|
Last time I checked it wasn't human-friendly. For example it just showed commit hashes instead of versions when dependencies were pinned to shas: evverx/systemd#30 |
|
:-\ Luckily it looks you might have been the only user hit by this https://github.com/search?q=dependabot+fork%3Aonly+%22bump+google-api-python-client+from+1.9.3+to+2.42.0+in+%2Finfra%2Fbuild%2Ffunctions%22&type=issues I guess to get the issue you need to:
|
I don't think I have ever enabled Dependabot there. I tried to investigate that in systemd/systemd#21343 but the scenario described there doesn't seem to be the only way to trigger it.
Yes it pops up once forks are updated. It can take some time but eventually every fork created before Dependabot is introduced seems to be hit by it. The latest example would be ssahani/systemd#9 (comment) where I was asked what was that. |
Related: #7425