Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Dependabot for Go module & GitHub Action dependencies #2179

Merged
merged 1 commit into from
Oct 16, 2024
Merged

Add Dependabot for Go module & GitHub Action dependencies #2179

merged 1 commit into from
Oct 16, 2024

Conversation

AndrewSirenko
Copy link
Contributor

Is this a bug fix or adding new feature?
N/A

What is this PR about? / Why do we need it?

Performing all dependency upgrades during the release process leads to delays when a certain upgrade contains breaking changes. Let's decrease the chance of release delays by spreading most of these updates out before we start a release, and automate that work with GitHub's Dependabot. Even better, dependabot cleanly shows release notes, changelogs, and even commits for each dependency it is upgrading in its PR.

See the new docs/updating-dependencies.md for an introduction to Dependabot and our project dependencies.

Let's start with a weekly cadence. If we find that too many dependencies occur in same PR such that troubleshooting breaking changes becomes challenging, we can switch to daily cadence (Dependabot will ensure only 1 PR per group is up at a time). I chose Wednesday mornings because it is after Windows patch Tuesdays.

I chose Dependabot over some other tool like Renovate because most other K8s projects use Dependabot, it requires no self-hosting because it is built-in to GH, and we don't need Renovate's custom configuration options today.

I will update our internal runbook after this merges.

What testing is done?

See the 3 PRs on my fork that dependabot rose:

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Oct 10, 2024
@github-actions GitHub Actions
Copy link

Code Coverage Diff

This PR does not change the code coverage

@ElijahQuinones
Copy link
Member

/retest

@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Oct 10, 2024
ElijahQuinones
ElijahQuinones approved these changes Oct 10, 2024
View reviewed changes
Copy link
Member

@ElijahQuinones ElijahQuinones left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thank you /lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 10, 2024
ConnorJC3
ConnorJC3 reviewed Oct 11, 2024
View reviewed changes
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 15, 2024
@AndrewSirenko AndrewSirenko force-pushed the add--dependabot branch 2 times, most recently from 3c3400d to 1c69de9 Compare October 15, 2024 19:47
ElijahQuinones
ElijahQuinones approved these changes Oct 15, 2024
View reviewed changes
Copy link
Member

@ElijahQuinones ElijahQuinones left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 15, 2024
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 16, 2024
@torredil
Copy link
Member

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 16, 2024
@ConnorJC3
Copy link
Contributor

/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ConnorJC3

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 16, 2024
@k8s-ci-robot k8s-ci-robot merged commit 486fbd0 into kubernetes-sigs:master Oct 16, 2024
18 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ConnorJC3 ConnorJC3 ConnorJC3 left review comments

@torredil torredil torredil left review comments

@ElijahQuinones ElijahQuinones ElijahQuinones approved these changes

Assignees

@torredil torredil

@ElijahQuinones ElijahQuinones

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@AndrewSirenko @ElijahQuinones @torredil @ConnorJC3 @k8s-ci-robot