janhoy opened a new issue, #19:
URL: https://github.com/apache/solr-orbit/issues/19
## Summary
Add a `.github/dependabot.yml` configuration file to enable GitHub
Dependabot for automated dependency updates across the repository.
## Motivation
The project has no automated mechanism for keeping dependencies up to date.
The recent CI failure (pylint 2.9.0 incompatible with Python 3.12) is an
example of a dependency that had been pinned for a long time without updates.
Dependabot would open automated PRs when newer versions are available, keeping
the dependency graph current and reducing the maintenance burden.
## Proposed configuration
Dependabot should be configured for at least:
- **`pip` (Python packages)** — `setup.py` lists runtime and dev
dependencies pinned to specific versions (e.g. `pylint==3.3.9`, `tox==3.14.0`,
`pysolr`, `requests`, etc.)
- **`github-actions`** — `.github/workflows/` uses several third-party
actions (e.g. `actions/checkout`, `actions/setup-python`); these should be kept
up to date for security.
A minimal `.github/dependabot.yml`:
```yaml
version: 2
updates:
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```
## Acceptance criteria
- [ ] `.github/dependabot.yml` added with `pip` and `github-actions`
ecosystems configured
- [ ] Dependabot PRs open automatically on the configured schedule
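A fuller version of the same two-ecosystem configuration, added here as an example rather than the configuration proposed in the issue: it caps the number of open PRs, labels them, and groups updates so that CI action bumps arrive as one reviewable change. The label names, the Monday schedule and the group names are assumptions chosen for illustration.

```yaml
# Added example (not the issue's proposed config): .github/dependabot.yml
# for the pip and github-actions ecosystems. Labels, group names and the
# Monday schedule are illustrative assumptions.
version: 2
updates:
  # Python packages declared in setup.py at the repository root.
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    # Cap open update PRs so a long-unpinned project is not flooded on the
    # first run; Dependabot reopens the rest as earlier ones are merged.
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
      - "python"
    commit-message:
      prefix: "deps"
    groups:
      # Bundle lint/test tooling into one PR; runtime dependencies such as
      # pysolr and requests stay separate so each bump gets its own review.
      dev-tooling:
        patterns:
          - "pylint"
          - "tox"

  # Third-party actions referenced under .github/workflows/.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    labels:
      - "dependencies"
      - "ci"
    commit-message:
      prefix: "ci"
    groups:
      # One PR for all action bumps: each is a change to code that runs in
      # CI with the workflow token, so they are easiest to review together.
      actions:
        patterns:
          - "*"
```

Dependabot only sees dependencies it can resolve, so for `pip` the versions in `setup.py` must stay explicitly declared for updates to be proposed.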