Add .github/dependabot.yml #15
Conversation
Pull Request Overview
This PR adds a Dependabot configuration file to help keep our dependencies and GitHub Actions up to date. Key changes include the introduction of daily update schedules for Go module dependencies and GitHub Actions workflows.
Yeah, I'm tempted to say limiting it to updating GitHub Actions could make sense; it's good to keep the actions up-to-date, but for Go versions, we could use the `cgroups/.github/workflows/test.yml` (line 20 in 9657f5a)
I guess ideally we'd have CodeQL check for vulnerabilities in the modules we use, and it could update those dependencies, but it's likely to have false-positives (so setting up a
To that end, you might enjoy opencontainers/image-spec@00584ff 👀
Thanks! The
I've updated the PR to exclude go.mod updates, and added a govulncheck run
govulncheck-action is a tad rusty; filed golang/go#73616 and opened a CL to fix: https://go-review.googlesource.com/c/govulncheck-action/+/670318
@thaJeztah PTAL
thaJeztah left a comment:
LGTM, thanks!
Review comment on these lines:
    # Runs at 00:00 UTC every Monday
    - cron: '0 0 * * 1'
These always drive me nuts; I once wrote a nice comment to document the fields (as it's very easy to get them wrong);
https://github.com/docker/cli/blob/8b8f558b8350d80530d39cae51d4d425d381a1ef/.github/workflows/codeql.yml#L23-L33
schedule:
# ┌───────────── minute (0 - 59)
# │ ┌───────────── hour (0 - 23)
# │ │ ┌───────────── day of the month (1 - 31)
# │ │ │ ┌───────────── month (1 - 12)
# │ │ │ │ ┌───────────── day of the week (0 - 6) (Sunday to Saturday)
# │ │ │ │ │
# │ │ │ │ │
# │ │ │ │ │
# * * * * *
- cron: '0 9 * * 4'
This used to be in the crontab(5) man page, but cron is now gone from the distros in favor of systemd.timer, so there's no documentation anymore.
Yeah, I'm pretty sure I originally copied it from somewhere; could've been from the man-page for sure!
Make sure our GitHub Actions stay up to date. Since this is a package (set of packages), we do not want to bump dependencies to the latest versions automatically, but only when it is really required, thus sticking to Go's minimum version selection rules (essentially so that users of these packages are not required to unnecessarily update their dependencies). Signed-off-by: Kir Kolyshkin <[email protected]>
This is to ensure our minimal dependencies do not have known vulnerabilities. NOTE we do not specify Go version to be used here to avoid reporting vulnerabilities in stdlib which we're not interested in here. Signed-off-by: Kir Kolyshkin <[email protected]>
This is to ensure our CI is not rotting away when there are no new PRs or merges. Signed-off-by: Kir Kolyshkin <[email protected]>
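The three commits above describe a policy rather than showing the files: Dependabot limited to GitHub Actions (go.mod left to minimum version selection), a govulncheck job that deliberately does not pin a Go version so stdlib findings are not reported, and a scheduled run so CI does not rot between PRs. The following is an added illustration of what such a pair of files can look like; it is not the configuration merged in this PR. The file names, the weekly interval, the `permissions` block and the `go-package` input of golang/govulncheck-action are assumptions made for the example.

```yaml
# .github/dependabot.yml (example file, not the one from this PR)
version: 2
updates:
  # Only the "github-actions" ecosystem is listed. There is no "gomod"
  # entry on purpose: bumping go.mod automatically would force every
  # consumer of this library onto newer module versions via MVS.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"   # assumed interval; the PR text mentions daily
---
# .github/workflows/vulncheck.yml (example file, not the one from this PR)
name: vulncheck

on:
  push:
  pull_request:
  schedule:
    # ┌───────────── minute (0 - 59)
    # │ ┌───────────── hour (0 - 23)
    # │ │ ┌───────────── day of the month (1 - 31)
    # │ │ │ ┌───────────── month (1 - 12)
    # │ │ │ │ ┌───────────── day of the week (0 - 6) (Sunday to Saturday)
    # │ │ │ │ │
    # * * * * *
    - cron: '0 0 * * 1'   # 00:00 UTC every Monday, keeps CI from rotting

permissions:
  contents: read          # assumed: read-only token is enough to scan

jobs:
  govulncheck:
    runs-on: ubuntu-latest
    steps:
      # No go-version-file / go-version-input is given on purpose: the
      # action then runs with the latest stable Go, so vulnerabilities in
      # the standard library (e.g. Windows-only ones irrelevant to this
      # Linux-only package) are not reported, and only findings in module
      # dependencies reachable from the code remain.
      - uses: golang/govulncheck-action@v1
        with:
          go-package: ./...   # assumed input name; check the action's README
```

The two documents are separated by `---` only so they fit in one listing; they live in separate files. If a stdlib finding should be reported after all, adding `go-version-file: go.mod` to the step pins govulncheck to the module's declared Go version and restores those reports.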
Hmm, I dunno what to do about the new govulncheck warning, as the vulnerability is Windows-specific and this package is Linux-specific, so we're definitely not vulnerable. The only way I see is to use the latest Go version so that standard library vulnerabilities will be excluded.
Hmm, this is actually the default way of using govulncheck-action. Let's just use it, as we're only interested in vulnerabilities in dependencies.
@AkihiroSuda ptal |
Make sure our dependencies and actions stay up to date.

PS I am not entirely sure that keeping all our go.mod dependencies at their latest released versions is quite the right approach. Maybe @thaJeztah has something to say about it.