Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add dependabot configuration file #207

Merged
merged 1 commit into from
Sep 17, 2023

Conversation

jrfnl
Copy link
Member

@jrfnl jrfnl commented Sep 12, 2023

Proposed Changes

This automatically enables Dependabot to:

  • Submit pull requests for security updates and version updates for Composer dependencies.
  • Submit pull requests for security updates and version updates for GH Action runner dependencies.

For Composer dependencies, a preference is given to widen the version restrictions instead of updating them to a new minimum. This is a deliberate choice as this package is a library, not an application.

The configuration has been set up to:

  • Run once a week.
  • Submit a maximum of 5 pull requests at a time. If additional pull requests are needed, these will subsequently be submitted the next time Dependabot runs after one or more of the open pull requests have been merged.
  • The commit messages for PRs submitted by Dependabot will be prefixed according the unofficial conventions used in this repo up to now.
  • The PRs will automatically be labelled with an appropriate label as already in use in this repo.

Additionally, for Composer updates, I've applied the following restrictions:

  • Only allow updates for "dev" dependencies, as non-dev dependencies (PHPCS, Composer Installers) will need a code review and likely warrant code changes.
  • Ignore major releases of the PHPUnit Polyfills package (= new PHPUnit major) as those generally require a managed update of the test suite.

Refs:

This automatically enables Dependabot to:
* Submit pull requests for security updates and version updates for Composer dependencies.
* Submit pull requests for security updates and version updates for GH Action runner dependencies.

For Composer dependencies, a preference is given to _widen_ the version restrictions instead of updating them to a new minimum.
This is a deliberate choice as this package is a library, not an application.

The configuration has been set up to:
* Run once a week.
* Submit a maximum of 5 pull requests at a time.
    If additional pull requests are needed, these will subsequently be submitted the next time Dependabot runs after one or more of the open pull requests have been merged.
* The commit messages for PRs submitted by Dependabot will be prefixed according the unofficial conventions used in this repo up to now.
* The PRs will automatically be labelled with an appropriate label as already in use in this repo.

Additionally, for Composer updates, I've applied the following restrictions:
* Only allow updates for "dev" dependencies, as non-dev dependencies (PHPCS, Composer Installers) will need a code review and likely warrant code changes.
* Ignore major releases of the PHPUnit Polyfills package (= new PHPUnit major) as those generally require a managed update of the test suite.

Refs:
* https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
* https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#versioning-strategy
@jrfnl jrfnl requested a review from a team September 12, 2023 15:55
@jrfnl jrfnl merged commit a7027aa into main Sep 17, 2023
22 of 97 checks passed
@jrfnl jrfnl deleted the feature/enable-and-configure-dependabot branch September 17, 2023 19:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants