[Infrastructure] Improve dependabot version updates


    • Type: Task
    • Resolution: Done
    • Priority: Unknown
    • Affects Version/s: None
    • Component/s: Infrastructure
    • Python Drivers

      Context

      zizmor recommends using the cooldown option for dependabot; it avoids spurious errors like the one we reported as https://github.com/zizmorcore/zizmor-action/issues/73.
      Note that this only affects version updates, not security updates.

      Additionally, it appears that if you do not add a version comment to a hash-pinned action, dependabot will attempt to bump it to a commit that isn't part of any release, which appears to have contributed to this problem.

      Definition of done

      Add cooldown to dependabot configurations, e.g.

        # update once a week, with a 7-day cooldown
        - package-ecosystem: github-actions
          directory: /
          schedule:
            interval: weekly
          cooldown:
            default-days: 7

      Also audit actions that use a hash to make sure they also use a version comment.
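One way to carry out that audit, as an added example that is not part of this ticket or of the driver repository: a stdlib-only Python script that scans workflow files for `uses:` references and reports hash pins that lack a version comment, as well as references that are not pinned to a commit hash at all. The sample workflow below, including its 40-hex-digit hashes, is a constructed placeholder; the regexes and the `Finding` type are this example's own.

```python
import re
import sys
from pathlib import Path
from typing import NamedTuple

# Matches a `uses:` step such as `actions/checkout@<ref>`, capturing the action
# name, the ref after `@`, and any trailing `# ...` comment on the same line.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.\-/]+)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>.*))?\s*$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")          # full commit hash
VERSION_RE = re.compile(r"^v?\d+(\.\d+){0,2}$")  # v4, v4.2, 4.2.2


class Finding(NamedTuple):
    line_no: int
    action: str
    ref: str
    problem: str


def audit_workflow(text: str) -> list[Finding]:
    """Return one Finding per `uses:` line that is not a hash pin with a version comment."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:  # not a remote `uses:` line (local ./actions and docker:// images have no name@ref)
            continue
        action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
        if SHA_RE.match(ref):
            # Hash pin: dependabot needs the `# vX.Y.Z` comment to track releases.
            if not comment or not VERSION_RE.match(comment.strip()):
                findings.append(Finding(line_no, action, ref, "hash pin without version comment"))
        else:
            # Tag or branch ref: mutable, so not a pin at all.
            findings.append(Finding(line_no, action, ref, "not pinned to a commit hash"))
    return findings


def audit_directory(root: Path) -> dict[str, list[Finding]]:
    """Audit every workflow under <root>/.github/workflows; keys are file paths."""
    results = {}
    for path in sorted(root.glob(".github/workflows/*.y*ml")):
        findings = audit_workflow(path.read_text(encoding="utf-8"))
        if findings:
            results[str(path)] = findings
    return results


# Constructed sample workflow (placeholder hashes, not real commits).
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
      - uses: actions/setup-python@89abcdef0123456789abcdef0123456789abcdef
      - uses: actions/cache@v4
      - name: Run tests
        run: pytest
"""


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for file, findings in audit_directory(Path(sys.argv[1])).items():
            for f in findings:
                print(f"{file}:{f.line_no}: {f.action}@{f.ref}: {f.problem}")
    else:
        for f in audit_workflow(SAMPLE_WORKFLOW):
            print(f"sample:{f.line_no}: {f.action}@{f.ref}: {f.problem}")
```

Run it with a repository root as the single argument to audit that repository's workflows, or with no arguments to see the two findings on the constructed sample (the `setup-python` hash pin with no comment, and the `cache` tag that is not a hash pin); the `checkout` line, a hash pin with a `# v4.2.2` comment, is the shape the ticket asks every action to have.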

      Pitfalls

      None

            Assignee:
            Noah Stapp
            Reporter:
            Steve Silvester
