Enable Dependabot version updates for Rust #52
Conversation
This enables grouped Dependabot version updates for Rust (`cargo`) dependencies. Previously, only GitHub Actions dependencies were updated with Dependabot in this repository; see ed59e97 (GitoxideLabs#43). The updates are grouped. So there is one one Dependabot version update PR for Rust dependencies per month, unless: - The Dependabot update check is manually triggered, *or* - `dependabot.yml` is changed (any change reruns update checks). Because Dependabot security updates are enabled, pull requests shall still be opened for those, immediately when an advisory enters the GHSA database, provided that Dependabot is actually able to create the update. (Dependabot security updates are separate from Dependabot version updates.)
|
Thank you, I really appreciate you setting up the repositories for a greatly improved security posture.
Indeed, but I'd also trust that dependency updates will be not ever be subtle enough to break the application unnoticed. |
This fixes a bug in the `dependabot.yml` configuration since GitoxideLabs#52, where we intend Dependabot to include the effect of `cargo update`, but this does not happen because `dependency-type: all` was not explicitly allowed. This does not make an analogous change to the Dependabot configuration for GitHub Actions, because `all` and `direct` currently have the same effect for them (and it is not obvious how it would work if that ever changes, or which we would prefer). For details on why this is needed for Dependabot to update most locked dependencies in `Cargo.lock` aside from the case where the update is done as part of updating a `Cargo.toml` dependency, see: - https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated#allowing-specific-dependencies-to-be-updated - https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference#dependency-type-allow
This fixes a bug in the `dependabot.yml` configuration since GitoxideLabs#52, where we intend Dependabot to include the effect of `cargo update`, but this does not happen because `dependency-type: all` was not explicitly allowed. This does not make an analogous change to the Dependabot configuration for GitHub Actions, because `all` and `direct` currently have the same effect for them (and it is not obvious how it would work if that ever changes, or which we would prefer). For details on why this is needed for Dependabot to update most locked dependencies in `Cargo.lock` aside from the case where the update is done as part of updating a `Cargo.toml` dependency, see: - https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated#allowing-specific-dependencies-to-be-updated - https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference#dependency-type-allow
This enables grouped Dependabot version updates for Rust (
cargo) dependencies. Previously, only GitHub Actions dependencies were updated with Dependabot in this repository; see ed59e97 (#43).The updates are grouped. So there is one one Dependabot version update PR for Rust dependencies per month, unless:
dependabot.ymlis changed (any change reruns update checks).Because Dependabot security updates are enabled, pull requests shall still be opened for those, immediately when an advisory enters the GHSA database, provided that Dependabot is actually able to create the update. (Dependabot security updates are separate from Dependabot version updates.)
Caveat
A possible reason not to enable Dependabot version updates is if the tests are not robust enough to most likely detect regressions arising from dependency changes. I am not knowledgeable enough about
cargo-smart-releaseto know if that could be a problem here.You have sometimes mentioned that the tests here would need expansion in order to facilitate the introduction of some new features, such as a feature to handle circular dependency relationships (discussed in GitoxideLabs/gitoxide#1510 and GitoxideLabs/gitoxide#1886).
However, my guess is that the tests as they currently stand might still be enough, taken together with reading changelogs, to catch most regressions that arise due to updating dependencies.
Integration considerations
This does not fix issue #50. For that, I have opened #51, in which I've updated all lockfile dependencies to their latest compatible versions. I recommend merging #51 before merging this PR, so that the first Dependabot version update PR better resembles what it would look like once actually in shape to be merged.
(If you don't want Dependabot version updates, then I recommend merging #51 and closing this PR unmerged.)
If this PR were merged before #51, it's not really a problem, but we would still probably want to fix issue #50 before merging a Dependabot version update PR that doesn't fix it, so things would be slightly more complicated and slightly more confusing.