Replace dependabot with GitHub Action #356
Conversation
One request (❗), and one suggestion (💡).
.github/workflows/update_deps.yml
Outdated
issues: write | ||
steps: | ||
- name: Update dependencies | ||
uses: imjohnbo/issue-bot@v3.3.4 |
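Review bot: `uses: imjohnbo/issue-bot@v3.3.4` references a mutable tag, so whoever controls that repository's tags can change the code this job runs with the `issues: write` permission granted above; pin to the full-length commit SHA of the revision you audited and keep the version as a trailing comment, e.g. `uses: imjohnbo/issue-bot@<full-commit-sha> # v3.3.4`, and keep the job's permissions limited to `issues: write`, which is all an issue-creating step requires.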
❗ GitHub had a list of things they recommend we do whenever using third party actions:
- Pin actions to a full length commit SHA
- Audit the source code of the action
- Pin actions to a tag only if you trust the creator
Can you do the first two items?
.github/workflows/update_deps.yml
Outdated
Update all project dependencies | ||
``` | ||
yarn upgrade-interactive --latest | ||
``` |
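Review bot: `yarn upgrade-interactive --latest` needs a terminal and cannot run unattended, so this block can only serve as instructions for a human (presumably the body of the generated issue); say so explicitly and add the steps a maintainer should take after upgrading (review the lockfile diff, run the test suite) so the upgrade process is documented in one place.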
💡 Do you have a checklist of things you do for the upgrade that we could knowledge share here? Also, it might be helpful to include commands for how you look at diffs of dependencies being upgraded, so everyone's process converges for how to do this.
LGTM! I've just added one suggestion to pin the GH Action commit sha instead of its tag. GH Security recommends this:
Pin actions to a full length commit SHA
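The "pin to a full-length commit SHA" recommendation raised in the review above (and in the earlier request) can be enforced mechanically. The following checker is an added example, not code from this PR or from GitHub: it scans a workflow for `uses:` references and flags any that point at a tag or branch instead of a 40-hex commit SHA. The sample workflow, including its SHA, is constructed for the demonstration.

```python
import re

# Constructed sample workflow (not the PR's actual file). The checkout SHA is a
# made-up placeholder, not a real commit of actions/checkout.
SAMPLE_WORKFLOW = """\
name: update-deps
on:
  schedule:
    - cron: "0 9 * * 1"
permissions:
  issues: write
jobs:
  update:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder)
      - uses: ./.github/actions/local-helper
      - name: Update dependencies
        uses: imjohnbo/issue-bot@v3.3.4
"""

# Matches `uses:` (optionally as a list item) and captures the reference up to
# whitespace, a quote, or a trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?(?P<ref>[^'\"#\s]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_uses(ref):
    """Return 'local', 'docker', 'sha', or 'tag' for one `uses:` reference."""
    if ref.startswith("./"):
        return "local"          # same-repo action: already under your control
    if ref.startswith("docker://"):
        return "docker"         # image refs need a digest check, out of scope here
    _action, sep, version = ref.partition("@")
    if not sep:
        return "tag"            # no ref at all floats on the default branch
    return "sha" if FULL_SHA_RE.match(version) else "tag"


def find_unpinned(workflow_text):
    """Return [(line_number, ref)] for every third-party action not pinned to a full SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and classify_uses(m.group("ref")) == "tag":
            findings.append((lineno, m.group("ref")))
    return findings


if __name__ == "__main__":
    for lineno, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is not pinned to a full-length commit SHA")
```

Running it against a real `.github/workflows/*.yml` file in CI turns the recommendation into a failing check rather than a review comment.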
Co-authored-by: Marcelo Salloum dos Santos <marcelo@stellar.org>
…-v2 into il-deps-gh-action
This will replace multiple issues from dependabot for a few individual dependencies with a single issue to update all of them (which is our practice).