Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adopt grouping for security updates #3985

Open
grayside opened this issue Apr 3, 2024 · 2 comments
Open

Adopt grouping for security updates #3985

grayside opened this issue Apr 3, 2024 · 2 comments
Labels
priority: p3 Desirable enhancement or fix. May not be included in next release. samples Issues that are directly related to samples. triage me I really want to be triaged. type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design.

Comments

@grayside
Copy link
Contributor

grayside commented Apr 3, 2024

golang-samples seems to use both renovate and dependabot for security updates. Further, while renovate groups security updates, dependabot sends one PR per sample.

This combination creates a lot of noise and a lot of work that would benefit from deduplication and batching.

Proposed Options

  1. Turn off dependabot and rely on Renovate for security updates
  2. Turn off security updates in Renovate and rely on Dependabot. And adopt the new dependabot grouping option
@grayside grayside added priority: p3 Desirable enhancement or fix. May not be included in next release. triage me I really want to be triaged. type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design. labels Apr 3, 2024
@product-auto-label product-auto-label bot added the samples Issues that are directly related to samples. label Apr 3, 2024
@grayside
Copy link
Contributor Author

I've looked some more into Renovate's support for Vulnerability fixes.

https://docs.renovatebot.com/configuration-options/#vulnerabilityalerts is a configuration block that allows us to do things like have a custom schedule for frequency on checking for updates. Currently this is default for the repository, which in theory means that Renovate is running something like "continuously". We could give it an explicit schedule.

Here's an example of a Renovate PR: #4106
I especially like the details inlined to the PR.

We can also use turn off vulnerability alerts, and leave this to dependabot. I find dependabot PRs to be less informative, but that would have the benefit of being able to have extra clarity on which types of updates each tool performs.

@subfuzion
Copy link
Contributor

@grayside Agree that the details in the Renovate PR look good. OTOH, good to know that Dependabot now offers a grouping option. I thought I heard a mention yesterday about an issue or concern with Renovate, but can't recall now; is Dependabot preferred at the moment? Are you steering toward something common for all repos? cc/@muncus

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
priority: p3 Desirable enhancement or fix. May not be included in next release. samples Issues that are directly related to samples. triage me I really want to be triaged. type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@subfuzion @grayside