
Upgrade to GitHub-native Dependabot #661

Merged
merged 4 commits into from
May 6, 2021

dependabot-preview[bot]
Contributor

Dependabot Preview will be shut down on August 3rd, 2021. In order to keep getting Dependabot updates, please merge this PR and migrate to GitHub-native Dependabot before then.

Dependabot has been fully integrated into GitHub, so you no longer have to install and manage a separate app. This pull request updates your config file to the new syntax. When merged, we'll swap out dependabot-preview (me) for a new dependabot app, and you'll be all set!

With this change, you'll now use the Dependabot page in GitHub, rather than the Dependabot dashboard, to monitor your version updates, and you'll configure Dependabot through the new config file rather than a UI.

Your previous schedule was set to live. This option is no longer supported in the new config file so it has been changed to daily.

You have configured automerging on this repository. There is no automerging support in GitHub-native Dependabot, so these settings will not be added to the new config file. Several 3rd-party GitHub Actions and bots can replicate the automerge feature.

If you've got any questions or feedback for us, please let us know by creating an issue in the dependabot/dependabot-core repository.

Learn more about migrating to GitHub-native Dependabot

Please note that regular @dependabot commands do not work on this pull request.

@dependabot-preview dependabot-preview bot added the dependencies label (Pull requests that update a dependency file) on Apr 28, 2021
@deivid-rodriguez deivid-rodriguez force-pushed the dependabot/add-v2-config-file branch from d8280e2 to a49ab4e Compare May 6, 2021 20:23
@deivid-rodriguez deivid-rodriguez force-pushed the dependabot/add-v2-config-file branch from a49ab4e to d7da553 Compare May 6, 2021 20:30
@deivid-rodriguez
Member

Alright, so this is what I came up with:

  • Let dependabot manage only our development dependencies.
  • Configure mergify on top of dependabot to merge all dependabot pull requests (they should be development dependencies only).
  • To fix the issue of dependabot unintentionally bumping the rails version of each Gemfile, configure it to only include lockfile updates, and let rails be the only dependency with a specific requirement on each Gemfile.
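
The constraints listed in the comment above (development dependencies only, lockfile-only updates) are what make blanket auto-merge of Dependabot pull requests tolerable, so they are worth checking mechanically. The following is an added example, not the project's own config or code: the function name `automerge_findings`, the sample config and its directory values are constructed placeholders.

```ruby
require "yaml"

# Constructed sample config (not the project's actual file); directory
# values are placeholders. The second entry lacks both restrictions.
SAMPLE_CONFIG = <<~CONFIG
  version: 2
  updates:
    - package-ecosystem: bundler
      directory: "/"
      schedule:
        interval: daily
      allow:
        - dependency-type: development
      versioning-strategy: lockfile-only
    - package-ecosystem: bundler
      directory: "/placeholder"
      schedule:
        interval: daily
CONFIG

# Hypothetical helper: returns a list of findings. An empty list means every
# bundler entry is limited to development dependencies and to lockfile-only
# updates, so an auto-merge rule cannot pull in a runtime dependency bump or
# a rewritten Gemfile requirement.
def automerge_findings(yaml_text)
  config = YAML.safe_load(yaml_text) || {}
  findings = []
  findings << "version must be 2" unless config["version"] == 2
  Array(config["updates"]).each do |entry|
    next unless entry["package-ecosystem"] == "bundler"
    where = "bundler #{entry['directory']}"
    types = Array(entry["allow"]).map { |rule| rule["dependency-type"] }
    unless types == ["development"]
      findings << "#{where}: allow must list only dependency-type development"
    end
    unless entry["versioning-strategy"] == "lockfile-only"
      findings << "#{where}: versioning-strategy must be lockfile-only"
    end
  end
  findings
end

puts automerge_findings(SAMPLE_CONFIG)
```

Run as a CI step against the repository's Dependabot config, a non-empty result would signal that the auto-merge rule now covers more than it was meant to.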

@deivid-rodriguez
Member

I'm unsure how to test this, so I guess we can go ahead and merge it and see how it goes.

@javierjulio
Member

Ok that sounds great to me! No problem, I think it's best to just go with this since we have to do it anyway. We'll be able to test/confirm as new dependency updates come in. Thank you! ❤️

Member

@javierjulio javierjulio left a comment

😎

@javierjulio javierjulio merged commit b637843 into master May 6, 2021
@javierjulio javierjulio deleted the dependabot/add-v2-config-file branch May 6, 2021 22:12