go-ceph is an important package that we consume. It is better to have
that as a separate rebase PR from Dependabot and not include it in the
general GitHub package group.
Signed-off-by: Niels de Vos <ndevos@ibm.com>
Golang dependencies are already grouped, but they only contain packages
from `github.com/golang*`. There are more Golang standard packages that
are located at `golang.org/x/*`. Because of the tight relationship
between these packages, it is more efficient to group updates together.
Signed-off-by: Niels de Vos <ndevos@ibm.com>
Enable dependabot raising PRs by groups to
reduce PRs and save CI resources.
This uses the beta groups feature of dependabot.
More details here:
https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
As per the documentation, `""` has to be mentioned for the schedule
interval value field. This commit ensures it and makes it consistent.
Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
Adding actions/retest to the dependabot configuration makes sure all
vendored packages will get updated when new releases are available.
Signed-off-by: Niels de Vos <ndevos@redhat.com>
When dependabot creates a PR, and another gets merged, the bot
automatically triggers a rebase. This will drop any approvals, causing
delays in the review/merge process.
The project uses Mergify to automatically rebase when needed, and
approvals are retained when Mergify rebases a PR. By disabling the
auto-rebasing done by dependabot, fewer rebases should be needed,
contributors only need to review once, and CI jobs are triggered less
often.
Signed-off-by: Niels de Vos <ndevos@redhat.com>
These dependencies are pulled in by k8s.io/kubernetes with version
v0.0.0. It is therefore required to use 'replace' in go.mod to select a
compatible version of the additional k8s.io packages.
Dependabot does not seem to update packages listed in 'replace', only
under 'require'. That means, the version updates done by Dependabot do
not have any effect, as the contents are replaced with a different
version anyway. Ignoring these packages prevents the creation of
non-functional PRs.
Signed-off-by: Niels de Vos <ndevos@redhat.com>
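
The settings these commit messages describe, combined into one `dependabot.yml` sketch. This is an added example, not the project's actual file; the group names, the `weekly` interval, the `/actions/retest` module directory and the two ignored k8s.io modules are assumptions.

```yaml
# Added example: consolidated sketch, not the project's own dependabot.yml.
# Group names, interval value and ignore entries are assumptions.
version: 2
updates:
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      # Quoted string value, as the schedule commit calls for.
      interval: "weekly"
    # Mergify handles rebases and keeps approvals, so Dependabot's
    # own auto-rebase is switched off.
    rebase-strategy: "disabled"
    groups:
      # Tightly related Go packages are updated in one PR.
      golang-dependencies:
        patterns:
          - "github.com/golang*"
          - "golang.org/x/*"
      # General GitHub-hosted packages, minus anything grouped above
      # and minus go-ceph, which gets its own PR.
      github-dependencies:
        patterns:
          - "github.com*"
        exclude-patterns:
          - "github.com/golang*"
          - "github.com/ceph/go-ceph"
    ignore:
      # Illustrative entries only: list every k8s.io module that go.mod
      # pins through 'replace', since updates under 'require' for those
      # modules have no effect.
      - dependency-name: "k8s.io/apiextensions-apiserver"
      - dependency-name: "k8s.io/cli-runtime"

  # Separate Go module for the retest action (directory is an assumption),
  # so its vendored packages are updated too.
  - package-ecosystem: "gomod"
    directory: "/actions/retest"
    schedule:
      interval: "weekly"
    rebase-strategy: "disabled"
```

A dependency that matches no group still gets its own pull request, which is how go-ceph ends up in a separate PR here.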