Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Dependabot for non pinned dependencies #669

Merged
merged 1 commit into from Dec 26, 2023
Merged

Add Dependabot for non pinned dependencies #669

merged 1 commit into from Dec 26, 2023

Conversation

abelsromero
Copy link
Member

@abelsromero abelsromero commented Dec 26, 2023
edited

What kind of change does this PR introduce? (check at least one)

  • Bugfix
  • Feature
  • Documentation
  • Refactor
  • Build improvement
  • Other (please describe)

What is the goal of this pull request?

Automate maintenance of dependencies.
Dependabot is not perfect, but having used it for some time I find it helps. Even if the bump breaks something, at least we get a notification and we see that in CI and can decide what to do. The alternative is depending on time or strength to go through bumps and hope for the best.

Are there any alternative ways to implement this?
There are others. I only have first-hand knowledge Renovate, which I don't like for some companiy and data collection policies. In general, alternatives depend on extra configurations and authorizations, Dependabot being integrated in GitHub makes things easier.
Note: dependabot does text parsing, it does not really run a dependency analysis, which causes some errors, but it helps most of the times.

Pros compensate cons, but there are some:

  • Changelog is not updated, we'd need to document the AsciidoctorJ & JRuby versions on the release notes.
  • Maven and Java versions in CI are not covered.

Are there any implications of this pull request? Anything a user must know?

Not for users.

Is it related to an existing issue?

  • Yes
  • No

Finally, please add a corresponding entry to CHANGELOG.adoc

@abelsromero
Copy link
Member Author

I ran a test on a forked repo and immediately got image.

It does not cover all dependencies (missing some plugins), but shows that plugins and dependencies are handled. I expect the others to get PRs eventually in my experience.

@abelsromero abelsromero added the dependencies Pull requests that update a dependency file label Dec 26, 2023
@abelsromero abelsromero changed the title Add dependabot for non pinned dependencies Add Dependabot for non pinned dependencies Dec 26, 2023
@abelsromero abelsromero force-pushed the add-dependabot-for-non-pinned-dependencies branch 2 times, most recently from 2ad7928 to 6b05ae4 Compare December 26, 2023 16:30
@abelsromero abelsromero merged commit f45be4d into asciidoctor:main Dec 26, 2023
18 checks passed
@abelsromero
Add Dependabot
6b05ae4 
These are excluded:
* org.jruby:jruby, depends on AsciidoctorJ
* org.apache.maven:*, pinned Maven version
* org.apache.maven.plugin-tools:*, pinned Maven version
* org.apache.maven.doxia:*, pinned Maven Doxia version
* org.codehaus.plexus:*, pinned Maven version
* commons-io:commons-io, depends on Maven runtime
@abelsromero abelsromero deleted the add-dependabot-for-non-pinned-dependencies branch December 28, 2023 20:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@abelsromero