Skip to content

Enhancement: Use dependabot#111

Merged
localheinz merged 1 commit intoJan0707:masterfrom
localheinz:feature/dependabot
Jun 14, 2020
Merged

Enhancement: Use dependabot#111
localheinz merged 1 commit intoJan0707:masterfrom
localheinz:feature/dependabot

Conversation

@localheinz
Copy link
Contributor

@localheinz localheinz commented Feb 5, 2020
edited
Loading

This PR

💁‍♂ This probably requires to set up Dependabot and disable Violinist - is this something you would be up for, @Jan0707?

@localheinz localheinz requested a review from Jan0707 February 5, 2020 09:43
@localheinz localheinz closed this Mar 1, 2020
@localheinz localheinz deleted the feature/dependabot branch March 1, 2020 09:32
@localheinz localheinz restored the feature/dependabot branch March 1, 2020 09:33
@localheinz localheinz reopened this Mar 1, 2020
@localheinz localheinz force-pushed the feature/dependabot branch from f7a7d54 to 2004768 Compare March 1, 2020 09:35
@localheinz localheinz force-pushed the feature/dependabot branch from 2004768 to b411eed Compare May 12, 2020 12:09
@Jan0707
Copy link
Owner

Jan0707 commented May 12, 2020

What's the benefit that we see here ?

@localheinz
Copy link
Contributor Author

localheinz commented May 12, 2020

@Jan0707

Dependabot can be configured to

  • update composer.json as well
  • automatically merge pull requests when the build passes

For reference, see https://dependabot.com/docs/config-file/.

I believe the most compelling argument is that pull requests can be automatically merged.

Apart from that, Dependabot has been acquired by GitHub and is the de-facto standard solution for updating dependencies for a wide range of package managers.

@localheinz
Copy link
Contributor Author

localheinz commented May 12, 2020

@Jan0707

Violinist currently updates composer.lock only, which is pretty much useless, as we run builds against lowest, locked, and highest versions.

@Jan0707
Copy link
Owner

Jan0707 commented May 12, 2020

I feel this would bind us even more to Github and its eco system. Is that a shared concern? If not then we could go ahead.

@Jan0707
Copy link
Owner

Jan0707 commented May 18, 2020

ping @localheinz
I assume you think this is a worthwhile trade-off ?

@localheinz localheinz force-pushed the feature/dependabot branch from b411eed to bba96b6 Compare June 14, 2020 22:40
@localheinz
Copy link
Contributor Author

localheinz commented Jun 14, 2020
edited
Loading

@Jan0707

With Dependabot moving natively into GitHub, I think that the switch makes a lot of sense.

In addition, the latest version of Dependabot allows updating GitHub Actions as well.

@localheinz localheinz merged commit 458c95a into Jan0707:master Jun 14, 2020
@localheinz localheinz deleted the feature/dependabot branch June 14, 2020 22:42
@violinist-bot violinist-bot mentioned this pull request Jun 23, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Jan0707 Jan0707 Awaiting requested review from Jan0707 Jan0707 is a code owner

Assignees

@Jan0707 Jan0707

Labels

enhancement

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@localheinz @Jan0707