From 7f169f079c0ffe21bd50a63b4bfbcc3cdae2a583 Mon Sep 17 00:00:00 2001 From: jason plumb <75337021+breedx-splk@users.noreply.github.com> Date: Mon, 16 Oct 2023 09:13:34 -0700 Subject: [PATCH] Add renovatebot as a dependency management option (#271) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * add renovatebot as an option * very important linting * very important linting * Update specification/repository.md Co-authored-by: Robert Pająk * update changelog * Update CHANGELOG.md --------- Co-authored-by: Robert Pająk --- CHANGELOG.md | 1 + specification/repository.md | 14 ++++++++++++++ 2 files changed, 15 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index c847575..e150cc3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,7 @@ - Require a CLA Assistant GitHub workflow. (#269) - Update the CLA notice in `CONTRIBUTING.md` template. (#269) +- Add Renovate as an acceptable alternative to Dependabot. (#271) ## [1.6.0] - 2023-09-14 diff --git a/specification/repository.md b/specification/repository.md index 5c4d365..ded293c 100644 --- a/specification/repository.md +++ b/specification/repository.md 
@@ -54,11 +54,25 @@ approval is granted, GDI repositories MUST NOT cut a GA release. - MUST lock the versions of all build dependencies (e.g. libraries, binaries, scripts, docker images) or vendor them; **EXCEPTION:** tools that are available out-of-the-box on the CI runner +- To help keep dependencies up to date, the repo MUST be configured with +[Dependabot](https://github.com/dependabot/dependabot-core) or [Renovate](https://github.com/apps/renovate). + +#### Dependabot + - MUST enable [Dependabot alerts](https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts) - MUST grant access to alerts for the approvers and maintainers teams - MUST enable [Dependabot security updates](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates) - MUST configure [Dependabot version updates](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates) +#### Renovate + +Follow the steps below if you want to use Renovate to update the dependencies. + +- MUST add the repo to the [list of Renovatebot repos](https://github.com/organizations/signalfx/settings/installations/41531652). +- MUST add a +[Renovate config file](https://docs.renovatebot.com/configuration-options/) +to the repo. + ### GitHub Actions - MUST use [GitHub
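Review bot: Placing the existing "MUST enable Dependabot alerts", "MUST grant access to alerts for the approvers and maintainers teams" and "MUST enable Dependabot security updates" bullets under the new `#### Dependabot` heading turns them into requirements that apply only when Dependabot is the chosen tool, so a repository that picks Renovate is no longer required to have vulnerability alerts or security updates at all, and the `#### Renovate` section adds nothing equivalent. Of the four Dependabot bullets only "MUST configure Dependabot version updates" is actually exclusive with Renovate; suggest keeping the alerts, alert-access and security-updates bullets above the "Dependabot or Renovate" choice (or repeating them under `#### Renovate`) so the security baseline is the same for both options. Two smaller points in the Renovate section: the "list of Renovatebot repos" link goes to an organization settings page that only organization admins can open, so the bullet should also say whom to ask to have the repo added; and "MUST add a Renovate config file to the repo" states no minimum content, so if this requirement is meant to be checkable the spec should say what the config is expected to contain. Style: "Follow the steps below if you want to use Renovate" is more informal than the MUST statements around it.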