chore(dependabot): Extend Dependabot to cover release-1.4 branch #2526

Merged
susanshi merged 2 commits into notaryproject:main from charleswool:chore/dependabot-release-1.4 on May 26, 2026

Conversation

@charleswool
Contributor

What this PR does

Extends .github/dependabot.yml so Dependabot opens dependency-update PRs against the release-1.4 maintenance branch in addition to main.

Dependabot only supports a single target-branch per updates: entry, so each of the existing ecosystem blocks (github-actions, gomod, docker /, docker /httpserver, docker /.devcontainer) is duplicated with target-branch: release-1.4. The same ignore rules are preserved on the release branch (no semver-major/minor gomod bumps; Go pinned at 1.22).

A release-1.4 label is added on those entries so the resulting PRs are easy to filter / triage.

Why

The release-1.4 branch is an active maintenance line but currently receives no automated dependency/CVE-fix PRs from Dependabot, so security and bug-fix backports have to be done manually. This change keeps it in sync automatically.

Notes

  • The Dependabot config file only needs to live on the default branch (main); the target-branch field is what controls where the resulting PRs are opened — so no changes to release-1.4 itself are required.
  • If the cadence on the release branch turns out to be too noisy, the schedule.interval on the release-1.4 entries can later be relaxed (e.g. monthly) independently.

Signed-off-by: charleswool <charleswool@users.noreply.github.com>

Duplicate each updates entry with target-branch: release-1.4 so Dependabot opens dependency-update PRs against the release-1.4 maintenance branch in addition to main. Adds a 'release-1.4' label to the new entries for easy filtering.

Signed-off-by: charleswool <charleswool@users.noreply.github.com>
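As an added illustration of the layout the description above refers to (this is example configuration, not the project's actual .github/dependabot.yml): each `updates` entry for main is repeated with `target-branch: release-1.4`, the same `ignore` rules, and a `release-1.4` label. Only the gomod and github-actions ecosystems are shown, and the weekly interval is an assumption.

```yaml
# Added example, not the project's own .github/dependabot.yml.
# Dependabot accepts one target-branch per `updates` entry, so each block
# that targets the default branch is repeated for the maintenance branch.
version: 2
updates:
  # --- default branch (main): no target-branch needed ---
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "weekly"
    ignore:
      # Patch-level bumps only: skip semver-major and semver-minor updates.
      - dependency-name: "*"
        update-types:
          - "version-update:semver-major"
          - "version-update:semver-minor"

  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"

  # --- release-1.4 maintenance branch: same blocks plus target-branch ---
  - package-ecosystem: "gomod"
    directory: "/"
    target-branch: "release-1.4"
    schedule:
      interval: "weekly"     # same cadence as the main entries (assumption)
    labels:
      - "release-1.4"        # lets maintainers filter backport PRs
    ignore:
      # Identical ignore rules so the release line only receives patch bumps.
      - dependency-name: "*"
        update-types:
          - "version-update:semver-major"
          - "version-update:semver-minor"

  - package-ecosystem: "github-actions"
    directory: "/"
    target-branch: "release-1.4"
    schedule:
      interval: "weekly"
    labels:
      - "release-1.4"
```

Because `target-branch` is set in the file on the default branch, Dependabot reads this single configuration and opens PRs against release-1.4 without any change on that branch.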
Copilot AI review requested due to automatic review settings May 20, 2026 05:48

Copilot AI left a comment


Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds Dependabot support for maintaining dependencies on the release-1.4 branch alongside the default branch.

Changes:

  • Introduces a dedicated release-1.4 section with target-branch for multiple ecosystems.
  • Configures labels and commit message prefixes for release-branch dependency PRs.
  • Restricts Go module updates on release-1.4 to patch-only by ignoring semver major/minor bumps.


Comment thread on .github/dependabot.yml:

    directory: "/"
    target-branch: "release-1.4"
    schedule:
      interval: "daily"

Contributor


same comment as bot

Contributor


the below schedules seem all weekly

@susanshi susanshi enabled auto-merge (squash) May 20, 2026 05:55

codecov Bot commented May 20, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 77.10%. Comparing base (9ca0530) to head (c1e8f05).

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #2526   +/-   ##
=======================================
  Coverage   77.10%   77.10%           
=======================================
  Files         105      105           
  Lines        4657     4657           
=======================================
  Hits         3591     3591           
  Misses        917      917           
  Partials      149      149           


@charleswool charleswool changed the title from "chore(dependabot): also raise update PRs for release-1.4 branch" to "chore(dependabot): Extend Dependabot to cover release-1.4 branch" May 21, 2026
Contributor

fseldow commented May 21, 2026

lgtm for others

@susanshi susanshi merged commit 9c30230 into notaryproject:main May 26, 2026
12 checks passed