[rfc] switch from dependabot to renovate? #4341

Open
cyphar opened this issue Jul 9, 2024 · 3 comments
Comments

@cyphar
Member

cyphar commented Jul 9, 2024

On the private repo, dependabot produces a lot of spam (so much so that there are stories in dependabot/dependabot-core#2804 of it exhausting the billing cap of an organisation). They have added a mitigation for forks, but for a private copy that won't help us.

Some folks mentioned that renovate doesn't have this issue. Maybe we should look into whether switching is worth it or not?

In the meantime, I have the following saved reply which I've used for all of the spam PRs, which hopefully will reduce the spam:

@dependabot ignore this dependency

Closing because this is a fork and we do not want dependency update spam here.

###### This is a dependabot issue: `https://github.com/dependabot/dependabot-core/issues/2804`
@rata
Member

rata commented Jul 10, 2024

The runc-private seems to be a copy of the repo, so not a fork nor anything. Can't we just disable dependabot there? I can't see why we can't have a different configuration on a completely different repo.

It seems to be disabled now, btw. Maybe you did that?

@cyphar
Member Author

cyphar commented Jul 11, 2024

You can't make private forks, so we had to make a copy.

AFAICS you can't disable dependabot if there is a config file in the repo. At the bottom of dependabot/dependabot-core#2804 they mention that they are considering expanding the ability to disable dependabot for non-forks, but at the moment you can't disable it AFAICS (there's no disable button in the settings panel for dependabot/security scanners).

I use a saved reply to mass-disable dependabot notifications for individual dependencies (for all of the PRs it had opened), but that doesn't mean it won't ping for a different dependency in the future.
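For a private copy that has to keep a `dependabot.yml` in place, the documented per-ecosystem switch for stopping version-update pull requests is `open-pull-requests-limit: 0` (the default is 5 open PRs). The file below is an added example, not the runc project's own configuration or anything posted in this thread; the `gomod` and `github-actions` ecosystems and the weekly schedule are assumptions chosen for illustration.

```yaml
# Added example, not the project's own .github/dependabot.yml.
# Goal: keep a valid config file in the private copy but stop
# version-update pull requests from being opened for every ecosystem.
# The ecosystems and schedule below are assumptions.
version: 2
updates:
  - package-ecosystem: "gomod"          # assumption: Go modules
    directory: "/"
    schedule:
      interval: "weekly"
    # 0 disables version-update PRs for this ecosystem entirely.
    # Without this line the default limit is 5 open PRs, and Dependabot
    # keeps opening new ones as old ones are closed.
    open-pull-requests-limit: 0

  - package-ecosystem: "github-actions" # assumption: workflow actions
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 0
```

This only affects Dependabot version updates. Dependabot security updates are governed by the repository's code-security settings rather than this file, and the 90-day automatic deactivation (after the last push or interaction) applies separately to both kinds of update, so a config like this is a way to stop the spam immediately rather than waiting the 90 days out.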

@rata
Member

rata commented Jul 11, 2024

Oh, thanks. It seems if we let it rot for 90 days, it should auto-stop: https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-automatic-deactivation-of-dependabot-updates

And it is the same for version updates: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates#about-automatic-deactivation-of-dependabot-updates

I wonder if that would do the trick for us?

I'm not against switching to renovate, but I haven't done any due diligence to know we can trust them.
