
docs: publish Dependabot TRG #659

Merged: 3 commits, Mar 1, 2024
Conversation

tomaszbarwicki (Contributor)

PR to publish Dependabot Tractus-X Release Guideline (TRG-2.06):

(two screenshots attached)

@RoKrish14 (Contributor)

There is an open PR #60 related to dependabot.yml. The PR also addresses the necessary description in the security_tooling.md file.
@tomaszbarwicki Please feel free to drop a review.

@FaGru3n (Contributor) commented Feb 13, 2024

Hi @tomaszbarwicki, a bit unsure: will this also create the new one in our default docs/release directory? Currently GitHub shows me only the deletion of the file and not the move into a different directory.

@tomaszbarwicki (Contributor, Author)

> Hi @tomaszbarwicki, a bit unsure: will this also create the new one in our default docs/release directory? Currently GitHub shows me only the deletion of the file and not the move into a different directory.

@FaGru3n well spotted! fixed, thanks :)

@RoKrish14 (Contributor) left a comment

The entry of dependabot.yml to trg-2-6 is not relevant. The updates related to dependabot are maintained under sig-security. Check #60.

@FaGru3n (Contributor) commented Feb 13, 2024

> The entry of dependabot.yml to trg-2-6 is not relevant. The updates related to dependabot are maintained under sig-security. Check #60.

Hi @RoKrish14, guess then we will need a separate TRG for Dependabot (how to use it / have it present for the release) here on our webpage that could link to your files within sig-security, but we have to make it clear that security is part of our TRGs, but the hard requirements depend on your work.

So I guess @tomaszbarwicki wants to create this TRG, and if you also want to spread the word for security tools, maybe we can discuss the place, like moving Dependabot to the security-related TRGs under the upcoming point 8.

What do you think about that @tomaszbarwicki @RoKrish14 ?

@RoKrish14 (Contributor)

I agree with the need of "moving Dependabot to the security-related TRGs under the upcoming point 8", and @klaudiaZF is in the process of creating TRG 8.

@tomaszbarwicki (Contributor, Author)

Hi @RoKrish14, I'm open to moving it to the security section when it gets created. Shall we pause the PR or park it temporarily in the GIT section?

@RoKrish14 (Contributor)

@tomaszbarwicki: @klaudiaZF told me that your PR will go through with the necessary changes. Once approved, it could be moved to TRG 8.0.
So, I would say, let's do that; let's focus on this PR about Dependabot (Y). Later we can move it to TRG 8.

@FaGru3n requested a review from RoKrish14, February 26, 2024 10:07
FaGru3n previously approved these changes Feb 26, 2024
@FaGru3n (Contributor) left a comment

LGTM

@klaudiaZF (Contributor) left a comment

Can you add npm and Gradle to the YAML file and add information that the open pull request limit and interval can be set up based on team needs?

@RoKrish14 (Contributor)

> Can you add npm and Gradle to the YAML file and add information that the open pull request limit and interval can be set up based on team needs?

This won't be necessary.
There are other options too that can be enabled based on use case.

@tomaszbarwicki and @FaGru3n :
I would suggest we could rephrase (as present in security_tooling.md) to include the other options.

"A basic example of a dependabot.yml file, demonstrating configurations for Docker and npm dependencies (all options), is shown below: "
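The kind of dependabot.yml the review discusses, as an added illustration that is not the file from this PR, from the sig-security repository or from security_tooling.md: it covers the Docker and npm ecosystems named above plus the Gradle entry requested in review, and shows the schedule interval and open-pull-requests-limit that teams are expected to tune. The directory paths, the interval values, the limits and the grouping/ignore rules are assumptions chosen for the example:

```yaml
# Added example, not the project's own dependabot.yml.
# Lives at .github/dependabot.yml in the repository.
# Directory paths, intervals, limits and the groups/ignore rules below
# are assumptions; each team sets them to match its repository.
version: 2
updates:
  # Docker base images referenced by the Dockerfile at the repository root
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"          # daily, weekly or monthly; team's choice
    open-pull-requests-limit: 5   # cap on concurrent Dependabot PRs (Dependabot's default is 5)
    labels:
      - "dependencies"
      - "docker"

  # npm packages declared in frontend/package.json (path is an assumption)
  - package-ecosystem: "npm"
    directory: "/frontend"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    # Optional: bundle minor and patch bumps into a single PR to keep review load down
    groups:
      minor-and-patch:
        update-types:
          - "minor"
          - "patch"
    # Optional: hold back major bumps of one package until the team plans the migration
    ignore:
      - dependency-name: "express"   # placeholder dependency name
        update-types: ["version-update:semver-major"]

  # Gradle build dependencies (build.gradle / build.gradle.kts at the root)
  - package-ecosystem: "gradle"
    directory: "/"
    schedule:
      interval: "monthly"
```

Every `updates` entry follows the same shape (ecosystem, directory, schedule), so adding another ecosystem is a matter of appending an entry; the full list of supported `package-ecosystem` values is in GitHub's Dependabot documentation. A higher `open-pull-requests-limit` surfaces vulnerable dependencies sooner but raises the review load, which is why the review asked for the limit and interval to be presented as team-configurable rather than fixed.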

@tomaszbarwicki (Contributor, Author)

@klaudiaZF, @RoKrish14: incorporated your suggestions, added more description to the Dependabot config sample informing about the ability to customize certain parameters, and included as well the link pointing to the available ecosystem packages. Does that address your view? -> 666c60c

@RoKrish14 (Contributor)

> @klaudiaZF, @RoKrish14: incorporated your suggestions, added more description to the Dependabot config sample informing about the ability to customize certain parameters, and included as well the link pointing to the available ecosystem packages. Does that address your view? -> 666c60c

Yes, thanks a lot.

@RoKrish14 (Contributor) left a comment

Looks complete to me 👍

@FaGru3n (Contributor) left a comment

LGTM

@tomaszbarwicki merged commit 8443ef4 into main, Mar 1, 2024
4 of 5 checks passed
@tomaszbarwicki deleted the docs/publish_dependabot_trg branch, March 1, 2024 12:08