chore: allow dependabot to upgrade more dependencies #9619
Conversation
It had been configured to only allow security updates. Now that we've updated all the core dependencies, let it keep things up to date. Only have it run once a week since there will be many more updates now.
Hi team,
I'm currently reviewing this pull request and will have a full review up in a few minutes. In the meantime, here's a quick summary for you and other reviewers to get up to speed:
This PR, by plumpy, modifies the .github/dependabot.yml file to allow Dependabot to upgrade more dependencies than just security updates. Previously, the open-pull-requests-limit was set to 0, effectively only allowing security updates. This PR removes that limit and changes the update schedule from daily to weekly. The intent is to keep dependencies up-to-date more frequently, now that the core dependencies have been updated. The change involves updating the interval parameter in all the schedule blocks within the .github/dependabot.yml file from "daily" to "weekly", and removing the open-pull-requests-limit parameter.
The changes are limited to the .github/dependabot.yml file, specifically lines 10, 19, 24, 28, 32, 36, 40, 45, 50, 54, 58, 62, 66, 70, 74, and 77. All instances of "daily" have been replaced with "weekly" in the interval field of the schedule blocks. The lines 11-13 have been removed, which contained the open-pull-requests-limit parameter.
Here's a little haiku to lighten the mood:
Dependabot's hum,
Weekly updates, fresh and clean,
Codebase thrives now.
Thanks!
Gemini
This change looks good and will allow dependabot to manage more dependencies. Switching to weekly updates is a sensible choice given the expected increase in updates.
One potential improvement would be to consider grouping related package ecosystems together within each directory. This can improve readability and make it easier to manage the configuration in the future. For example, all the /integration/examples updates could be grouped together, and within that group, further organized by package ecosystem.
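To make the before/after shape of the configuration concrete, here is an added illustration of the change this PR describes together with the grouping idea from the review above. It is not the repository's actual .github/dependabot.yml; the package ecosystems, the "/" directory and the group name are assumptions chosen for the example (only "/integration/examples" comes from the thread).

```yaml
# Added illustration, not the project's own dependabot.yml.
# Ecosystems, "/" directory and the group name are assumed for the example.
version: 2
updates:
  # Before this PR every block looked like this: version updates were
  # effectively disabled, so only Dependabot security updates were opened.
  # - package-ecosystem: "github-actions"
  #   directory: "/"
  #   schedule:
  #     interval: "daily"
  #   # Security updates have their own PR limit, so setting this to 0 will only
  #   # allow security updates through.
  #   open-pull-requests-limit: 0

  # After this PR: no explicit open-pull-requests-limit (Dependabot's default
  # applies), so ordinary version updates are opened as well, and the cadence
  # is weekly so the larger volume of PRs stays reviewable.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"

  - package-ecosystem: "npm"
    directory: "/integration/examples"
    schedule:
      interval: "weekly"
    # Grouping, as suggested in review, collapses related bumps into a single
    # PR so one changeset is audited instead of many small ones.
    groups:
      example-dependencies:
        patterns:
          - "*"
```

The commented-out "before" block is kept next to the live one so the file itself records why the limit was once 0 and why it is now absent; leaving that context in the YAML is what the second review comment asks for.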
# Security updates have their own PR limit, so setting this to 0 will only | ||
# allow security updates through. | ||
open-pull-requests-limit: 0 | ||
interval: "weekly" |
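Review bot: the hunk drops the explanatory comment ("Security updates have their own PR limit, so setting this to 0 will only allow security updates through") along with open-pull-requests-limit: 0, so the file no longer records that security updates and version updates are limited separately. Keep a one-line comment at the same spot stating that version updates are now enabled and no explicit limit is set, so a future maintainer does not reintroduce the 0 thinking it was lost by accident.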
Since the open-pull-requests-limit is being removed to allow all updates, consider adding a comment explaining this decision. This will help future maintainers understand the configuration.
interval: "weekly" | |
interval: "weekly" | |
# Removing open-pull-requests-limit to allow all updates |
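Review bot: the suggested comment "# Removing open-pull-requests-limit to allow all updates" describes the edit rather than the resulting configuration, so it reads oddly once the change has landed and nothing is being removed any more. Phrase it as state instead, for example "# Version updates enabled; no explicit open-pull-requests-limit, so the default applies", which stays accurate for the next reader of the file.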