weekly builds #19
Comments
I've added this dependabot config to track the upstream OS and the python packages used. I haven't used dependabot before but it appears to be checking things correctly based off of this requirements.txt check and the related dockerfile check. It appears that dependabot can tell when the whole debian image is updated, but it is not clear to me it could tell that e.g., the optional Are you aware of anything fancy that can do that or should I just bundle a weekly build script as well?
Interesting, I was thinking of using the features of the repo here on GitHub, as opposed to a yaml file, but I don't know if there is an advantage one way or the other.
My original comment was in the context of security, and getting alerts in a timely fashion. Not so much version updates which in my mind was a poetry thing, but of course we don't have poetry on this app right now, so let's forge ahead with what you have and see what all we can get out of dependabot if that sounds good to you. On the docker side, our base image we're relying on seems to have about a monthly refresh cycle so if we're doing latest and building weekly, we'll pick that up rapidly enough (sans major security events). dependabot version updates and security updates
You can see what it's like to interact with dependabot here: https://github.com/UWIT-UE/slack-user-reconcile/pulls?q=is%3Apr+is%3Aclosed In UWIT-UE/slack-user-reconcile#14 you can see me conversing with dependabot.
A regularly refreshed image is needed to address security issues.
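
A scheduled rebuild of the kind discussed in this thread, written as an added example and not the project's own configuration. It assumes the repository builds with GitHub Actions and has a Dockerfile at the repository root; the workflow file name, cron time and image tag are placeholders.

```yaml
# .github/workflows/weekly-build.yml  (hypothetical path and name; added example)
name: weekly-build

on:
  schedule:
    # Mondays at 06:00 UTC; the day and time are arbitrary choices
    - cron: "0 6 * * 1"
  # Manual trigger for an out-of-cycle rebuild after a major security event
  workflow_dispatch:

# The job only needs to read the repository contents
permissions:
  contents: read

jobs:
  rebuild:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # --pull re-fetches the base image tag instead of reusing a local copy.
      # --no-cache re-runs every layer, so OS package installs in the
      # Dockerfile resolve to current versions rather than cached ones.
      # "example-app:weekly" is a placeholder tag.
      - name: Rebuild image from a fresh base
        run: docker build --pull --no-cache -t example-app:weekly .

      # Print the image ID and creation time so the run log records each rebuild
      - name: Show resulting image
        run: docker image inspect --format '{{.Id}} {{.Created}}' example-app:weekly
```

Dependabot opens a pull request when the base image reference in the Dockerfile or a pinned Python package has a newer version; the uncached rebuild is what picks up OS packages that changed underneath an unchanged tag.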