Commit
ci: disable dependabot non-security updates (#537)
- similar to Workflows, most of the automated updates from dependabot here cause problems, a lot of noise, and use up CI time, all without much benefit
  - most often are small patch updates of devDeps that don't affect our usage of them
    - and then subsequent PRs for each individual patch bump etc.
    - the vast majority of PRs in this repo are these updates -- noise would be an understatement
  - some also cause a lot of breakage when they pass CI but break something in a way that doesn't have an automated test
    - given that this repo is not maintained much, no one is there to detect that or to ensure deps were properly updated
    - so instead this causes breakage that goes unnoticed or unmentioned for _months_
  - less frequent, manual updates are much, much safer than this as such
    - and since it isn't really maintained, leaving it in a consistent, working state is also much better than an unknown, potentially broken state
    - any dep updates should be _intentional_

- Note that this intentionally _does not_ impact security updates. Security updates will still happen automatically
  - per the [linked docs](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#open-pull-requests-limit):
    > This option has no impact on security updates, which have a separate, internal limit of ten open pull requests.
  - that is why I specifically used this configuration

- also re-order the package ecosystems and add some comments [equivalent to Workflows](https://github.com/argoproj/argo-workflows/blob/66680f1c9bca8b47c40ce918b5d16714058647cb/.github/dependabot.yml#L3)
  - could potentially split NPM prod and devDeps in these two as well, but I think this is fine for now

Signed-off-by: Anton Gilgur <[email protected]>
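The setting the commit relies on, shown as an added illustration rather than the repository's own `.github/dependabot.yml`: `open-pull-requests-limit: 0` switches off version-update PRs for an ecosystem while Dependabot security updates keep arriving under their separate internal limit. The ecosystems, directories and schedule below are assumptions for the example.

```yaml
# Added example, not the repository's own file. Ecosystems, directories and
# schedule are assumed; only the open-pull-requests-limit behaviour is the point.
version: 2
updates:
  # Before: with no limit set, GitHub's default of five open version-update PRs
  # per ecosystem lets Dependabot raise a PR for every patch bump of every
  # devDependency, which is the noise the commit message describes.
  # - package-ecosystem: "npm"
  #   directory: "/"
  #   schedule:
  #     interval: "weekly"

  # After: a limit of 0 disables version updates for that package manager.
  # Per the GitHub docs linked in the commit, this option has no effect on
  # security updates, which have their own internal limit of ten open PRs,
  # so vulnerable dependencies still get an automatic fix PR.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 0

  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 0
```

Security updates still require Dependabot security updates to be enabled in the repository's security settings; the `dependabot.yml` limit only governs version updates.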