From cadb67160a5b246be658dccfc16f503e48609c04 Mon Sep 17 00:00:00 2001
From: per1234
Date: Thu, 13 Jun 2024 11:18:51 -0700
Subject: [PATCH 1/2] Automatically assign per1234 to Dependabot PRs

As the primary maintainer of the project infrastructure, it is the responsibility of GitHub user per1234 to review and merge the pull requests automatically submitted by Dependabot for bumps of outdated project dependencies. Configuring Dependabot to automatically set the pull request assignment will slightly streamline that process.
---
 .github/dependabot.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index d81237c3..ed0b055b 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -6,12 +6,16 @@ updates:
   # See: https://docs.github.com/en/code-security/supply-chain-security/keeping-your-actions-up-to-date-with-dependabot
   - package-ecosystem: github-actions
     directory: / # Check the repository's workflows under /.github/workflows/
+    assignees:
+      - per1234
     schedule:
       interval: daily
     labels:
       - "topic: infrastructure"
   - package-ecosystem: npm
     directory: /
+    assignees:
+      - per1234
     schedule:
       interval: daily
     labels:
@@ -24,6 +28,8 @@ updates:
       - "version-update:semver-major"
   - package-ecosystem: pip
     directory: /
+    assignees:
+      - per1234
     schedule:
       interval: daily
     labels:

From 7a490d96a96a9e42604dae0d7d476507ff92557c Mon Sep 17 00:00:00 2001
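Review bot: The `assignees` block added in both hunks hard-codes the single username `per1234` in three separate update entries, and the file itself gives no hint why assignment is automatic; that rationale lives only in the commit message. A short comment above the first occurrence, e.g. `# Dependabot PRs are reviewed and merged by the infrastructure maintainer`, would keep the reasoning next to the config. Because the value is repeated three times, a maintainer handover means editing every `assignees` list, which is worth stating in that same comment.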
From: per1234
Date: Thu, 13 Jun 2024 11:19:10 -0700
Subject: [PATCH 2/2] Don't limit number of open Dependabot pull requests

The Dependabot service is used to keep the project dependencies updated. Thanks to the project's high quality validation infrastructure, the human effort required to complete a trivial version bump is minimal. However, some bumps may introduce breaking changes that would require a significant amount of effort to accommodate, or are blocked by external tasks. In this case, the Dependabot pull request can't be merged, but should be left open to track the need to perform the bump when it is feasible. This means that it should be expected that there will be regularly be a small number of Dependabot pull requests left open in the repository over long periods of time. The automated system is here to assist the human project maintainers, not as a tyrannical overlord, so this is the system working exactly as intended. By default, Dependabot is configured to stop submitting pull requests if it already has five open pull requests. This means that if it happens that the accumulation of intentionally on-hold pull requests reaches that number, the project stops receiving the easily handled trivial update PRs. This is very harmful because it results in the completely unnecessary use of outdated dependencies, and unnecessary challenging large bumps when pull requests start being submitted once more after the backlog is cleared. The harmful default configuration is hereby overridden by configuring the maximum open pull request limit at 100. This value was chosen as an arbitrary large number simply to functionally disable the limiting, rather than from any expectation that the actual number of open PRs can ever reach that count.
---
 .github/dependabot.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index ed0b055b..609bd502 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -8,6 +8,7 @@ updates:
     directory: / # Check the repository's workflows under /.github/workflows/
     assignees:
       - per1234
+    open-pull-requests-limit: 100
     schedule:
       interval: daily
     labels:
@@ -16,6 +17,7 @@ updates:
     directory: /
     assignees:
       - per1234
+    open-pull-requests-limit: 100
     schedule:
       interval: daily
     labels:
@@ -30,6 +32,7 @@ updates:
     directory: /
     assignees:
       - per1234
+    open-pull-requests-limit: 100
     schedule:
       interval: daily
     labels:
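Review bot: `open-pull-requests-limit: 100` is added in all three hunks with no in-file explanation, although the commit message stresses that 100 is an arbitrary large value meant to functionally disable the default cap rather than a count anyone expects to reach; a reader of the config alone will not see that reasoning. A comment above each occurrence, e.g. `# Effectively disables the default open-PR limit so intentionally on-hold PRs do not block trivial bumps`, would preserve it with the setting. Removing the cap also removes the brake on how many Dependabot PRs can be open at once, so the triage load on the assignee configured directly above may grow accordingly.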