feat!: Upgrade Node.js dependencies (Actions and Supported versions)#3498
Conversation
|
|
TODO: Once approved, in order to merge, update repository settings to
|
|
@jsclarridge can I tag you in for review on this one? |
As an incremental update to address the GitHub Actions versions that will be EOL by September, this looks good, although I think the use of |
On this repo we've not historically pinned by sha, but I'm thinking that we probably should, so I can make that change while addressing this comment too |
| # Keep the GitHub Actions up to date | ||
| - package-ecosystem: "github-actions" | ||
| directory: "/" | ||
| pull-request-branch-name: | ||
| separator: '-' | ||
| schedule: | ||
| interval: "weekly" | ||
| labels: | ||
| - 'type: dependencies' | ||
| - 'type: automerge' | ||
| groups: | ||
| github-actions: | ||
| patterns: | ||
| - '*' |
There was a problem hiding this comment.
I actually didn't know Dependabot handled sha-style actions dependency management, but it does: https://docs.github.com/en/code-security/reference/supply-chain-security/supported-ecosystems-and-repositories#github-actions
Dependabot updates the version documentation of GitHub Actions when the comment is on the same line, such as
actions/checkout@<commit> #<tag or link>oractions/checkout@<tag> #<tag or link>.
There was a problem hiding this comment.
I suggest leaving the Dependabot config as-is for now and create a separate follow-up issue to possibly make this change later. If we want Dependabot to manage the GitHub Actions updates, I'm not sure if we want them to be automerged. And we should probably add a cooldown period so that Dependabot would wait a certain amount of time before opening a PR to update the actions.
There was a problem hiding this comment.
Fair enough, I'll make the change!
For the cooldown, I opted for a weekly cadence with schedule.interval: weekly.
Or am I misunderstanding what you mean?
There was a problem hiding this comment.
I was referring to the cooldown option, which can be used in addition to schedule.interval. According to the documentation, there's a default cooldown of 3 days even if cooldown isn't set, but it may still be a good idea to set it to explicitly, and we may want a slightly longer cooldown, e.g., 7 days.
The version pin changes look good to me, but I left a comment/suggestion about the Dependabot config update. |
|
Oh fun, the npm endpoint that Yarn 3 relies on is being retired. It now returns a 410 instead of the json that Dangerfile.ts expects to parse: I'm going to bandaid it here with some comments pointing to the npm migration PR which will take care of it for good. |
Summary
TODO: Once approved, in order to merge, update repository settings to
See also: https://nodejs.org/en/about/previous-releases
Related Issues or PRs
closes: #3458
How To Test
Screenshots (optional)
Author & Maintainer checklist