Niels de Vos
b7955ec0ee
ci: disable dependabot PR creation for /api dependencies
...
Dependabot does not need to report available updates for vendored
dependencies in the downstream repository. Updates to dependencies are
synced from the upstream repository when needed. There is also the
"Upstream First" requirement, which we follow closely.
See-also: https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates#open-pull-requests-limit
Signed-off-by: Niels de Vos <ndevos@ibm.com>
2023-02-28 09:55:01 +01:00
OpenShift Merge Robot
ce40a55de7
Merge pull request #158 from ceph/devel
...
sync downstream devel with upstream devel
2023-02-22 07:10:49 +01:00
Niels de Vos
773d2df564
ci: no need to run multi-arch-build for /actions/retest
...
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2023-02-20 14:18:15 +00:00
Niels de Vos
3a28b0f370
ci: add /api to dependabot configuration
...
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2023-02-20 14:18:15 +00:00
OpenShift Merge Robot
cddb85a3f9
Merge pull request #150 from ceph/devel
...
sync downstream devel with upstream devel
2022-11-15 09:15:52 +00:00
Humble Chirammal
95dac056f2
ci: fix formatting for the interval in dependabot configuration
...
As per the documentation, `""` has to be mentioned for the schedule
interval value field. This commit ensures it and makes it consistent.
Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2022-11-15 03:34:37 +00:00
Niels de Vos
7aba15aa13
ci: disable dependabot PR creation for Actions
...
Dependabot does not need to report available updates for vendored
dependencies in the downstream repository. Updates to dependencies are
synced from the upstream repository when needed. There is also the
"Upstream First" requirement, which we follow closely.
See-also: https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates#open-pull-requests-limit
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2022-06-21 08:40:03 +02:00
OpenShift Merge Robot
2858b11f92
Merge pull request #96 from ceph/devel
...
Sync upstream devel to downstream devel
2022-05-26 03:59:13 -04:00
Naveen
09f8ee0f3f
ci: Included githubactions in the dependabot config
...
This should help with keeping the GitHub actions updated on new
releases. This will also help with keeping it secure.
Dependabot helps in keeping the supply chain secure:
https://docs.github.com/en/code-security/dependabot
GitHub actions up to date:
https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot
dependency-update-tool:
https://github.com/ossf/scorecard/blob/main/docs/checks.md
Signed-off-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
2022-05-05 09:57:57 +00:00
OpenShift Merge Robot
2001161c78
Merge pull request #43 from ceph/devel
...
sync downstream devel with upstream devel branch
2021-11-19 06:01:12 +01:00
Niels de Vos
5c59a89b02
ci: add actions/retest to dependabot checks
...
Adding actions/retest to the dependabot configuration makes sure all
vendored packages will get updated when new releases are available.
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-11-18 07:52:29 +00:00
Niels de Vos
b95f3cdcbc
ci: do not let dependabot automatically rebase
...
When dependabot creates a PR, and another gets merged, the bot
automatically triggers a rebase. This will drop any approvals, causing
delays in the review/merge process.
The project uses Mergify to automatically rebase when needed, and
approvals are retained when Mergify rebases a PR. By disabling the
auto-rebasing done by dependabot, fewer rebases should be needed,
contributors only need to review once, and CI jobs are triggered less
often.
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-11-03 03:25:08 +00:00
Niels de Vos
f7a024cf7b
ci: disable dependabot PR creation
...
Dependabot does not need to report available updates for vendored
dependencies in the downstream repository. Updates to dependencies are
synced from the upstream repository when needed. There is also the
"Upstream First" requirement, which we follow closely.
See-also: https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates#open-pull-requests-limit
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-09-01 08:46:09 +02:00
Niels de Vos
e08d184984
ci: ignore k8s.io/kubernetes dependencies
...
These dependencies are pulled in by k8s.io/kubernetes with version
v0.0.0. It is therefore required to use 'replace' in go.mod to select a
compatible version of the additional k8s.io packages.
Dependabot does not seem to update packages listed in 'replace', only
under 'require'. That means, the version updates done by Dependabot do
not have any effect, as the contents are replaced with a different
version anyway. Ignoring these packages prevents the creation of
non-functional PRs.
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-08-31 09:03:12 +00:00
Niels de Vos
c17b3f69bd
ci: add dependabot config for updating vendored packages
...
Vendored dependencies need updating on a regular basis. This is currently
done manually by developers, but it can be automated by Dependabot. By
dropping the dependabot.yml config file in the .github/ directory the
bot should get enabled.
See-also: https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/enabling-and-disabling-version-updates
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-08-30 13:51:49 +00:00