`dependabot.yml` can be configured to ignore/accept certain types of updates: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file

The GitHub Actions workflow (`build.yml`) can be adapted to add/update a file along with the version update.
On Fri, Dec 2, 2022 at 6:19 PM Ralph Goers <ralph.go...@dslextreme.com> wrote:

> One other thing. We have gotten in the habit of creating an “umbrella”
> Jira issue to capture dependency changes within a release. We need to
> ensure whatever is committed by Dependabot is also captured.
>
> Ralph
>
> > On Dec 2, 2022, at 10:05 AM, Matt Sicker <m...@musigma.org> wrote:
> >
> > This definitely looks like an interesting idea! Minor updates should
> > patch fairly painlessly, and we can form a list of dependencies over time
> > that shouldn’t auto-update.
> >
> >> On Dec 2, 2022, at 7:10 AM, Volkan Yazıcı <vol...@yazi.ci> wrote:
> >>
> >> In the context of LOG4J2-3628 (replacing `maven-changes-plugin`), I am
> >> overhauling the `log4j-tools` project. I have done something, if I may say,
> >> A-W-E-S-O-M-E, which I would like to repeat for Log4j too at some point:
> >> https://github.com/apache/logging-log4j-tools/pull/5
> >>
> >> What is exactly happening in this PR? dependabot creates a PR for a
> >> dependency update, CI executes the tests, tests succeed, CI merges the PR,
> >> and publishes the built SNAPSHOT artifact. No more manual dependency
> >> updates!
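For a concrete `ignore`/`allow`-style configuration that keeps auto-merge limited to patch and minor bumps and pins the "list of dependencies that shouldn't auto-update" (an added example, not the thread's or the `log4j-tools` project's own file; the dependency name, root-level `pom.xml` layout and labels are assumptions):

```yaml
# .github/dependabot.yml (added example; assumes a single Maven module at the repo root)
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "weekly"
    # Cap open update PRs so CI is not flooded by a burst of upstream releases.
    open-pull-requests-limit: 5
    ignore:
      # Major bumps are never raised automatically; they stay a manual, reviewed change.
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
      # Hypothetical dependency that must not auto-update at all (the per-project
      # exclusion list Matt mentions grows here, one entry per dependency).
      - dependency-name: "org.example:legacy-lib"
    # Label and commit prefix make Dependabot's commits easy to collect into the
    # release "umbrella" Jira issue Ralph describes.
    labels:
      - "dependencies"
    commit-message:
      prefix: "deps"

  # Keep the CI workflow's own action pins (build.yml) updated with the same policy,
  # since the workflow that merges and publishes is itself part of the supply chain.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
```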