Systematic re-configuration of dependabot to update github actions monthly #636

Closed
consideRatio opened this issue Apr 1, 2023 · 4 comments

Comments

@consideRatio
Member

consideRatio commented Apr 1, 2023

In the January team meeting we decided to transition from daily/weekly updates to monthly updates of GitHub Actions.

I'll open PRs to reconfigure dependabot in all our repositories and reference this issue to centralize any discussion.

Planned dependabot entry

  # Maintain dependencies in our GitHub Workflows
  - package-ecosystem: github-actions
    directory: /
    labels: [ci]
    schedule:
      interval: monthly
      time: "05:00"
      timezone: Etc/UTC

Related - a decision about labels?

There are some GitHub repositories that configure dependabot to set labels on these updates, but we are not consistent about that. Since making all these PRs is a bit of a chore, I'd like to ask if we should, while doing it, standardize the labels we set on the PRs when bumping the GitHub Actions specifically.

If we set a label at all, it could for example be "maintenance", "dependencies", or "ci". I'm not strongly opinionated now that we reduce the frequency to monthly, but I'm leaning towards thinking the ci label is good for this to avoid cluttering the "maintenance" part of the github-activity generated changelog. I've used the "ci" label to label changes to GitHub workflows etc. that don't change the repository's main code (helm chart templates, python code, etc.), and "maintenance" for anything that does.

Question: is it okay that I also configure "ci" as a label systematically like below?

  # Maintain dependencies in our GitHub Workflows
  - package-ecosystem: github-actions
    directory: /
    labels: [ci]
    schedule:
      interval: monthly
      time: "05:00"
      timezone: Etc/UTC

Related - consistently name the file dependabot.yaml (instead of .yml)?

I went for it and updated the PRs not merged and added 3 PRs to update already merged PRs with this rename from .yml to .yaml. I think about half of the repos were using .yml and .yaml respectively.

There is no real benefit to having either .yaml or .yml, both work - I have a preference for sticking to one option, and preferably also with .yaml because that's what almost all other YAML files are in helm charts etc.

Repositories with dependabot bumping github actions

@minrk
Member

minrk commented Apr 3, 2023

> it okay that I also configure "ci" as a label systematically like below?

I definitely agree that they should not get the maintenance label (at least not by default). I've no objection to the "ci" label (assuming this is only applying to github actions dependabot and not npm or pip), but don't personally have a preference for it over no label. If you have a preference and are doing the work, go for it!

@consideRatio
Member Author

consideRatio commented Apr 4, 2023

@minrk I opened a bunch of PRs for all the repos, ci label applied, they are all linked from the issue's top comment.

@consideRatio
Member Author

I'd like to get these systematically reviewed/merged and ensure all PRs get merged at a similar time. Is it okay if I self-merge before the weekend?

@consideRatio
Member Author

Self merged these after checking for mistakes on each separate PR!
