feat(deps): update dependabot config and add support for @node-core #377
Pull Request Overview
This PR enhances dependency management by updating the Dependabot configuration and adding a custom workflow to handle @node-core/* packages that don't follow semantic versioning.
- Adds a new GitHub workflow to automatically upgrade @node-core/* dependencies weekly
- Reorganizes and expands Dependabot groups for better dependency management
- Excludes @node-core/* packages from Dependabot to avoid conflicts with the custom workflow
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
File | Description |
---|---|
.github/workflows/update-internal-dependencies.yml | New workflow to upgrade @node-core/* dependencies using npm view and jq |
.github/dependabot.yml | Updated dependency groups and excluded @node-core/* packages |
Comments suppressed due to low confidence (1)
.github/workflows/update-internal-dependencies.yml:22
- The actions/setup-node@v3.9.1 version does not exist. The latest v3 version is v3.8.1. Consider using v4.x.x for the most recent version.
uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3.9.1
We might need to use a bot PAT to run the CI, since GitHub Actions doesn't by default
Can you elaborate? 👀
SGTM
LGTM!
It's the same reason why @nodejs-github-bot performs dependency updates in https://github.com/nodejs/node. See https://docs.github.com/en/actions/concepts/security/github_token#when-github_token-triggers-workflow-runs.
Should I request a bot token from admin?
I'm low capacity this week, so if the bot token is the path forward? I thought the default token would be enough (the one GHA injects), if not, feel free to request a token from admin, or better said, ask them to configure it on this repo.
Unfortunately not, I'll open an issue.
branch: 'upgrade-node-core-deps' | ||
path: '.' | ||
env: | ||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
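Review bot: the env line GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} means the upgrade-node-core-deps pull request is opened with the default workflow token, and events created with that token do not start new workflow runs, so CI will not run on the generated PR. Suggest supplying a separate bot credential from a repository secret here, and adding a short comment above env: that says why the default token is not used.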
As requested by nodejs/admin#991, this should be
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
GITHUB_TOKEN: ${{ secrets.DOC_KIT_BOT_PAT }} |
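Review bot: the replacement line GITHUB_TOKEN: ${{ secrets.DOC_KIT_BOT_PAT }} swaps the per-run token for a stored personal access token, which stays valid outside this job. Suggest confirming the PAT is limited to this repository with only the contents and pull-request write permissions the PR-creation step needs, and keeping it in this step's env: rather than at job or workflow level.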
This PR improves our Dependabot groups, and adds support for updating @node-core/* packages, since Dependabot can't. (Because those packages don't currently follow semver)