Create dependabot.yml #1388

Closed

Contributor

@YisusChrist YisusChrist commented Aug 10, 2024

Closes #1387.

This will automatically open pull requests with updated dependencies detected on:

Just tested in my forked repository and I got pull requests like these ones:

image

Recommended steps

Under /settings/actions navigate to the section Workflow permissions and enable the option Allow GitHub Actions to create and approve pull requests:

image

YisusChrist and others added 10 commits August 10, 2024 22:54
Create automerge-dependabot-prs.yml

Bumps [actions/setup-dotnet](https://github.com/actions/setup-dotnet) from 3 to 4.
- [Release notes](https://github.com/actions/setup-dotnet/releases)
- [Commits](actions/setup-dotnet@v3...v4)

---
updated-dependencies:
- dependency-name: actions/setup-dotnet
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>

Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v3...v4)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3 to 4.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@v3...v4)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
@YisusChrist
Contributor Author

As mentioned in #1387, in order to set up an action to automatically merge the Dependabot pull requests, you can follow this guide: https://jhale.dev/posts/auto-merging-prs

@YisusChrist
Contributor Author

Also, sorry for the garbage in the commit history. I was messing with the actions and I didn't want those changes to be applied to the project.

@BartoszCichecki
Owner

No worries, and sorry for the late reply. How can we configure updates so that:

  1. some can be excluded - I want to exclude WPFUI since it's a large migration
  2. some can be set to update to beta versions - cswin32 is still in beta

@YisusChrist
Contributor Author

YisusChrist commented Aug 15, 2024

You can take a look at the official GitHub documentation for the dependabot.yml file to see all the options available. It is highly customizable.

For ignoring updates for dependencies, you can check the ignore section with all the recommendations and examples. My advice is to allow the bot to suggest updates for all the libraries and to ignore the individual pull request for the specific library you don't want to update. In case you want to allow automatic merging of bot pull requests, then you should configure the bot to ignore the library.

For the beta versions of the cswin32 package you can check the allow section and configure the bot with the library versions admitted.

This is a possible example of the final dependabot.yml with that configuration

version: 2
updates:
  # Enable version updates for nuget
  - package-ecosystem: nuget
    directory: "/"
    schedule:
      interval: daily
    # Configure the update settings
    ignore:
      # Exclude WPFUI from updates
      - dependency-name: WPFUI
    versioning-strategy: increase

  # Configure the update for cswin32 to allow beta versions
  - package-ecosystem: nuget
    directory: "/"
    schedule:
      interval: daily
    allow:
      # Allow updates to beta versions for cswin32
      - dependency-name: cswin32
        version-requirement: "*-beta"

  # Enable version updates for GitHub Actions
  - package-ecosystem: github-actions
    directory: "/"
    schedule:
      interval: daily

However, I have never developed any project in C#, thus I haven't tried the example provided. Take it more like a proof of concept, but you can end up with something very similar.
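
A lint pass over the proposed file, as an added example that is not part of the original comment or of Dependabot itself: it checks that each `package-ecosystem`/`directory`/`target-branch` combination appears only once under `updates`, and that `allow`/`ignore` entries use only documented sub-keys. The function name `lint_dependabot` and the key lists in `ENTRY_KEYS` are assumptions of this example; the embedded input is the configuration from the comment above with its comments removed and `schedule` written inline.

```ruby
require 'yaml'

# Constructed input: the dependabot.yml from the comment above (comments dropped).
CONFIG = <<~YML
  version: 2
  updates:
    - package-ecosystem: nuget
      directory: "/"
      schedule: {interval: daily}
      ignore:
        - dependency-name: WPFUI
      versioning-strategy: increase
    - package-ecosystem: nuget
      directory: "/"
      schedule: {interval: daily}
      allow:
        - dependency-name: cswin32
          version-requirement: "*-beta"
    - package-ecosystem: github-actions
      directory: "/"
      schedule: {interval: daily}
YML

# Assumption: sub-keys as listed in GitHub's dependabot.yml options reference.
ENTRY_KEYS = {
  'allow'  => %w[dependency-name dependency-type],
  'ignore' => %w[dependency-name versions update-types]
}.freeze

# Returns a list of findings; an empty list means both checks passed.
def lint_dependabot(yaml_text)
  updates = YAML.safe_load(yaml_text).fetch('updates', [])
  # Check 1: each (ecosystem, directory, target-branch) combination must be unique.
  keyed = updates.group_by { |u| u.values_at('package-ecosystem', 'directory', 'target-branch') }
  findings = keyed.select { |_, g| g.size > 1 }.map do |(eco, dir, _), g|
    "duplicate update entry: #{eco} #{dir} (x#{g.size})"
  end
  # Check 2: allow/ignore entries may only carry the documented sub-keys.
  updates.each_with_index do |u, i|
    ENTRY_KEYS.each do |section, known|
      (Array(u[section]).flat_map(&:keys).uniq - known).each do |k|
        findings << "updates[#{i}].#{section}: unsupported key '#{k}'"
      end
    end
  end
  findings
end

puts lint_dependabot(CONFIG)
```

On that input it reports the repeated `nuget` entry for `/` and the `version-requirement` key under `allow`.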

@BartoszCichecki
Owner

I will close this PR. I appreciate the input and in general agree with the concept. However, now that there aren't so many updates for LLT happening, this isn't a big deal.

Successfully merging this pull request may close these issues.

[FEAT]: Add dependabot.yml to automatically detect and update dependencies